lumma | 5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54

Analysis

max time kernel
121s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe
Size

232KB
MD5

815a4342153b6263bb0d174c67d1a59c
SHA1

ffab6fa76ec5e563d9e6cc09c57dd5502eb3c979
SHA256

5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54
SHA512

aff6974eab86d945d1a1151c3447604bc3629b1ce49da498064ed5c9b6b0f2b9c9a8090cf09361e31702d552bae508c15aef1c1305db4c97ac7ee447ea27e911
SSDEEP

6144:noQAJLuC4RZUjYziPqPUs9Cvz3jDHXyUC:noQ2y7RqPqPUsUvzfi

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2896-133-0x00000000005F0000-0x00000000005F9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

42 2632 rundll32.exe
45 2632 rundll32.exe
52 2632 rundll32.exe
53 2632 rundll32.exe
64 2632 rundll32.exe
70 2632 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

C837.exeD7F7.exe

pid process

4152 C837.exe
5008 D7F7.exe

flow	pid	process
42	2632	rundll32.exe
45	2632	rundll32.exe
52	2632	rundll32.exe
53	2632	rundll32.exe
64	2632	rundll32.exe
70	2632	rundll32.exe

pid	process
4152	C837.exe
5008	D7F7.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tesselate\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\tesselate.dll紀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tesselate\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\tesselate.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tesselate\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2632 rundll32.exe
4404 svchost.exe
4296 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2632	rundll32.exe
4404	svchost.exe
4296	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2632 set thread context of 432	2632	rundll32.exe	rundll32.exe
PID 2632 set thread context of 2032	2632	rundll32.exe	rundll32.exe
PID 2632 set thread context of 2008	2632	rundll32.exe	rundll32.exe
PID 2632 set thread context of 3744	2632	rundll32.exe	rundll32.exe
PID 2632 set thread context of 3276	2632	rundll32.exe	rundll32.exe
PID 2632 set thread context of 2212	2632	rundll32.exe	rundll32.exe
PID 2632 set thread context of 2712	2632	rundll32.exe	rundll32.exe

Drops file in Program Files directory 13 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.sig	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_joined.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5044 4152 WerFault.exe C837.exe
3604 5008 WerFault.exe D7F7.exe

pid	pid_target	process	target process
5044	4152	WerFault.exe	C837.exe
3604	5008	WerFault.exe	D7F7.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1012

pid	process
1012

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe

pid	process
2896	5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe
2896	5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1012
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe

pid process

2896 5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe

pid	process
1012

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeDebugPrivilege	2632	rundll32.exe
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
432	rundll32.exe
1012
1012
1012
1012
1012
1012
1012
1012
2632	rundll32.exe
2032	rundll32.exe
2632	rundll32.exe
2008	rundll32.exe
3744	rundll32.exe
2632	rundll32.exe
3276	rundll32.exe
2632	rundll32.exe
2212	rundll32.exe
2632	rundll32.exe
2712	rundll32.exe
2632	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1012
1012

pid	process
1012
1012

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C837.exesvchost.exerundll32.exe

description	pid	process	target process
PID 1012 wrote to memory of 4152	1012		C837.exe
PID 1012 wrote to memory of 4152	1012		C837.exe
PID 1012 wrote to memory of 4152	1012		C837.exe
PID 1012 wrote to memory of 5008	1012		D7F7.exe
PID 1012 wrote to memory of 5008	1012		D7F7.exe
PID 1012 wrote to memory of 5008	1012		D7F7.exe
PID 4152 wrote to memory of 2632	4152	C837.exe	rundll32.exe
PID 4152 wrote to memory of 2632	4152	C837.exe	rundll32.exe
PID 4152 wrote to memory of 2632	4152	C837.exe	rundll32.exe
PID 4404 wrote to memory of 4296	4404	svchost.exe	rundll32.exe
PID 4404 wrote to memory of 4296	4404	svchost.exe	rundll32.exe
PID 4404 wrote to memory of 4296	4404	svchost.exe	rundll32.exe
PID 2632 wrote to memory of 432	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 432	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 432	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 4444	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4444	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4444	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2032	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2032	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2032	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2424	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2424	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2424	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 3940	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 3940	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 3940	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2008	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2008	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2008	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 1552	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 1552	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 1552	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 3744	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 3744	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 3744	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2432	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2432	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2432	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4152	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4152	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4152	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 3276	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 3276	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 3276	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 4992	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4992	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4992	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4436	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4436	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4436	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2212	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2212	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2212	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 1828	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 1828	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 1828	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2712	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2712	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 4896	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4896	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 4896	2632	rundll32.exe	schtasks.exe
PID 2632 wrote to memory of 2712	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 3728	2632	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe
"C:\Users\Admin\AppData\Local\Temp\5402bb9bdc834258402ce782268c9099783e0ca7f9ead90a15827e7d3d3dcd54.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2896

