lumma | 5a28556b7baa532277625489fafd05cdc910e50a990d28bfead67dd2eafdc2b3

Analysis

max time kernel
105s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe
Size

228KB
MD5

82d198a3529f313b437d80c4abeed3e0
SHA1

1c3cf1ec9f642dd4a784810d11c5b399ef9a8620
SHA256

452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a
SHA512

eaa3e9cde945523491516a982b3d3d1b9ac59b39768f46a7a50db357b4b1c89326f5a66031b1c23c0b4a35ef3965bb8c748581195ee78ef8de015bb5a378aecf
SSDEEP

3072:7sLYJ+f5GLqeTf3H+zKTXkifCvSSJFu+oukzYzWBkOuRGK:ILYJmK6KoiqvShukMzpjcK

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3704-133-0x00000000005B0000-0x00000000005B9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

57 3008 rundll32.exe
60 3008 rundll32.exe
65 3008 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

6198.exe6E99.exe

pid process

2164 6198.exe
3712 6E99.exe

flow	pid	process
57	3008	rundll32.exe
60	3008	rundll32.exe
65	3008	rundll32.exe

pid	process
2164	6198.exe
3712	6E99.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pdf\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\pdf.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pdf\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pdf\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService먀"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3008 rundll32.exe
4936 svchost.exe
1624 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3008	rundll32.exe
4936	svchost.exe
1624	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3008 set thread context of 4664	3008	rundll32.exe	rundll32.exe
PID 3008 set thread context of 4088	3008	rundll32.exe	rundll32.exe
PID 3008 set thread context of 2204	3008	rundll32.exe	rundll32.exe
PID 3008 set thread context of 384	3008	rundll32.exe	rundll32.exe
PID 3008 set thread context of 3380	3008	rundll32.exe	rundll32.exe
PID 3008 set thread context of 4180	3008	rundll32.exe	schtasks.exe
PID 3008 set thread context of 1300	3008	rundll32.exe	rundll32.exe

Drops file in Program Files directory 27 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_asym.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\pdf.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\64BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3944 2164 WerFault.exe 6198.exe
2860 3712 WerFault.exe 6E99.exe

pid	pid_target	process	target process
3944	2164	WerFault.exe	6198.exe
2860	3712	WerFault.exe	6E99.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exeschtasks.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	schtasks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	schtasks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	schtasks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000030566343100054656d7000003a0009000400efbe21550a58305668432e00000000000000000000000000000000000000000000000000df6c4700540065006d007000000014000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2440

pid	process
2440

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe

pid	process
3704	452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe
3704	452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2440
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe

pid process

3704 452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe

pid	process
2440

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeDebugPrivilege	3008	rundll32.exe
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440
Token: SeShutdownPrivilege	2440

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
4664	rundll32.exe
2440
2440
2440
2440
2440
2440
2440
2440
3008	rundll32.exe
4088	rundll32.exe
3008	rundll32.exe
2204	rundll32.exe
384	rundll32.exe
3008	rundll32.exe
3380	rundll32.exe
3008	rundll32.exe
1300	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2440
2440

pid	process
2440
2440

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

6198.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2440 wrote to memory of 2164	2440		6198.exe
PID 2440 wrote to memory of 2164	2440		6198.exe
PID 2440 wrote to memory of 2164	2440		6198.exe
PID 2440 wrote to memory of 3712	2440		6E99.exe
PID 2440 wrote to memory of 3712	2440		6E99.exe
PID 2440 wrote to memory of 3712	2440		6E99.exe
PID 2164 wrote to memory of 3008	2164	6198.exe	rundll32.exe
PID 2164 wrote to memory of 3008	2164	6198.exe	rundll32.exe
PID 2164 wrote to memory of 3008	2164	6198.exe	rundll32.exe
PID 4936 wrote to memory of 1624	4936	svchost.exe	rundll32.exe
PID 4936 wrote to memory of 1624	4936	svchost.exe	rundll32.exe
PID 4936 wrote to memory of 1624	4936	svchost.exe	rundll32.exe
PID 3008 wrote to memory of 4664	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4664	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4664	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4928	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4928	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4928	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4088	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4088	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4088	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 5116	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 5116	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 5116	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4276	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4276	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4276	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 2204	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 2204	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 2204	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 2184	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 2184	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 2184	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 384	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 384	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 384	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4464	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4464	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4464	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 3380	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 3380	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 3380	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4180	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4180	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4180	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4180	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 2032	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 2032	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 2032	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 1300	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 1300	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 1300	3008	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 4492	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4492	3008	rundll32.exe	schtasks.exe
PID 3008 wrote to memory of 4492	3008	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe
"C:\Users\Admin\AppData\Local\Temp\452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3704

