lumma | 821af69b1a2b6f632623612fea5037d5e79133fa530ff1b800daab60657b8109

Analysis

max time kernel
96s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

258KB
MD5

41fd2f0598c3465dac7f618c9fb9e6ab
SHA1

6442aeb994fa61edda5574207f7c4e0c8d149cfc
SHA256

821af69b1a2b6f632623612fea5037d5e79133fa530ff1b800daab60657b8109
SHA512

d15ea74fc7821928ea3c3e92d0599cd460629e4373ca82d4dc0eb48b7bfb93d3355bc4cf98d92f9e36c7b7bc0928af56412c80d480d99871d70c0319455708ec
SSDEEP

6144:MFeIlLGa14PWmIBeDfighEiVWtqtU4zqQna:MFe6aa2PosTHELtqtFP

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1960-133-0x00000000005C0000-0x00000000005C9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

43 4464 rundll32.exe
56 4464 rundll32.exe
63 4464 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

4D35.exe80E9.exe

pid process

3956 4D35.exe
2488 80E9.exe

flow	pid	process
43	4464	rundll32.exe
56	4464	rundll32.exe
63	4464	rundll32.exe

pid	process
3956	4D35.exe
2488	80E9.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Combine_R_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4464 rundll32.exe
5100 svchost.exe
4652 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4464	rundll32.exe
5100	svchost.exe
4652	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4464 set thread context of 4188	4464	rundll32.exe	rundll32.exe
PID 4464 set thread context of 2408	4464	rundll32.exe	rundll32.exe
PID 4464 set thread context of 4932	4464	rundll32.exe	rundll32.exe
PID 4464 set thread context of 1308	4464	rundll32.exe	rundll32.exe
PID 4464 set thread context of 4876	4464	rundll32.exe	rundll32.exe

Drops file in Program Files directory 20 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\pdf.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP..dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sendforcomments.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\server_issue.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2592 3956 WerFault.exe 4D35.exe
1816 2488 WerFault.exe 80E9.exe

pid	pid_target	process	target process
2592	3956	WerFault.exe	4D35.exe
1816	2488	WerFault.exe	80E9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000030568343100054656d7000003a0009000400efbe21550a58305687432e00000000000000000000000000000000000000000000000000d7c76c00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

980

pid	process
980

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1960	file.exe
1960	file.exe
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

980
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

1960 file.exe

pid	process
980

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeDebugPrivilege	4464	rundll32.exe
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
4188	rundll32.exe
980
980
980
980
4464	rundll32.exe
980
980
980
980
2408	rundll32.exe
4464	rundll32.exe
4932	rundll32.exe
1308	rundll32.exe
4464	rundll32.exe
4876	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

980
980

pid	process
980
980

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

4D35.exerundll32.exesvchost.exe

description	pid	process	target process
PID 980 wrote to memory of 3956	980		4D35.exe
PID 980 wrote to memory of 3956	980		4D35.exe
PID 980 wrote to memory of 3956	980		4D35.exe
PID 3956 wrote to memory of 4464	3956	4D35.exe	rundll32.exe
PID 3956 wrote to memory of 4464	3956	4D35.exe	rundll32.exe
PID 3956 wrote to memory of 4464	3956	4D35.exe	rundll32.exe
PID 980 wrote to memory of 2488	980		80E9.exe
PID 980 wrote to memory of 2488	980		80E9.exe
PID 980 wrote to memory of 2488	980		80E9.exe
PID 4464 wrote to memory of 4188	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4188	4464	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 4652	5100	svchost.exe	rundll32.exe
PID 5100 wrote to memory of 4652	5100	svchost.exe	rundll32.exe
PID 5100 wrote to memory of 4652	5100	svchost.exe	rundll32.exe
PID 4464 wrote to memory of 4188	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 2408	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 2408	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 2408	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4720	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4720	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4720	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4840	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4840	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4840	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4932	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4932	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4932	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4824	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4824	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4824	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 2412	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 2412	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 2412	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 1308	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 1308	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 1308	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4224	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4224	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4224	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 948	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 948	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 948	4464	rundll32.exe	schtasks.exe
PID 4464 wrote to memory of 4876	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4876	4464	rundll32.exe	rundll32.exe
PID 4464 wrote to memory of 4876	4464	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1960

