lumma | b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e

Analysis

max time kernel
116s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe
Size

232KB
MD5

0f64159886f0ee668ffb0b74b8e2d4eb
SHA1

552b74d82f4a269c7bb1db3a95aeda90fb9347b5
SHA256

b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e
SHA512

78c10a98892db0ab4271af24f9c8a803160803475e0822315ef2f67b3cecc8d963dddf2a6c043a60948c86266d7438eebe31f80e32725b585ad3052c5d556f04
SSDEEP

3072:oXMCl1RZ72LBQwv2fOQD/coEcX/S/+7QxZjOCtsqe2Jfu8s5XDKyQ/uyhOC94c:6MU1RMLG82fOUhX/T7cJfu84DHXyUC

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1060-133-0x00000000006D0000-0x00000000006D9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

36 3900 rundll32.exe
1 3900 rundll32.exe
55 3900 rundll32.exe
58 3900 rundll32.exe
63 3900 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

D40E.exe291.exe

pid process

5096 D40E.exe
3196 291.exe

flow	pid	process
36	3900	rundll32.exe
1	3900	rundll32.exe
55	3900	rundll32.exe
58	3900	rundll32.exe
63	3900	rundll32.exe

pid	process
5096	D40E.exe
3196	291.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Checkers\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Checkers.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Checkers\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3900 rundll32.exe
4764 svchost.exe
4140 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3900	rundll32.exe
4764	svchost.exe
4140	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3900 set thread context of 2476	3900	rundll32.exe	rundll32.exe
PID 3900 set thread context of 3268	3900	rundll32.exe	rundll32.exe
PID 3900 set thread context of 4020	3900	rundll32.exe	rundll32.exe
PID 3900 set thread context of 948	3900	rundll32.exe	rundll32.exe
PID 3900 set thread context of 1228	3900	rundll32.exe	rundll32.exe
PID 3900 set thread context of 4428	3900	rundll32.exe	rundll32.exe

Drops file in Program Files directory 24 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eBook.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Close.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-mac.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_asym.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Checkers.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AGMGPUOptIn.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sendforcomments.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1912 5096 WerFault.exe D40E.exe
1628 3196 WerFault.exe 291.exe

pid	pid_target	process	target process
1912	5096	WerFault.exe	D40E.exe
1628	3196	WerFault.exe	291.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000030569259100054656d7000003a0009000400efbe6b558a6c305692592e00000000000000000000000000000000000000000000000000cac76b00540065006d007000000014000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3052

pid	process
3052

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe

pid	process
1060	b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe
1060	b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe

pid process

1060 b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe

pid	process
3052

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	3900	rundll32.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2476	rundll32.exe
3052
3052
3052
3052
3052
3052
3052
3052
3900	rundll32.exe
3268	rundll32.exe
3900	rundll32.exe
4020	rundll32.exe
3900	rundll32.exe
948	rundll32.exe
3900	rundll32.exe
1228	rundll32.exe
3900	rundll32.exe
4428	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3052
3052

pid	process
3052
3052

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

D40E.exesvchost.exerundll32.exe

description	pid	process	target process
PID 3052 wrote to memory of 5096	3052		D40E.exe
PID 3052 wrote to memory of 5096	3052		D40E.exe
PID 3052 wrote to memory of 5096	3052		D40E.exe
PID 5096 wrote to memory of 3900	5096	D40E.exe	rundll32.exe
PID 5096 wrote to memory of 3900	5096	D40E.exe	rundll32.exe
PID 5096 wrote to memory of 3900	5096	D40E.exe	rundll32.exe
PID 3052 wrote to memory of 3196	3052		291.exe
PID 3052 wrote to memory of 3196	3052		291.exe
PID 3052 wrote to memory of 3196	3052		291.exe
PID 4764 wrote to memory of 4140	4764	svchost.exe	rundll32.exe
PID 4764 wrote to memory of 4140	4764	svchost.exe	rundll32.exe
PID 4764 wrote to memory of 4140	4764	svchost.exe	rundll32.exe
PID 3900 wrote to memory of 2476	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2476	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2476	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2700	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 2700	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 2700	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4272	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4272	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4272	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 3268	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 3268	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 3268	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2508	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 2508	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 2508	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4020	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 4020	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 3644	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 3644	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 3644	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4020	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 1240	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 1240	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 1240	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 948	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 948	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 948	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 1784	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 1784	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 1784	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 3892	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 3892	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 3892	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 1228	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 1228	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 1228	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 4252	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4252	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4252	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4428	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 4428	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 4428	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2860	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 2860	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 2860	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4108	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4108	3900	rundll32.exe	schtasks.exe
PID 3900 wrote to memory of 4108	3900	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe
"C:\Users\Admin\AppData\Local\Temp\b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Users\Admin\AppData\Local\Temp\D40E.exe
C:\Users\Admin\AppData\Local\Temp\D40E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3900