C:\Users\Admin\AppData\Local\Temp\6198.exe
C:\Users\Admin\AppData\Local\Temp\6198.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3008

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4664

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4928

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4088

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5116

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2204

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2184

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:384

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3380

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
- Checks processor information in registry
PID:4180

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2032

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5004

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4796

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2396

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1760

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4844

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4584

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:900

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1740

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 532
2⤵
- Program crash
PID:3944

C:\Users\Admin\AppData\Local\Temp\6E99.exe
C:\Users\Admin\AppData\Local\Temp\6E99.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1356
2⤵
- Program crash
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2164 -ip 2164
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3712 -ip 3712
1⤵
PID:2556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\pdf.dll",e0oxQg==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\pdf.dll
Filesize
774KB

MD5
4d7be43b964ab47a74228aa5366a7fb7

SHA1
58692e23b58628896254f22549b5d540660f9107

SHA256
bcad2dfd26a44ff163340e6ea740cab504589f7cf49e55f61dee212e37a74bb5

SHA512
366c25f563e017125bae05f34cd1435e52002f38b18f43fbc3e9baa0f2107a81185ea029b95bb8dad9c96be6a551f8c7a72c175c14354d9d86260e4edd5e6536

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\pdf.dll
Filesize
774KB

MD5
4d7be43b964ab47a74228aa5366a7fb7

SHA1
58692e23b58628896254f22549b5d540660f9107

SHA256
bcad2dfd26a44ff163340e6ea740cab504589f7cf49e55f61dee212e37a74bb5

SHA512
366c25f563e017125bae05f34cd1435e52002f38b18f43fbc3e9baa0f2107a81185ea029b95bb8dad9c96be6a551f8c7a72c175c14354d9d86260e4edd5e6536

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.powerpointmui.msi.16.en-us.xml
Filesize
27KB

MD5
e9ed7134ebf28fea3f7aa5691a28438a

SHA1
ea1e55c279ed9f8dae333ae436204d8d67d46adf

SHA256
8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28

SHA512
535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
13KB

MD5
c7405e2e68aec89e44862595ccc0d186

SHA1
2cc8d73f93dd875134917795633bb606911f1069

SHA256
9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37

SHA512
0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
27KB

MD5
1cef1a17af19cd221b168384320770e5

SHA1
1b694f2e2c2f87becfd9d4d1b271843c928dbfc4

SHA256
cf103015c20fbe6aebd3b83104eb034f2ff6e40187296a5a7e71a9f77013294b

SHA512
61a7f84dc4970a564056407549bc3664bf67d18a93f86a2be73ea39d8fb5d7007bb7531d881e516196c5139c1c5f67d7b602d0b26dfd1f13ebba7e90e3b8c377

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\StorageHealthModel.dat
Filesize
542KB

MD5
1ffbb6bf6ac240feb3fada4eedbe5310

SHA1
3f8ef6d47bda2b464024e8d09577591fab2685d7

SHA256
c09e4425d87b888993f114755887611f68d351961e429628b952b9b62b49ef5a

SHA512
18c37c2c207664a231144dced3f8a4b97c3787da1174c08f357d9d6e80ae5cd68bcaf2c89062371b40ac9d235a882053bb80d46c28ff7f4e85c2ab25dc5a7081

