lumma | b9d365f8e01cb3b33d49a739a5f53f956fb537a78026d800230d9cab76fad639

Analysis

max time kernel
99s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe
Size

210KB
MD5

f9d5547d2b90217299de74cdce89c333
SHA1

0877d2eff69060fcb0ec06b7111d98cb1061be3f
SHA256

d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1
SHA512

b65da968ba9ab32346fea2ec1f9e590611e49a8f357946fae3c2c997ce9b22b8e51bdd286c1fcfe489d7964dbefaaf70081bf5404d3339b9378d90efde0b7644
SSDEEP

1536:TYQukbw0XBPu2+fYkFprewBYwPRjlEf5Zd5Tx4t4qHcuTuoLlJAhCLYnoJbUuiyj:TYXWwY+R+d5Q7TLk7noJgWFCfsJ+ri

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3544-133-0x0000000002CF0000-0x0000000002CF9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

46 5092 rundll32.exe
49 5092 rundll32.exe
63 5092 rundll32.exe
67 5092 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

327A.exe5EBB.exe

pid process

4156 327A.exe
4308 5EBB.exe

flow	pid	process
46	5092	rundll32.exe
49	5092	rundll32.exe
63	5092	rundll32.exe
67	5092	rundll32.exe

pid	process
4156	327A.exe
4308	5EBB.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fillandsign\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\fillandsign.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fillandsign\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

5092 rundll32.exe
4488 svchost.exe
2336 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5092	rundll32.exe
4488	svchost.exe
2336	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5092 set thread context of 4880	5092	rundll32.exe	rundll32.exe
PID 5092 set thread context of 2628	5092	rundll32.exe	rundll32.exe
PID 5092 set thread context of 4124	5092	rundll32.exe	rundll32.exe
PID 5092 set thread context of 452	5092	rundll32.exe	rundll32.exe
PID 5092 set thread context of 2232	5092	rundll32.exe	rundll32.exe

Drops file in Program Files directory 32 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WCChromeNativeMessagingHost.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DropboxStorage.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\64BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reflow.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Redact_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\server_issue.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2172 4156 WerFault.exe 327A.exe
4804 4308 WerFault.exe 5EBB.exe

pid	pid_target	process	target process
2172	4156	WerFault.exe	327A.exe
4804	4308	WerFault.exe	5EBB.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056074f100054656d7000003a0009000400efbe21550a583056074f2e000000000000000000000000000000000000000000000000003879c600540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3056

pid	process
3056

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe

pid	process
3544	d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe
3544	d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe

pid process

3544 d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe

pid	process
3056

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	5092	rundll32.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
4880	rundll32.exe
3056
3056
3056
3056
5092	rundll32.exe
3056
3056
3056
3056
2628	rundll32.exe
5092	rundll32.exe
4124	rundll32.exe
5092	rundll32.exe
452	rundll32.exe
2232	rundll32.exe
5092	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3056
3056

pid	process
3056
3056

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

327A.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3056 wrote to memory of 4156	3056		327A.exe
PID 3056 wrote to memory of 4156	3056		327A.exe
PID 3056 wrote to memory of 4156	3056		327A.exe
PID 4156 wrote to memory of 5092	4156	327A.exe	rundll32.exe
PID 4156 wrote to memory of 5092	4156	327A.exe	rundll32.exe
PID 4156 wrote to memory of 5092	4156	327A.exe	rundll32.exe
PID 3056 wrote to memory of 4308	3056		5EBB.exe
PID 3056 wrote to memory of 4308	3056		5EBB.exe
PID 3056 wrote to memory of 4308	3056		5EBB.exe
PID 5092 wrote to memory of 4880	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 4880	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 4880	5092	rundll32.exe	rundll32.exe
PID 4488 wrote to memory of 2336	4488	svchost.exe	rundll32.exe
PID 4488 wrote to memory of 2336	4488	svchost.exe	rundll32.exe
PID 4488 wrote to memory of 2336	4488	svchost.exe	rundll32.exe
PID 5092 wrote to memory of 3988	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 3988	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 3988	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 1020	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 1020	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 1020	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 2628	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 2628	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 2628	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 3932	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 3932	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 3932	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4124	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 4124	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 4124	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 4500	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4500	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4500	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 452	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 452	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 452	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 1660	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 1660	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 1660	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4684	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4684	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4684	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 2232	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 2232	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 2232	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 1436	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 1436	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 1436	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4436	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4436	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4436	5092	rundll32.exe	schtasks.exe
PID 5092 wrote to memory of 4548	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 4548	5092	rundll32.exe	rundll32.exe
PID 5092 wrote to memory of 4548	5092	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe
"C:\Users\Admin\AppData\Local\Temp\d708c20c802eb0cd32e396585a88b761f76bb767a8bb5a2ce60d58499ad7aca1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3544