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2476

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2700

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4272

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2508

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4020

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1240

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:948

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1784

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3892

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1228

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4252

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4428

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2860

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:4940

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3376

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3676

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:4152

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:4896

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:440

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:4344

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1760

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:3020

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2236

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:3180

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2468

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 292
2⤵
- Program crash
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5096 -ip 5096
1⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\291.exe
C:\Users\Admin\AppData\Local\Temp\291.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1264
2⤵
- Program crash
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3196 -ip 3196
1⤵
PID:3664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\checkers.dll",VQxJVUtPVmk=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Checkers.dll
Filesize
774KB

MD5
869943091ef668753b64b8bbe6ba1af7

SHA1
27a026124bbf3ffbdb80efbb4886c71cd9bfecfd

SHA256
6c0ef8b966dad39e8468b1994afe1aa49cbd670237e7dbaf33df277fdba87b03

SHA512
656038530773d3b157fcf7a7577da03ae15c45087f7c49791f7553684f87555f5658ba398792a28fd710bf06cc585620d7ec8b1df2f58f94ecc1d0117174040c

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Checkers.dll
Filesize
774KB

MD5
869943091ef668753b64b8bbe6ba1af7

SHA1
27a026124bbf3ffbdb80efbb4886c71cd9bfecfd

SHA256
6c0ef8b966dad39e8468b1994afe1aa49cbd670237e7dbaf33df277fdba87b03

SHA512
656038530773d3b157fcf7a7577da03ae15c45087f7c49791f7553684f87555f5658ba398792a28fd710bf06cc585620d7ec8b1df2f58f94ecc1d0117174040c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
7eb2ff3e6ad26430b3d7c1d86bd55042

SHA1
3c1f961bb1317b63fa454d1938e2dfab8fa518be

SHA256
1469f5b82db4cb94fdb24580efe2cf3d30a9bc94ee4d4378b6cce50674999e1a

SHA512
89d6f1ae647cb3e3fc2cd8b1657f22e0fb023bff68482d159f61a6d1f8dd97b6c6d4e9c9edde989963e97740371a1dbd45b5f0524532c81cd082636e5d971e13

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
827B

MD5
ded8a0ae2ade3e3cab8bfbfea00b969f

SHA1
73752c78795a78ef3b742ad41737959e6f51ee42

SHA256
ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85

SHA512
3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml
Filesize
6KB

MD5
e2a07f037256d69937145aea357735fe

SHA1
07ce3d26f68b90604543f441bf75f57fbf6f5f99

SHA256
0f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257

SHA512
f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.xml
Filesize
1KB

MD5
d8c0aaaa1d4b2386b683f9f0e0150986

SHA1
98aa9efe9aa9e7c9b1c27eb70e1a704a5fc1315d

SHA256
47740c23beeeeccfc9a10b8ffc82c745385403faef48c5f4b9fb7c092f9e6083

SHA512
41c3f40a8ee3f353634fba846938a7aec4bb5b8f6b98f3f108c22c1278b4df4d97b1cf43a096f896b4130249040f5d6931cf1275876ec1ec0fc6a1e1cb99d56c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SettingsLocationTemplate2013.xsd
Filesize
11KB