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
1f2214d207654ab9cc74ecbae3b8b40f

SHA1
24b60ecddd20a2d922c617080cb0ca8f4ec0eaa6

SHA256
d7c15a49e0f47fdd9afac791c6540a6ce7930502256854ffb03c58792c3f4262

SHA512
6ed9d67ca5f487451eb4c1384295b7c2a0f85214b8a900f0e47f3ce53bb7ca021fa16624b97ec08ee2e0a8ff34f6f29f35c0c467f72eed5f66ea3549cc0a3cb9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edbtmp.log
Filesize
64KB

MD5
767197237b7830685858454703a12e7f

SHA1
9a9e9a4e2c025611ab9b6da5fba5ec2c87bd278c

SHA256
87450c22470e838c96d1a98dd418e84b8b6e1d861eb1436b96d9a3f22eaaddb2

SHA512
bdae6e43c351ee2ed77dbe6335cf57a5d5bba7e0ada4785416142b62c5a471c7af8391117f2709b7ec71fdad387682fd0371c0641311515105f26fd1a675deb5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml
Filesize
1KB

MD5
ba3f2a2801ae546e498881e8ec22a17c

SHA1
ab57705933a28c4f9e552f5a435ab8a7709fedc8

SHA256
af7a12135db48bf260cd6d7ce831810ef98ca05847c4b23086bc2e616e8b08f4

SHA512
3ae1c6d4bba1720b080c315e58c8b44685defd65031314a48c1de749e4cd13a42ccf5f0de4202019c94b0ecbd1ab9e6dbdfd39d5b6434909796f490246b6e302

Download Submit
C:\Users\Admin\AppData\Local\Temp\6198.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6198.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E99.exe
Filesize
276KB

MD5
9a636854eb16b6ae20d0152747ccdc87

SHA1
839ad2590dc91881058abf89c41cdde28e3c40ed

SHA256
730d01a6a7eedbf59ff5fc88ca0e7bf3d2a1fc7d5ede1232f31aa7a06e7b9adc

SHA512
d5b88e441a3c609ad59fbc50472d8ae5114543832109532c8d1e9dbf015b2e63b33227cbd904689ea8e2ce308dd8e65d61cfedfa3eae23696d0de3a5d9d2761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E99.exe
Filesize
276KB

MD5
9a636854eb16b6ae20d0152747ccdc87

SHA1
839ad2590dc91881058abf89c41cdde28e3c40ed

SHA256
730d01a6a7eedbf59ff5fc88ca0e7bf3d2a1fc7d5ede1232f31aa7a06e7b9adc

SHA512
d5b88e441a3c609ad59fbc50472d8ae5114543832109532c8d1e9dbf015b2e63b33227cbd904689ea8e2ce308dd8e65d61cfedfa3eae23696d0de3a5d9d2761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\pdf.dll
Filesize
774KB

MD5
4d7be43b964ab47a74228aa5366a7fb7

SHA1
58692e23b58628896254f22549b5d540660f9107

SHA256
bcad2dfd26a44ff163340e6ea740cab504589f7cf49e55f61dee212e37a74bb5

SHA512
366c25f563e017125bae05f34cd1435e52002f38b18f43fbc3e9baa0f2107a81185ea029b95bb8dad9c96be6a551f8c7a72c175c14354d9d86260e4edd5e6536