C:\Users\Admin\AppData\Local\Temp\C837.exe
C:\Users\Admin\AppData\Local\Temp\C837.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2632

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:432

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4444

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2424

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3940

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2008

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1552

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3744

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4152

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3276

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4436

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2212

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1828

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Suspicious use of FindShellTrayWindow
PID:2712

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4896

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3728

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1068

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3368

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3996

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5108

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 564
2⤵
- Program crash
PID:5044

C:\Users\Admin\AppData\Local\Temp\D7F7.exe
C:\Users\Admin\AppData\Local\Temp\D7F7.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1352
2⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4152 -ip 4152
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5008 -ip 5008
1⤵
PID:4584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\tesselate.dll",ZxRTNWFJ
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4296

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\tesselate.dll",ZxRTNWFJ
2⤵
PID:2444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.dll
Filesize
774KB

MD5
885d4ae3e0f4f0a51463f2176be0e748

SHA1
4504dbabf398245d435fba46a78ede06ace27d48

SHA256
edff258e70d1661ef5ca2eb17ab689e0b3151186cea489f8b94da4db0cf75b5a

SHA512
fefa936cefef3c721b464a59f8ef042e38426124f3d04dbcbabc6e63e1dc7c78d6c04eb49705c0c015fd8725f90328257db4841414c4ce851de6360d929a4bf9

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.dll
Filesize
774KB

MD5
885d4ae3e0f4f0a51463f2176be0e748

SHA1
4504dbabf398245d435fba46a78ede06ace27d48

SHA256
edff258e70d1661ef5ca2eb17ab689e0b3151186cea489f8b94da4db0cf75b5a

SHA512
fefa936cefef3c721b464a59f8ef042e38426124f3d04dbcbabc6e63e1dc7c78d6c04eb49705c0c015fd8725f90328257db4841414c4ce851de6360d929a4bf9

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.dll
Filesize
774KB

MD5
885d4ae3e0f4f0a51463f2176be0e748

SHA1
4504dbabf398245d435fba46a78ede06ace27d48

SHA256
edff258e70d1661ef5ca2eb17ab689e0b3151186cea489f8b94da4db0cf75b5a

SHA512
fefa936cefef3c721b464a59f8ef042e38426124f3d04dbcbabc6e63e1dc7c78d6c04eb49705c0c015fd8725f90328257db4841414c4ce851de6360d929a4bf9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
2KB

MD5
2ff808c347a1bd28f3df3bc8873d73d6

SHA1
afc3b29446a1e5ea641db1c5f1521b2f5c814581

SHA256
6d6bb6749a28b69f42fede441d1c84dbff9c3f69938e637eee4fc260d0c92301

SHA512
33c2861f5b1f0b87be1f7a5d59313d5977d284ba70a126541f2daed6297ac35cf11c4f43107148f05da7e4748f49b3e99335d4c2164ba04e0a4f17830afd1706

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftLync2013Win64.xml
Filesize
2KB

MD5
e3a68bbd204d36868c6f5570e4576675

SHA1
bc5c44144e8e962c62f7febabdb3d0ba20a8162a

SHA256
11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac

SHA512
7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SystemIndex.1.Crwl
Filesize
1KB

MD5
bbe25f9676ef1a2707f160f75e6c2650

SHA1
9a77c871abc3b03bd6fe2fabe2ae98cd253f21be

SHA256
f7763d2680a56d6f905125b25da6cfc5685d5ce620df355e2f5c1d21d52cdc88

SHA512
ad30d3cc20e52e90f589b5329ba3734d6435a789698d65d0075b12b37b24c51713faebabf9a02d3db9fe512feda4bc29442447c46a65b6aeccf42d9902eac734

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
8e46d52f9eb2aab18a58025f88f04836

SHA1
660e0b367daf20a53821754895e79c9e65bd7876

SHA256
cbcd4bb1118306f59ec2a4ebd0aabe6c27ba23347b4e54912300aa903ebc177e

SHA512
dc9deb60bcb46639814556faa603d33f33de0015ce14eede9bb8cff4b7cb8776ee16882be0036ee7c3fb45977045f49c1e1cf2173476001d9363832e6c9ba250

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\background.png
Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C837.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\C837.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7F7.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7F7.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\tesselate.dll
Filesize
774KB