MD5
492e8dea7892f6198ee95b42424eab81

SHA1
246cc91c7d3e5d780e78192ee033f791e516b127

SHA256
e86dc0cf66df362220ae64e89480897d23fc7a54b475be3f7f78fb9cdc9ab3b7

SHA512
577a6b692f0e09e03f294d1aaab112450fcc6abfc6240074997bdeb050f229c4849f76828d815f862b7215ec24cc3aad5aa516da0d0a1ec84b1041fdf2c3a63c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
cccea772d13a5229a7268ca976c849f0

SHA1
420eb801c8ddc724ee5ea766f274a04df077b1cf

SHA256
324b92ff8ee78d9fa7dbf5e1fc104b62193e9a0155404f4c51094b320e772970

SHA512
3c4d6d129538bb834e8fcd4b39aff4095b807c4871f2969697e1a775aec6da7879a0823782092b22159c0005409cf5a4168b5937e58795a963a6d6c3fdcdc3a3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml
Filesize
1KB

MD5
93a100713ff56b66e15f984d3100aab7

SHA1
4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656

SHA256
0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26

SHA512
df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\291.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\291.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D40E.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\D40E.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\checkers.dll
Filesize
774KB

MD5
869943091ef668753b64b8bbe6ba1af7

SHA1
27a026124bbf3ffbdb80efbb4886c71cd9bfecfd

SHA256
6c0ef8b966dad39e8468b1994afe1aa49cbd670237e7dbaf33df277fdba87b03

SHA512
656038530773d3b157fcf7a7577da03ae15c45087f7c49791f7553684f87555f5658ba398792a28fd710bf06cc585620d7ec8b1df2f58f94ecc1d0117174040c

Download Submit
memory/440-269-0x0000000000000000-mapping.dmp

Download
memory/948-212-0x00007FF72D7E6890-mapping.dmp

Download
memory/948-214-0x000001F40D8E0000-0x000001F40DB95000-memory.dmp

Filesize
2.7MB

Download
memory/948-215-0x000001F40F340000-0x000001F40F480000-memory.dmp

Filesize
1.2MB

Download
memory/948-217-0x000001F40D8E0000-0x000001F40DB95000-memory.dmp

Filesize
2.7MB

Download
memory/948-213-0x000001F40F340000-0x000001F40F480000-memory.dmp

Filesize
1.2MB

Download
memory/1060-132-0x00000000007CE000-0x00000000007E4000-memory.dmp

Filesize
88KB

Download
memory/1060-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-133-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/1228-228-0x0000014F143D0000-0x0000014F14685000-memory.dmp