Download Submit
memory/384-210-0x000001A79EFB0000-0x000001A79F0F0000-memory.dmp

Filesize
1.2MB

Download
memory/384-209-0x00007FF7FB3F6890-mapping.dmp

Download
memory/384-211-0x000001A79EFB0000-0x000001A79F0F0000-memory.dmp

Filesize
1.2MB

Download
memory/384-212-0x000001A79D550000-0x000001A79D805000-memory.dmp

Filesize
2.7MB

Download
memory/384-214-0x000001A79D550000-0x000001A79D805000-memory.dmp

Filesize
2.7MB

Download
memory/900-257-0x0000000000000000-mapping.dmp

Download
memory/1300-244-0x0000025C27F30000-0x0000025C281E5000-memory.dmp

Filesize
2.7MB

Download
memory/1300-240-0x00007FF7FB3F6890-mapping.dmp

Download
memory/1300-241-0x0000025C27DA0000-0x0000025C27EE0000-memory.dmp

Filesize
1.2MB

Download
memory/1300-242-0x0000025C27DA0000-0x0000025C27EE0000-memory.dmp

Filesize
1.2MB

Download
memory/1300-243-0x0000025C27F30000-0x0000025C281E5000-memory.dmp

Filesize
2.7MB

Download
memory/1624-180-0x0000000004980000-0x00000000054D5000-memory.dmp

Filesize
11.3MB

Download
memory/1624-177-0x0000000004980000-0x00000000054D5000-memory.dmp

Filesize
11.3MB

Download
memory/1624-168-0x0000000000000000-mapping.dmp

Download
memory/1628-248-0x0000000000000000-mapping.dmp

Download
memory/1684-247-0x0000000000000000-mapping.dmp

Download
memory/1740-258-0x0000000000000000-mapping.dmp

Download
memory/1748-259-0x0000000000000000-mapping.dmp

Download
memory/1760-253-0x0000000000000000-mapping.dmp

Download
memory/2032-235-0x0000000000000000-mapping.dmp

Download
memory/2164-143-0x0000000002199000-0x0000000002282000-memory.dmp

Filesize
932KB

Download
memory/2164-147-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2164-144-0x00000000022A0000-0x00000000023CE000-memory.dmp

Filesize
1.2MB

Download
memory/2164-136-0x0000000000000000-mapping.dmp

Download
memory/2184-203-0x0000000000000000-mapping.dmp

Download
memory/2204-204-0x0000021C22C00000-0x0000021C22EB5000-memory.dmp

Filesize
2.7MB

Download
memory/2204-202-0x0000021C22C00000-0x0000021C22EB5000-memory.dmp

Filesize
2.7MB

Download
memory/2204-201-0x0000021C24660000-0x0000021C247A0000-memory.dmp

Filesize
1.2MB

Download
memory/2204-200-0x0000021C24660000-0x0000021C247A0000-memory.dmp

Filesize
1.2MB

Download
memory/2204-199-0x00007FF7FB3F6890-mapping.dmp

Download
memory/2396-251-0x0000000000000000-mapping.dmp

Download
memory/3008-196-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-153-0x0000000005420000-0x0000000005F75000-memory.dmp

Filesize
11.3MB

Download
memory/3008-142-0x0000000000000000-mapping.dmp

Download
memory/3008-152-0x0000000005420000-0x0000000005F75000-memory.dmp

Filesize
11.3MB

Download
memory/3008-183-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-184-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-185-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-186-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-239-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-238-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-237-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-236-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-154-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-218-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-217-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-216-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-195-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-215-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-197-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-155-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-198-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-156-0x0000000005420000-0x0000000005F75000-memory.dmp

Filesize
11.3MB

Download
memory/3008-172-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-173-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-170-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-171-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-205-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-206-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-207-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3008-208-0x0000000004A40000-0x0000000004B80000-memory.dmp

Filesize
1.2MB

Download
memory/3380-219-0x00007FF7FB3F6890-mapping.dmp

Download
memory/3380-234-0x0000020AA4F00000-0x0000020AA51B5000-memory.dmp

Filesize
2.7MB

Download
memory/3380-223-0x0000020AA4F00000-0x0000020AA51B5000-memory.dmp

Filesize
2.7MB

Download
memory/3380-220-0x0000020AA6960000-0x0000020AA6AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3380-222-0x0000020AA6960000-0x0000020AA6AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3704-132-0x00000000007B7000-0x00000000007C7000-memory.dmp

Filesize
64KB

Download
memory/3704-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/3704-134-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3704-135-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3712-150-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3712-148-0x00000000007CD000-0x00000000007E7000-memory.dmp