C:\Users\Admin\AppData\Local\Temp\327A.exe
C:\Users\Admin\AppData\Local\Temp\327A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5092

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3988

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1020

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2628

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3932

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4124

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4500

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:452

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4684

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4436

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4548

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:4576

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3728

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1784

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3024

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2556

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4148

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3860

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:216

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3608

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2248

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3796

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 560
2⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4156 -ip 4156
1⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\5EBB.exe
C:\Users\Admin\AppData\Local\Temp\5EBB.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1340
2⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4308 -ip 4308
1⤵
PID:1720

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\fillandsign.dll",SjkRUUg=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2336

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\fillandsign.dll",SjkRUUg=
2⤵
PID:3824

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\fillandsign.dll",SjkRUUg=
2⤵
PID:3096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll
Filesize
774KB

MD5
597148888685019850d4ff54f6f187f6

SHA1
030b3f2d930cedac99a7ed7661e5d235da326583

SHA256
750b62547126af2f5848d82b2468a07088e3c6c6809883ca11876c93475bba41

SHA512
24453c85b2c9c9fe97697026b2b35c2b4554529656b438a1a28dfe2da73b6b90206176dd36e8d297a0370742212c333dec2c0b43791bdcc797fa9021d353a7dd

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll
Filesize
774KB

MD5
597148888685019850d4ff54f6f187f6

SHA1
030b3f2d930cedac99a7ed7661e5d235da326583

SHA256
750b62547126af2f5848d82b2468a07088e3c6c6809883ca11876c93475bba41

SHA512
24453c85b2c9c9fe97697026b2b35c2b4554529656b438a1a28dfe2da73b6b90206176dd36e8d297a0370742212c333dec2c0b43791bdcc797fa9021d353a7dd

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll
Filesize
774KB

MD5
597148888685019850d4ff54f6f187f6

SHA1
030b3f2d930cedac99a7ed7661e5d235da326583

SHA256
750b62547126af2f5848d82b2468a07088e3c6c6809883ca11876c93475bba41

SHA512
24453c85b2c9c9fe97697026b2b35c2b4554529656b438a1a28dfe2da73b6b90206176dd36e8d297a0370742212c333dec2c0b43791bdcc797fa9021d353a7dd

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll
Filesize
774KB

MD5
597148888685019850d4ff54f6f187f6

SHA1
030b3f2d930cedac99a7ed7661e5d235da326583

SHA256
750b62547126af2f5848d82b2468a07088e3c6c6809883ca11876c93475bba41

SHA512
24453c85b2c9c9fe97697026b2b35c2b4554529656b438a1a28dfe2da73b6b90206176dd36e8d297a0370742212c333dec2c0b43791bdcc797fa9021d353a7dd

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch
Filesize
110B

MD5
37a1115747e63e1c0ead2c66301f22d3

SHA1
44339aa5b475ecc2669a69fa1850ffcbf6fc666e

SHA256
9496889b2cbda0bcb85b8ef91dc323107702c214ee37a7c1057b8fc9c8874589

SHA512
6ecc4b9f1d08bccc3f1ae111391e83b8a1ae3788f532ae3afac5ed91823891aaf6a56385e3856910730d312d5374c779bdab7760d82a685ee99c077a3180357d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml
Filesize
2KB

MD5
e52262399745fe981a7fba69c55f09dc

SHA1
795a06836db2ead992013b55d2d5a87420be43e7

SHA256
838e2cd11573dfcbb74c47621b30c5a7b62b2a063a41282a8e117b7b8fd5ebbc

SHA512
4b146141538edc8428d0bb0c8f314e3cc2f87e9888a82471f5c870a0779655944f8cfc34f5bc7bb2769d08d3ef3bac2cdf4f428d970bc1b480bce722a3b0291e

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32ww.msi.16.x-none.xml
Filesize
331KB

MD5
b5cf5d15a8e6c6f2eb99a5645a2c2336

SHA1
7efe1b634ce1253a6761eb0c54f79dd42b79325f

SHA256
f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c

SHA512
83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
827B

MD5
cf7d0dd53bde6261338a343a4a92c3f5

SHA1
f5326546a46c8a7d2400d743fca320a166331757

SHA256
df0af4b8242dcab107aab8d00add27b9797c00002669ff953667869abb6c77c6

SHA512
9cf52da12c7e703fefff7a5295b7475d95a568d050b210a7b53470dad257793257a4242c89fb00fa22c7319c8be96144b193ec1e51c4d3a751af6765a6935148

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml
Filesize
6KB

MD5
e2a07f037256d69937145aea357735fe

SHA1
07ce3d26f68b90604543f441bf75f57fbf6f5f99

SHA256
0f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257

SHA512
f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftLync2010.xml
Filesize
3KB