C:\Users\Admin\AppData\Local\Temp\4D35.exe
C:\Users\Admin\AppData\Local\Temp\4D35.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4188

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2408

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4720

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4840

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4932

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4824

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2412

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1308

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4224

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:948

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4876

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3580

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4600

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2684

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4528

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4276

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:3456

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2156

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3360

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2364

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3200

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2160

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:796

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3956

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:640

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2068

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4504

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2108

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 308
2⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3956 -ip 3956
1⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\80E9.exe
C:\Users\Admin\AppData\Local\Temp\80E9.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1360
2⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2488 -ip 2488
1⤵
PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\combine_r_rhp..dll",uGJWNURLQVE=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP..dll
Filesize
774KB

MD5
339d4b1a693822ce78292287a07cf317

SHA1
2a2c1ff60cdfa9008bf8a2c5fcbc54250ad8923a

SHA256
1c5584dde1ca6baaf62001b7aa0e3cd5b7714a8af6697420bf0a29569efb37c3

SHA512
e33a3a2f5ce0b66eab148748da63abd1e353055b87e0ef2e7e942acd1dd54ccbaa95c470924cf8b4e34b3b64cc3b33f35ac80b063fe9d6bb35bed5e02d3119b2

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP..dll
Filesize
774KB

MD5
339d4b1a693822ce78292287a07cf317

SHA1
2a2c1ff60cdfa9008bf8a2c5fcbc54250ad8923a

SHA256
1c5584dde1ca6baaf62001b7aa0e3cd5b7714a8af6697420bf0a29569efb37c3

SHA512
e33a3a2f5ce0b66eab148748da63abd1e353055b87e0ef2e7e942acd1dd54ccbaa95c470924cf8b4e34b3b64cc3b33f35ac80b063fe9d6bb35bed5e02d3119b2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.officemuiset.msi.16.en-us.xml
Filesize
1KB

MD5
576aefa0d5cef530c59ff90625d60e25

SHA1
19be51d3942120e5474e0711592718da525eaa20

SHA256
f5b39bd24efbf27831061a34d1a78cea8f0073bfccade786129495f17cf2f112

SHA512
0d342bb21bb9651c0c36831718d9009af790bf808a9f38ec1788a06428d08d1299f4e215bd08e4912acc25d0f41ae95f3118019aa2811e89f35453b0ef8b32bf

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_9_1_10_58_17.etl
Filesize
256KB

MD5
9e70b4436daa55bb417d550731fe721c

SHA1
7897e6fb99a5a253c08609dbb7baf4c43302c28a

SHA256
7681b77f7d011b49769863d05a2334c7eff3eb71ac4414c69dcf49988247a2b6

SHA512
dc0742a4ab6da54a6334d5e38b9ef794c853ff1306c78001fa3e455722329171bc1ac0bf5eefa0ca5bde007884f4da636810d544bc115e575ac22072666346ac

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Diagtrack-Listener.etl
Filesize
192KB

MD5
8b307dfe467c82538d8a1a27cac4e4c0

SHA1
fefdee33de626f7f198bb885c2c4b03c5b366d8a

SHA256
889436941087acd408bf480bcb01dfce62cc25c0ad694f25c6104a7894f9cd81

SHA512
9ec22cc02e2e126b78493e7b1e1f52e1151c72210697eb3635f93077fa0a22f576e304020cc560a003c620d9c1a3fc94f5abbbaa471e2cb24746ff8a59b57268