Filesize
104KB

Download
memory/3712-149-0x0000000000590000-0x00000000005BA000-memory.dmp

Filesize
168KB

Download
memory/3712-139-0x0000000000000000-mapping.dmp

Download
memory/3712-151-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3920-252-0x0000000000000000-mapping.dmp

Download
memory/3932-256-0x0000000000000000-mapping.dmp

Download
memory/4088-193-0x00000179423F0000-0x00000179426A5000-memory.dmp

Filesize
2.7MB

Download
memory/4088-187-0x00007FF7FB3F6890-mapping.dmp

Download
memory/4088-188-0x0000017943CC0000-0x0000017943E00000-memory.dmp

Filesize
1.2MB

Download
memory/4088-189-0x0000017943CC0000-0x0000017943E00000-memory.dmp

Filesize
1.2MB

Download
memory/4088-190-0x00000179423F0000-0x00000179426A5000-memory.dmp

Filesize
2.7MB

Download
memory/4180-232-0x00000000019D0000-0x0000000002525000-memory.dmp

Filesize
11.3MB

Download
memory/4180-224-0x00000000019D0000-0x0000000002525000-memory.dmp

Filesize
11.3MB

Download
memory/4180-233-0x00000000019D0000-0x0000000002525000-memory.dmp

Filesize
11.3MB

Download
memory/4180-230-0x0000000003E10000-0x0000000003F50000-memory.dmp

Filesize
1.2MB

Download
memory/4180-229-0x0000000003E10000-0x0000000003F50000-memory.dmp

Filesize
1.2MB

Download
memory/4180-228-0x0000000003E10000-0x0000000003F50000-memory.dmp

Filesize
1.2MB

Download
memory/4180-227-0x0000000003E10000-0x0000000003F50000-memory.dmp

Filesize
1.2MB

Download
memory/4180-226-0x0000000003E10000-0x0000000003F50000-memory.dmp

Filesize
1.2MB

Download
memory/4180-231-0x0000000000CC0000-0x00000000016F6000-memory.dmp

Filesize
10.2MB

Download
memory/4180-221-0x0000000000000000-mapping.dmp

Download
memory/4180-225-0x0000000003E10000-0x0000000003F50000-memory.dmp

Filesize
1.2MB

Download
memory/4276-194-0x0000000000000000-mapping.dmp

Download
memory/4464-213-0x0000000000000000-mapping.dmp

Download
memory/4492-245-0x0000000000000000-mapping.dmp

Download
memory/4584-255-0x0000000000000000-mapping.dmp

Download
memory/4664-174-0x00007FF7FB3F6890-mapping.dmp

Download
memory/4664-179-0x000002442DBD0000-0x000002442DE85000-memory.dmp

Filesize
2.7MB

Download
memory/4664-175-0x000002442F4A0000-0x000002442F5E0000-memory.dmp

Filesize
1.2MB

Download
memory/4664-176-0x000002442F4A0000-0x000002442F5E0000-memory.dmp

Filesize
1.2MB

Download
memory/4664-178-0x0000000000790000-0x0000000000A34000-memory.dmp

Filesize
2.6MB

Download
memory/4664-181-0x000002442DBD0000-0x000002442DE85000-memory.dmp

Filesize
2.7MB

Download
memory/4796-250-0x0000000000000000-mapping.dmp

Download
memory/4844-254-0x0000000000000000-mapping.dmp

Download
memory/4928-182-0x0000000000000000-mapping.dmp

Download
memory/4936-192-0x0000000004270000-0x0000000004DC5000-memory.dmp

Filesize
11.3MB

Download
memory/4936-160-0x0000000004270000-0x0000000004DC5000-memory.dmp

Filesize
11.3MB

Download
memory/4936-161-0x0000000004270000-0x0000000004DC5000-memory.dmp

Filesize
11.3MB

Download
memory/5004-246-0x0000000000000000-mapping.dmp

Download
memory/5096-249-0x0000000000000000-mapping.dmp

Download
memory/5116-191-0x0000000000000000-mapping.dmp

Download