Filesize
2.7MB

Download
memory/1228-223-0x00007FF72D7E6890-mapping.dmp

Download
memory/1228-226-0x0000014F143D0000-0x0000014F14685000-memory.dmp

Filesize
2.7MB

Download
memory/1228-225-0x0000014F15E30000-0x0000014F15F70000-memory.dmp

Filesize
1.2MB

Download
memory/1228-224-0x0000014F15E30000-0x0000014F15F70000-memory.dmp

Filesize
1.2MB

Download
memory/1240-207-0x0000000000000000-mapping.dmp

Download
memory/1760-280-0x0000000000000000-mapping.dmp

Download
memory/1784-216-0x0000000000000000-mapping.dmp

Download
memory/2236-291-0x0000000000000000-mapping.dmp

Download
memory/2412-308-0x00007FF72D7E6890-mapping.dmp

Download
memory/2468-301-0x0000000000000000-mapping.dmp

Download
memory/2476-180-0x00000227EA1E0000-0x00000227EA320000-memory.dmp

Filesize
1.2MB

Download
memory/2476-178-0x00007FF72D7E6890-mapping.dmp

Download
memory/2476-184-0x00000227EA340000-0x00000227EA5F5000-memory.dmp

Filesize
2.7MB

Download
memory/2476-182-0x00000227EA340000-0x00000227EA5F5000-memory.dmp

Filesize
2.7MB

Download
memory/2476-181-0x0000000000F10000-0x00000000011B4000-memory.dmp

Filesize
2.6MB

Download
memory/2476-179-0x00000227EA1E0000-0x00000227EA320000-memory.dmp

Filesize
1.2MB

Download
memory/2508-195-0x0000000000000000-mapping.dmp

Download
memory/2700-183-0x0000000000000000-mapping.dmp

Download
memory/2860-237-0x0000000000000000-mapping.dmp

Download
memory/3020-292-0x0000028F6CD80000-0x0000028F6D035000-memory.dmp

Filesize
2.7MB

Download
memory/3020-289-0x0000028F6CD80000-0x0000028F6D035000-memory.dmp

Filesize
2.7MB

Download
memory/3020-286-0x00007FF72D7E6890-mapping.dmp

Download
memory/3180-300-0x00000157B5380000-0x00000157B5635000-memory.dmp

Filesize
2.7MB

Download
memory/3180-303-0x00000157B5380000-0x00000157B5635000-memory.dmp

Filesize
2.7MB

Download
memory/3180-297-0x00007FF72D7E6890-mapping.dmp

Download
memory/3196-151-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3196-150-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3196-149-0x00000000006A0000-0x00000000006CA000-memory.dmp

Filesize
168KB

Download
memory/3196-148-0x000000000078D000-0x00000000007A7000-memory.dmp

Filesize
104KB

Download
memory/3196-145-0x0000000000000000-mapping.dmp

Download
memory/3268-191-0x00000242A95F0000-0x00000242A9730000-memory.dmp

Filesize
1.2MB

Download
memory/3268-192-0x00000242A95F0000-0x00000242A9730000-memory.dmp

Filesize
1.2MB

Download
memory/3268-193-0x00000242A7D20000-0x00000242A7FD5000-memory.dmp

Filesize
2.7MB

Download
memory/3268-190-0x00007FF72D7E6890-mapping.dmp

Download
memory/3268-196-0x00000242A7D20000-0x00000242A7FD5000-memory.dmp

Filesize
2.7MB

Download
memory/3376-248-0x0000000000000000-mapping.dmp

Download
memory/3644-198-0x0000000000000000-mapping.dmp

Download
memory/3676-250-0x0000000000000000-mapping.dmp

Download
memory/3892-218-0x0000000000000000-mapping.dmp

Download
memory/3900-252-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-177-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-200-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-253-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-154-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-254-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-153-0x0000000005BF0000-0x0000000006745000-memory.dmp

Filesize
11.3MB

Download
memory/3900-152-0x0000000005BF0000-0x0000000006745000-memory.dmp

Filesize
11.3MB

Download
memory/3900-199-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-208-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-209-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-210-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-211-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-197-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-275-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-189-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-188-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-187-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-186-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-274-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-219-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-220-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-221-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-222-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-273-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-251-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-176-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-175-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-272-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-173-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-229-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-230-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-231-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-232-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-201-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-156-0x0000000005BF0000-0x0000000006745000-memory.dmp

Filesize
11.3MB

Download
memory/3900-155-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-264-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-263-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-261-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-262-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-240-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-241-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-243-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-242-0x0000000005210000-0x0000000005350000-memory.dmp