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
849B

MD5
bd5949f7138558f33eeadec17d3605a1

SHA1
7089296812fd9348b62936a6eea5928809f26d63

SHA256
0b9ef96887d1143ced0048b15f5437eaf878c932dd89a05794a742ce8f905fe6

SHA512
6be4a51529e882a8f6c3001a8598ce41d00f401bc53ec3e38b1122cf2e61076ef3a780c077f672faae774078a4dc68e6481f1ad660342d2836dde9b38c6752d8

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe.xml
Filesize
840B

MD5
2528a361d2ecf923788b3f69833696ec

SHA1
38980657507f08069bc9a05ef8ec17da33410c30

SHA256
7b9699e0d489996eaeb9620d5e5b15cb5f523144a8dbf2a73412329711bd6b7c

SHA512
532f760ba48c2051537edea47506efea1ea8204e51dc61173692da9eab58b5a0bd934b7fa2ce07798e9d468acede6a4926b234dcef3ee0685676505079681202

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013Win32.xml
Filesize
66KB

MD5
d6269a771887562b5461c9a99bcfeacd

SHA1
d4f5647c655af50453e2097eb3e8552318f139a1

SHA256
58e3a955ba9293be903e880620c559bcd4f5b8069c3c23a3f06a9c549ed621d1

SHA512
18b23fea2436cd1c6ac8dd159660f386694abe0d6c2e5bca15e11bbf9da06a620bc4c759af1b5646bed8086576369b051bec0f41837127738bebce9f13b9dc30

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2016Win64.xml
Filesize
64KB

MD5
dfb978df0faed93e4ec5ad1135e908ae

SHA1
31e7bb7856fad49be905210ee15a15e5f79fae3e

SHA256
bf05f685c4c0b4fae3c0ef014535d83a89088e026b1872ef6ad50ffa381b4490

SHA512
198e2ee755cc5e29884af59f65b96f6bcd0513cd4bf93867732b32f3e9487300508a1abdd9105183a8d99ebd5fda33b1946db244409380a4f4cae515038add82

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
548107a3af24bc913c1b90dba6e17238

SHA1
545947992bcb297bcc81049fd3bdadb8f3ab39c6

SHA256
d59a709221f0ed86e6d82acac1f9847c3a13b198168a5bcf2ec9e2d9b15ede90

SHA512
a0e0fc4dcec782dfe18f975bd182cfa0561858b315d3a6bb6fc4ff162a605fa5b54d63b87977e5fcafd4dcdde0a0b37045cb97f3217215cd8e6a869b79ada782

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\user.bmp
Filesize
588KB

MD5
908fa2dfb385771ecf5f8b2b3e7bff16

SHA1
1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58

SHA256
60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d

SHA512
573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D35.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D35.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\80E9.exe
Filesize
276KB

MD5
9a636854eb16b6ae20d0152747ccdc87

SHA1
839ad2590dc91881058abf89c41cdde28e3c40ed

SHA256
730d01a6a7eedbf59ff5fc88ca0e7bf3d2a1fc7d5ede1232f31aa7a06e7b9adc

SHA512
d5b88e441a3c609ad59fbc50472d8ae5114543832109532c8d1e9dbf015b2e63b33227cbd904689ea8e2ce308dd8e65d61cfedfa3eae23696d0de3a5d9d2761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\80E9.exe
Filesize
276KB

MD5
9a636854eb16b6ae20d0152747ccdc87

SHA1
839ad2590dc91881058abf89c41cdde28e3c40ed

SHA256
730d01a6a7eedbf59ff5fc88ca0e7bf3d2a1fc7d5ede1232f31aa7a06e7b9adc

SHA512
d5b88e441a3c609ad59fbc50472d8ae5114543832109532c8d1e9dbf015b2e63b33227cbd904689ea8e2ce308dd8e65d61cfedfa3eae23696d0de3a5d9d2761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\combine_r_rhp..dll
Filesize
774KB