MD5
885d4ae3e0f4f0a51463f2176be0e748

SHA1
4504dbabf398245d435fba46a78ede06ace27d48

SHA256
edff258e70d1661ef5ca2eb17ab689e0b3151186cea489f8b94da4db0cf75b5a

SHA512
fefa936cefef3c721b464a59f8ef042e38426124f3d04dbcbabc6e63e1dc7c78d6c04eb49705c0c015fd8725f90328257db4841414c4ce851de6360d929a4bf9

Download Submit
memory/432-198-0x0000027A111B0000-0x0000027A112F0000-memory.dmp

Filesize
1.2MB

Download
memory/432-197-0x00007FF6B45A6890-mapping.dmp

Download
memory/432-200-0x0000027A111B0000-0x0000027A112F0000-memory.dmp

Filesize
1.2MB

Download
memory/432-201-0x0000027A11330000-0x0000027A115E5000-memory.dmp

Filesize
2.7MB

Download
memory/432-199-0x0000000000EE0000-0x0000000001184000-memory.dmp

Filesize
2.6MB

Download
memory/432-206-0x0000027A11330000-0x0000027A115E5000-memory.dmp

Filesize
2.7MB

Download
memory/1012-160-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-149-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-156-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-157-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-158-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-159-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-161-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-148-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-162-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-163-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-164-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-165-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/1012-167-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/1012-166-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/1012-168-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/1012-150-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-151-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-153-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-152-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-173-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/1012-174-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/1012-175-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/1012-154-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1012-155-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1068-273-0x0000000000000000-mapping.dmp

Download
memory/1552-227-0x0000000000000000-mapping.dmp

Download
memory/1828-260-0x0000000000000000-mapping.dmp

Download
memory/2008-228-0x0000024574D40000-0x0000024574FF5000-memory.dmp

Filesize
2.7MB

Download
memory/2008-223-0x00007FF6B45A6890-mapping.dmp

Download
memory/2008-224-0x0000024576610000-0x0000024576750000-memory.dmp

Filesize
1.2MB

Download
memory/2008-226-0x0000024574D40000-0x0000024574FF5000-memory.dmp

Filesize
2.7MB

Download
memory/2008-225-0x0000024576610000-0x0000024576750000-memory.dmp

Filesize
1.2MB

Download
memory/2032-211-0x00007FF6B45A6890-mapping.dmp

Download
memory/2032-217-0x0000026145F30000-0x00000261461E5000-memory.dmp

Filesize
2.7MB

Download
memory/2032-213-0x0000026147990000-0x0000026147AD0000-memory.dmp

Filesize
1.2MB

Download
memory/2032-214-0x0000026147990000-0x0000026147AD0000-memory.dmp

Filesize
1.2MB

Download
memory/2032-215-0x0000026145F30000-0x00000261461E5000-memory.dmp

Filesize
2.7MB

Download
memory/2212-261-0x000002AB43690000-0x000002AB43945000-memory.dmp

Filesize
2.7MB

Download
memory/2212-259-0x000002AB43690000-0x000002AB43945000-memory.dmp

Filesize
2.7MB

Download
memory/2212-258-0x000002AB450F0000-0x000002AB45230000-memory.dmp

Filesize
1.2MB

Download
memory/2212-256-0x00007FF6B45A6890-mapping.dmp

Download
memory/2212-257-0x000002AB450F0000-0x000002AB45230000-memory.dmp

Filesize
1.2MB

Download
memory/2424-212-0x0000000000000000-mapping.dmp

Download
memory/2432-237-0x0000000000000000-mapping.dmp

Download
memory/2444-281-0x0000000000000000-mapping.dmp

Download
memory/2444-283-0x0000000004C40000-0x0000000005795000-memory.dmp

Filesize
11.3MB

Download
memory/2444-284-0x0000000004C40000-0x0000000005795000-memory.dmp

Filesize
11.3MB

Download
memory/2632-178-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-280-0x0000000005960000-0x00000000064B5000-memory.dmp

Filesize
11.3MB

Download
memory/2632-266-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-265-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-263-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-247-0x0000000005070000-0x0000000005072000-memory.dmp

Filesize
8KB

Download
memory/2632-207-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-208-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-209-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-210-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-253-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-243-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-142-0x0000000000000000-mapping.dmp

Download
memory/2632-196-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-195-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-262-0x0000000005070000-0x0000000005072000-memory.dmp

Filesize
8KB

Download
memory/2632-194-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-193-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-219-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-220-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-221-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-222-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-254-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-267-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-242-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-241-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-180-0x0000000005960000-0x00000000064B5000-memory.dmp