Filesize
1.2MB

Download
memory/3900-139-0x0000000000000000-mapping.dmp

Download
memory/4020-206-0x00000260A8E10000-0x00000260A90C5000-memory.dmp

Filesize
2.7MB

Download
memory/4020-205-0x00000260A8E10000-0x00000260A90C5000-memory.dmp

Filesize
2.7MB

Download
memory/4020-204-0x00000260A8CC0000-0x00000260A8E00000-memory.dmp

Filesize
1.2MB

Download
memory/4020-203-0x00000260A8CC0000-0x00000260A8E00000-memory.dmp

Filesize
1.2MB

Download
memory/4020-202-0x00007FF72D7E6890-mapping.dmp

Download
memory/4108-238-0x0000000000000000-mapping.dmp

Download
memory/4140-171-0x0000000004690000-0x00000000051E5000-memory.dmp

Filesize
11.3MB

Download
memory/4140-169-0x0000000000000000-mapping.dmp

Download
memory/4140-172-0x0000000004690000-0x00000000051E5000-memory.dmp

Filesize
11.3MB

Download
memory/4140-174-0x0000000004690000-0x00000000051E5000-memory.dmp

Filesize
11.3MB

Download
memory/4144-260-0x0000000000000000-mapping.dmp

Download
memory/4152-255-0x00007FF72D7E6890-mapping.dmp

Download
memory/4152-256-0x0000022DA5EA0000-0x0000022DA5FE0000-memory.dmp

Filesize
1.2MB

Download
memory/4152-257-0x0000022DA5EA0000-0x0000022DA5FE0000-memory.dmp

Filesize
1.2MB

Download
memory/4152-258-0x0000022DA45D0000-0x0000022DA4885000-memory.dmp

Filesize
2.7MB

Download
memory/4152-259-0x0000022DA45D0000-0x0000022DA4885000-memory.dmp

Filesize
2.7MB

Download
memory/4252-227-0x0000000000000000-mapping.dmp

Download
memory/4272-185-0x0000000000000000-mapping.dmp

Download
memory/4344-279-0x00000110A2C50000-0x00000110A2F05000-memory.dmp

Filesize
2.7MB

Download
memory/4344-277-0x00000110A46B0000-0x00000110A47F0000-memory.dmp

Filesize
1.2MB

Download
memory/4344-276-0x00007FF72D7E6890-mapping.dmp

Download
memory/4344-281-0x00000110A2C50000-0x00000110A2F05000-memory.dmp

Filesize
2.7MB

Download
memory/4428-239-0x00000250DD5C0000-0x00000250DD875000-memory.dmp

Filesize
2.7MB

Download
memory/4428-233-0x00007FF72D7E6890-mapping.dmp

Download
memory/4428-234-0x00000250DEEA0000-0x00000250DEFE0000-memory.dmp

Filesize
1.2MB

Download
memory/4428-235-0x00000250DD5C0000-0x00000250DD875000-memory.dmp

Filesize
2.7MB

Download
memory/4428-236-0x00000250DEEA0000-0x00000250DEFE0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-271-0x0000000000000000-mapping.dmp

Download
memory/4764-161-0x0000000004030000-0x0000000004B85000-memory.dmp

Filesize
11.3MB

Download
memory/4764-160-0x0000000004030000-0x0000000004B85000-memory.dmp

Filesize
11.3MB

Download
memory/4764-194-0x0000000004030000-0x0000000004B85000-memory.dmp

Filesize
11.3MB

Download
memory/4824-302-0x0000000000000000-mapping.dmp

Download
memory/4896-268-0x000001ED98790000-0x000001ED98A45000-memory.dmp

Filesize
2.7MB

Download
memory/4896-270-0x000001ED98790000-0x000001ED98A45000-memory.dmp

Filesize
2.7MB

Download
memory/4896-267-0x000001ED9A1F0000-0x000001ED9A330000-memory.dmp

Filesize
1.2MB

Download
memory/4896-266-0x000001ED9A1F0000-0x000001ED9A330000-memory.dmp

Filesize
1.2MB

Download
memory/4896-265-0x00007FF72D7E6890-mapping.dmp

Download
memory/4940-247-0x000001DA12560000-0x000001DA12815000-memory.dmp

Filesize
2.7MB

Download
memory/4940-249-0x000001DA12560000-0x000001DA12815000-memory.dmp

Filesize
2.7MB

Download
memory/4940-246-0x000001DA13FC0000-0x000001DA14100000-memory.dmp

Filesize
1.2MB

Download
memory/4940-245-0x000001DA13FC0000-0x000001DA14100000-memory.dmp

Filesize
1.2MB

Download
memory/4940-244-0x00007FF72D7E6890-mapping.dmp

Download
memory/5044-290-0x0000000000000000-mapping.dmp

Download
memory/5096-144-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5096-143-0x00000000023D0000-0x00000000024FE000-memory.dmp

Filesize
1.2MB

Download
memory/5096-142-0x00000000021DE000-0x00000000022C7000-memory.dmp

Filesize
932KB

Download
memory/5096-136-0x0000000000000000-mapping.dmp

Download