MD5
339d4b1a693822ce78292287a07cf317

SHA1
2a2c1ff60cdfa9008bf8a2c5fcbc54250ad8923a

SHA256
1c5584dde1ca6baaf62001b7aa0e3cd5b7714a8af6697420bf0a29569efb37c3

SHA512
e33a3a2f5ce0b66eab148748da63abd1e353055b87e0ef2e7e942acd1dd54ccbaa95c470924cf8b4e34b3b64cc3b33f35ac80b063fe9d6bb35bed5e02d3119b2

Download Submit
memory/640-332-0x0000000000000000-mapping.dmp

Download
memory/796-321-0x0000000000000000-mapping.dmp

Download
memory/948-239-0x0000000000000000-mapping.dmp

Download
memory/980-159-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/980-146-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-142-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-140-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-158-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/980-143-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-144-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-139-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-138-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-154-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/980-141-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-151-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-145-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-136-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-153-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/980-152-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-147-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-137-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-148-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-149-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/980-150-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1028-258-0x0000000000000000-mapping.dmp

Download
memory/1308-234-0x0000024509D70000-0x0000024509EB0000-memory.dmp

Filesize
1.2MB

Download
memory/1308-238-0x0000024508300000-0x00000245085B5000-memory.dmp

Filesize
2.7MB

Download
memory/1308-236-0x0000024508300000-0x00000245085B5000-memory.dmp

Filesize
2.7MB

Download
memory/1308-235-0x0000024509D70000-0x0000024509EB0000-memory.dmp

Filesize
1.2MB

Download
memory/1308-233-0x00007FF67F3B6890-mapping.dmp

Download
memory/1420-345-0x0000000000000000-mapping.dmp

Download
memory/1572-254-0x00007FF67F3B6890-mapping.dmp

Download
memory/1572-255-0x00000285205B0000-0x00000285206F0000-memory.dmp

Filesize
1.2MB

Download
memory/1572-259-0x000002851EB50000-0x000002851EE05000-memory.dmp

Filesize
2.7MB

Download
memory/1572-256-0x00000285205B0000-0x00000285206F0000-memory.dmp

Filesize
1.2MB

Download
memory/1572-257-0x000002851EB50000-0x000002851EE05000-memory.dmp

Filesize
2.7MB

Download
memory/1960-132-0x00000000004CD000-0x00000000004E3000-memory.dmp

Filesize
88KB

Download
memory/1960-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1960-133-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/1960-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2068-333-0x0000000000000000-mapping.dmp

Download
memory/2100-334-0x000001B374F90000-0x000001B375245000-memory.dmp

Filesize
2.7MB

Download
memory/2100-328-0x00007FF67F3B6890-mapping.dmp

Download
memory/2100-331-0x000001B374F90000-0x000001B375245000-memory.dmp

Filesize
2.7MB

Download
memory/2108-343-0x0000000000000000-mapping.dmp

Download
memory/2156-288-0x0000000000000000-mapping.dmp

Download
memory/2160-317-0x00007FF67F3B6890-mapping.dmp

Download
memory/2160-323-0x0000023A5ED40000-0x0000023A5EFF5000-memory.dmp

Filesize
2.7MB

Download
memory/2160-320-0x0000023A5ED40000-0x0000023A5EFF5000-memory.dmp

Filesize
2.7MB

Download
memory/2364-310-0x0000000000000000-mapping.dmp

Download
memory/2408-209-0x00007FF67F3B6890-mapping.dmp

Download
memory/2408-216-0x0000018620F40000-0x00000186211F5000-memory.dmp

Filesize
2.7MB

Download
memory/2408-212-0x0000018620F40000-0x00000186211F5000-memory.dmp

Filesize
2.7MB

Download
memory/2408-211-0x00000186229A0000-0x0000018622AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2408-210-0x00000186229A0000-0x0000018622AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2412-228-0x0000000000000000-mapping.dmp