MD5
701beb4f8c252fb3c9f5dbdc94648048

SHA1
556ba20475a502b68b7992454be6c64ab355b4ec

SHA256
620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67

SHA512
28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
37270760a12a107b452241fa948916f7

SHA1
2f552aa350ad6e901ce2fec0c6f52c82f8079575

SHA256
cbc8ee8f65135e04b5de5628d824a68746f982c730e779f8b148d3ff68a59112

SHA512
6d62a8ad4f27b237750e042f74433936b2c067ee17478202ff328edd61a8d8b931c5de936410b5e82c4f8e274b444e401585b33f1328e9b89e1fabe6d02be176

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml
Filesize
1KB

MD5
66963736ebb1e54dc596701206eaed3f

SHA1
18bc8dfc779d407398af193f3d265ff93f253bc2

SHA256
fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b

SHA512
96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\stream.x64.en-us.db
Filesize
438KB

MD5
a3c50402ad84ef273e1cbeb541d73389

SHA1
f5821ac76fff71ce7d447da98b5689278032511b

SHA256
d1cc394435822035a1467be9ad69281de6ecb1b1c83750cb7ccd6202d4c96971

SHA512
9518c804b317917243eb3d017a4ba9aed4cd4cbf86477646c33a83777f7cd6d30bacd576cc51069432a5e14f5888e64d9803d9709c10ba25c34bb4234305a53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\327A.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\327A.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EBB.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EBB.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\fillandsign.dll
Filesize
774KB

MD5
597148888685019850d4ff54f6f187f6

SHA1
030b3f2d930cedac99a7ed7661e5d235da326583

SHA256
750b62547126af2f5848d82b2468a07088e3c6c6809883ca11876c93475bba41

SHA512
24453c85b2c9c9fe97697026b2b35c2b4554529656b438a1a28dfe2da73b6b90206176dd36e8d297a0370742212c333dec2c0b43791bdcc797fa9021d353a7dd