Filesize
11.3MB

Download
memory/2632-179-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-229-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-230-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-231-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-232-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-177-0x0000000005960000-0x00000000064B5000-memory.dmp

Filesize
11.3MB

Download
memory/2632-176-0x0000000005960000-0x00000000064B5000-memory.dmp

Filesize
11.3MB

Download
memory/2632-240-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-255-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2632-252-0x0000000005070000-0x00000000051B0000-memory.dmp

Filesize
1.2MB

Download
memory/2712-274-0x000001E763270000-0x000001E763525000-memory.dmp

Filesize
2.7MB

Download
memory/2712-271-0x000001E763270000-0x000001E763525000-memory.dmp

Filesize
2.7MB

Download
memory/2712-270-0x000001E763110000-0x000001E763250000-memory.dmp

Filesize
1.2MB

Download
memory/2712-269-0x000001E763110000-0x000001E763250000-memory.dmp

Filesize
1.2MB

Download
memory/2712-268-0x00007FF6B45A6890-mapping.dmp

Download
memory/2896-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-132-0x00000000004AE000-0x00000000004C4000-memory.dmp

Filesize
88KB

Download
memory/2896-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-133-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/3208-279-0x0000000000000000-mapping.dmp

Download
memory/3276-246-0x0000021054900000-0x0000021054A40000-memory.dmp

Filesize
1.2MB

Download
memory/3276-250-0x0000021052EA0000-0x0000021053155000-memory.dmp

Filesize
2.7MB

Download
memory/3276-248-0x0000021052EA0000-0x0000021053155000-memory.dmp

Filesize
2.7MB

Download
memory/3276-245-0x0000021054900000-0x0000021054A40000-memory.dmp

Filesize
1.2MB

Download
memory/3276-244-0x00007FF6B45A6890-mapping.dmp

Download
memory/3368-275-0x0000000000000000-mapping.dmp

Download
memory/3728-272-0x0000000000000000-mapping.dmp

Download
memory/3744-236-0x000001B2A32D0000-0x000001B2A3585000-memory.dmp

Filesize
2.7MB

Download
memory/3744-239-0x000001B2A32D0000-0x000001B2A3585000-memory.dmp

Filesize
2.7MB

Download
memory/3744-235-0x000001B2A4D30000-0x000001B2A4E70000-memory.dmp

Filesize
1.2MB

Download
memory/3744-234-0x000001B2A4D30000-0x000001B2A4E70000-memory.dmp

Filesize
1.2MB

Download
memory/3744-233-0x00007FF6B45A6890-mapping.dmp

Download
memory/3940-218-0x0000000000000000-mapping.dmp

Download
memory/3996-277-0x0000000000000000-mapping.dmp

Download
memory/4152-238-0x0000000000000000-mapping.dmp

Download
memory/4152-145-0x000000000215B000-0x0000000002244000-memory.dmp

Filesize
932KB

Download
memory/4152-146-0x0000000002350000-0x000000000247E000-memory.dmp

Filesize
1.2MB

Download
memory/4152-147-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4152-136-0x0000000000000000-mapping.dmp

Download
memory/4296-202-0x0000000004DA0000-0x00000000058F5000-memory.dmp

Filesize
11.3MB

Download
memory/4296-204-0x0000000004DA0000-0x00000000058F5000-memory.dmp

Filesize
11.3MB

Download
memory/4296-191-0x0000000000000000-mapping.dmp

Download
memory/4296-203-0x0000000004DA0000-0x00000000058F5000-memory.dmp

Filesize
11.3MB

Download
memory/4404-185-0x0000000004490000-0x0000000004FE5000-memory.dmp

Filesize
11.3MB

Download
memory/4404-184-0x0000000004490000-0x0000000004FE5000-memory.dmp

Filesize
11.3MB

Download
memory/4404-216-0x0000000004490000-0x0000000004FE5000-memory.dmp

Filesize
11.3MB

Download
memory/4436-251-0x0000000000000000-mapping.dmp

Download
memory/4444-205-0x0000000000000000-mapping.dmp

Download
memory/4672-276-0x0000000000000000-mapping.dmp

Download
memory/4896-264-0x0000000000000000-mapping.dmp

Download
memory/4992-249-0x0000000000000000-mapping.dmp

Download
memory/5008-169-0x00000000006FD000-0x0000000000717000-memory.dmp

Filesize
104KB

Download
memory/5008-170-0x00000000006A0000-0x00000000006CA000-memory.dmp

Filesize
168KB

Download
memory/5008-171-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5008-139-0x0000000000000000-mapping.dmp

Download
memory/5008-172-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5108-278-0x0000000000000000-mapping.dmp

Download