Download
memory/2484-301-0x00000219C2780000-0x00000219C2A35000-memory.dmp

Filesize
2.7MB

Download
memory/2484-299-0x00000219C2780000-0x00000219C2A35000-memory.dmp

Filesize
2.7MB

Download
memory/2484-296-0x00007FF67F3B6890-mapping.dmp

Download
memory/2488-169-0x00000000007AD000-0x00000000007C7000-memory.dmp

Filesize
104KB

Download
memory/2488-166-0x0000000000000000-mapping.dmp

Download
memory/2488-170-0x0000000000590000-0x00000000005BA000-memory.dmp

Filesize
168KB

Download
memory/2488-171-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2488-174-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2684-268-0x0000000000000000-mapping.dmp

Download
memory/3200-311-0x0000000000000000-mapping.dmp

Download
memory/3360-291-0x0000000000000000-mapping.dmp

Download
memory/3456-290-0x000001AA32820000-0x000001AA32AD5000-memory.dmp

Filesize
2.7MB

Download
memory/3456-289-0x000001AA32820000-0x000001AA32AD5000-memory.dmp

Filesize
2.7MB

Download
memory/3456-285-0x00007FF67F3B6890-mapping.dmp

Download
memory/3580-249-0x0000000000000000-mapping.dmp

Download
memory/3956-322-0x0000000000000000-mapping.dmp

Download
memory/3956-165-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3956-155-0x0000000000000000-mapping.dmp

Download
memory/3956-163-0x00000000020AB000-0x0000000002194000-memory.dmp

Filesize
932KB

Download
memory/3956-164-0x0000000002490000-0x00000000025BE000-memory.dmp

Filesize
1.2MB

Download
memory/4188-198-0x0000028D8CE20000-0x0000028D8CF60000-memory.dmp

Filesize
1.2MB

Download
memory/4188-199-0x0000028D8CE20000-0x0000028D8CF60000-memory.dmp

Filesize
1.2MB

Download
memory/4188-200-0x0000000000080000-0x0000000000324000-memory.dmp

Filesize
2.6MB

Download
memory/4188-201-0x0000028D8B3C0000-0x0000028D8B675000-memory.dmp

Filesize
2.7MB

Download
memory/4188-204-0x0000028D8B3C0000-0x0000028D8B675000-memory.dmp

Filesize
2.7MB

Download
memory/4188-197-0x00007FF67F3B6890-mapping.dmp

Download
memory/4224-237-0x0000000000000000-mapping.dmp

Download
memory/4276-280-0x00000222540A0000-0x0000022254355000-memory.dmp

Filesize
2.7MB

Download
memory/4276-278-0x00000222540A0000-0x0000022254355000-memory.dmp

Filesize
2.7MB

Download
memory/4276-275-0x00007FF67F3B6890-mapping.dmp

Download
memory/4464-218-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-175-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-231-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-230-0x00000000076B0000-0x00000000077F0000-memory.dmp

Filesize
1.2MB

Download
memory/4464-240-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-241-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-242-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-243-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-160-0x0000000000000000-mapping.dmp

Download
memory/4464-208-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-172-0x0000000005650000-0x00000000061A5000-memory.dmp

Filesize
11.3MB

Download
memory/4464-219-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-220-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-229-0x00000000076B0000-0x00000000077F0000-memory.dmp

Filesize
1.2MB

Download
memory/4464-250-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-251-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-252-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-253-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-173-0x0000000005650000-0x00000000061A5000-memory.dmp

Filesize
11.3MB

Download
memory/4464-217-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-176-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-180-0x0000000005650000-0x00000000061A5000-memory.dmp

Filesize
11.3MB

Download
memory/4464-190-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-192-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-260-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-261-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-262-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-263-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-194-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-232-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-196-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4464-205-0x00000000076B0000-0x00000000077F0000-memory.dmp

Filesize
1.2MB

Download
memory/4464-206-0x00000000076B0000-0x00000000077F0000-memory.dmp

Filesize
1.2MB

Download
memory/4464-271-0x00000000076B0000-0x00000000077F0000-memory.dmp

Filesize
1.2MB

Download
memory/4464-207-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/4504-339-0x00007FF67F3B6890-mapping.dmp

Download
memory/4504-342-0x000001AF88720000-0x000001AF889D5000-memory.dmp

Filesize
2.7MB

Download
memory/4504-344-0x000001AF88720000-0x000001AF889D5000-memory.dmp

Filesize
2.7MB

Download
memory/4528-269-0x0000000000000000-mapping.dmp

Download
memory/4596-312-0x000001C5CFC50000-0x000001C5CFF05000-memory.dmp

Filesize
2.7MB

Download
memory/4596-306-0x00007FF67F3B6890-mapping.dmp

Download
memory/4596-309-0x000001C5CFC50000-0x000001C5CFF05000-memory.dmp

Filesize
2.7MB

Download
memory/4600-264-0x00007FF67F3B6890-mapping.dmp

Download
memory/4600-265-0x0000028793880000-0x00000287939C0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-266-0x0000028793880000-0x00000287939C0000-memory.dmp

Filesize
1.2MB

Download
memory/4600-270-0x0000028791E20000-0x00000287920D5000-memory.dmp

Filesize
2.7MB

Download
memory/4600-267-0x0000028791E20000-0x00000287920D5000-memory.dmp

Filesize
2.7MB

Download
memory/4652-223-0x0000000004F30000-0x0000000005A85000-memory.dmp

Filesize
11.3MB

Download
memory/4652-202-0x0000000004F30000-0x0000000005A85000-memory.dmp

Filesize
11.3MB

Download
memory/4652-191-0x0000000000000000-mapping.dmp

Download
memory/4652-203-0x0000000004F30000-0x0000000005A85000-memory.dmp

Filesize
11.3MB

Download
memory/4720-213-0x0000000000000000-mapping.dmp

Download
memory/4824-226-0x0000000000000000-mapping.dmp

Download
memory/4824-300-0x0000000000000000-mapping.dmp

Download
memory/4840-214-0x0000000000000000-mapping.dmp

Download
memory/4876-244-0x00007FF67F3B6890-mapping.dmp

Download
memory/4876-245-0x0000029B51EA0000-0x0000029B51FE0000-memory.dmp

Filesize
1.2MB

Download
memory/4876-246-0x0000029B51EA0000-0x0000029B51FE0000-memory.dmp

Filesize
1.2MB

Download
memory/4876-247-0x0000029B50440000-0x0000029B506F5000-memory.dmp

Filesize
2.7MB

Download
memory/4876-248-0x0000029B50440000-0x0000029B506F5000-memory.dmp

Filesize
2.7MB

Download
memory/4932-225-0x0000015F4BE60000-0x0000015F4C115000-memory.dmp

Filesize
2.7MB

Download
memory/4932-227-0x0000015F4BE60000-0x0000015F4C115000-memory.dmp

Filesize
2.7MB

Download
memory/4932-224-0x0000015F4D8C0000-0x0000015F4DA00000-memory.dmp

Filesize
1.2MB

Download
memory/4932-222-0x0000015F4D8C0000-0x0000015F4DA00000-memory.dmp

Filesize
1.2MB

Download
memory/4932-221-0x00007FF67F3B6890-mapping.dmp

Download
memory/5100-215-0x00000000046C0000-0x0000000005215000-memory.dmp

Filesize
11.3MB

Download
memory/5100-181-0x00000000046C0000-0x0000000005215000-memory.dmp

Filesize
11.3MB

Download
memory/5100-195-0x00000000046C0000-0x0000000005215000-memory.dmp

Filesize
11.3MB

Download
memory/5108-279-0x0000000000000000-mapping.dmp

Download