Download Submit
memory/116-239-0x0000000000000000-mapping.dmp

Download
memory/216-269-0x0000000000000000-mapping.dmp

Download
memory/452-212-0x00007FF70AF46890-mapping.dmp

Download
memory/452-218-0x000002A019F40000-0x000002A01A1F5000-memory.dmp

Filesize
2.7MB

Download
memory/452-216-0x000002A019F40000-0x000002A01A1F5000-memory.dmp

Filesize
2.7MB

Download
memory/452-214-0x000002A01B9A0000-0x000002A01BAE0000-memory.dmp

Filesize
1.2MB

Download
memory/452-213-0x000002A01B9A0000-0x000002A01BAE0000-memory.dmp

Filesize
1.2MB

Download
memory/1020-185-0x0000000000000000-mapping.dmp

Download
memory/1436-227-0x0000000000000000-mapping.dmp

Download
memory/1572-258-0x00007FF70AF46890-mapping.dmp

Download
memory/1572-259-0x00000231AEF40000-0x00000231AF080000-memory.dmp

Filesize
1.2MB

Download
memory/1572-261-0x00000231AD4C0000-0x00000231AD775000-memory.dmp

Filesize
2.7MB

Download
memory/1572-260-0x00000231AEF40000-0x00000231AF080000-memory.dmp

Filesize
1.2MB

Download
memory/1660-215-0x0000000000000000-mapping.dmp

Download
memory/1784-263-0x0000000000000000-mapping.dmp

Download
memory/2232-224-0x00000226DED60000-0x00000226DEEA0000-memory.dmp

Filesize
1.2MB

Download
memory/2232-226-0x00000226DD300000-0x00000226DD5B5000-memory.dmp

Filesize
2.7MB

Download
memory/2232-225-0x00000226DED60000-0x00000226DEEA0000-memory.dmp

Filesize
1.2MB

Download
memory/2232-228-0x00000226DD300000-0x00000226DD5B5000-memory.dmp

Filesize
2.7MB

Download
memory/2232-223-0x00007FF70AF46890-mapping.dmp

Download
memory/2248-271-0x0000000000000000-mapping.dmp

Download
memory/2336-181-0x00000000053A0000-0x0000000005EF5000-memory.dmp

Filesize
11.3MB

Download
memory/2336-195-0x00000000053A0000-0x0000000005EF5000-memory.dmp

Filesize
11.3MB

Download
memory/2336-171-0x0000000000000000-mapping.dmp

Download
memory/2336-182-0x00000000053A0000-0x0000000005EF5000-memory.dmp

Filesize
11.3MB

Download
memory/2388-279-0x0000000000000000-mapping.dmp

Download
memory/2556-266-0x0000000000000000-mapping.dmp

Download
memory/2628-192-0x0000021FE2960000-0x0000021FE2AA0000-memory.dmp

Filesize
1.2MB

Download
memory/2628-191-0x0000021FE2960000-0x0000021FE2AA0000-memory.dmp

Filesize
1.2MB

Download
memory/2628-193-0x0000021FE1090000-0x0000021FE1345000-memory.dmp

Filesize
2.7MB

Download
memory/2628-190-0x00007FF70AF46890-mapping.dmp

Download
memory/2628-197-0x0000021FE1090000-0x0000021FE1345000-memory.dmp

Filesize
2.7MB

Download
memory/3024-264-0x0000000000000000-mapping.dmp

Download
memory/3096-278-0x0000000005170000-0x0000000005CC5000-memory.dmp

Filesize
11.3MB

Download
memory/3096-276-0x0000000005170000-0x0000000005CC5000-memory.dmp

Filesize
11.3MB

Download
memory/3096-274-0x0000000000000000-mapping.dmp

Download
memory/3544-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3544-133-0x0000000002CF0000-0x0000000002CF9000-memory.dmp

Filesize
36KB

Download
memory/3544-132-0x0000000002D58000-0x0000000002D69000-memory.dmp

Filesize
68KB

Download
memory/3544-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3608-270-0x0000000000000000-mapping.dmp

Download
memory/3728-262-0x0000000000000000-mapping.dmp

Download
memory/3796-273-0x0000000000000000-mapping.dmp

Download
memory/3824-252-0x0000000005480000-0x0000000005FD5000-memory.dmp

Filesize
11.3MB

Download
memory/3824-272-0x0000000005480000-0x0000000005FD5000-memory.dmp

Filesize
11.3MB

Download
memory/3824-251-0x0000000005480000-0x0000000005FD5000-memory.dmp

Filesize
11.3MB

Download
memory/3824-249-0x0000000000000000-mapping.dmp

Download
memory/3824-265-0x0000000005480000-0x0000000005FD5000-memory.dmp

Filesize
11.3MB

Download
memory/3860-268-0x0000000000000000-mapping.dmp

Download
memory/3932-196-0x0000000000000000-mapping.dmp

Download
memory/3988-183-0x0000000000000000-mapping.dmp

Download
memory/4124-202-0x00007FF70AF46890-mapping.dmp

Download
memory/4124-204-0x00000241CB6B0000-0x00000241CB7F0000-memory.dmp

Filesize
1.2MB

Download
memory/4124-206-0x00000241C9C50000-0x00000241C9F05000-memory.dmp

Filesize
2.7MB

Download
memory/4124-207-0x00000241C9C50000-0x00000241C9F05000-memory.dmp

Filesize
2.7MB

Download
memory/4124-203-0x00000241CB6B0000-0x00000241CB7F0000-memory.dmp

Filesize
1.2MB

Download
memory/4148-267-0x0000000000000000-mapping.dmp

Download
memory/4156-143-0x00000000022F0000-0x000000000241E000-memory.dmp

Filesize
1.2MB

Download
memory/4156-144-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4156-142-0x00000000021FE000-0x00000000022E7000-memory.dmp

Filesize
932KB

Download
memory/4156-136-0x0000000000000000-mapping.dmp

Download
memory/4308-148-0x000000000056D000-0x0000000000587000-memory.dmp

Filesize
104KB

Download
memory/4308-145-0x0000000000000000-mapping.dmp

Download
memory/4308-149-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/4308-150-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4308-151-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4436-229-0x0000000000000000-mapping.dmp

Download
memory/4488-175-0x00000000045F0000-0x0000000005145000-memory.dmp

Filesize
11.3MB

Download
memory/4488-194-0x00000000045F0000-0x0000000005145000-memory.dmp

Filesize
11.3MB

Download
memory/4488-160-0x00000000045F0000-0x0000000005145000-memory.dmp

Filesize
11.3MB

Download
memory/4500-205-0x0000000000000000-mapping.dmp

Download
memory/4548-235-0x000001DA34810000-0x000001DA34950000-memory.dmp

Filesize
1.2MB

Download
memory/4548-238-0x000001DA32DB0000-0x000001DA33065000-memory.dmp

Filesize
2.7MB

Download
memory/4548-237-0x000001DA32DB0000-0x000001DA33065000-memory.dmp

Filesize
2.7MB

Download
memory/4548-236-0x000001DA34810000-0x000001DA34950000-memory.dmp

Filesize
1.2MB

Download
memory/4548-234-0x00007FF70AF46890-mapping.dmp

Download
memory/4576-253-0x000001D367CA0000-0x000001D367F55000-memory.dmp

Filesize
2.7MB

Download
memory/4576-248-0x000001D367CA0000-0x000001D367F55000-memory.dmp

Filesize
2.7MB

Download
memory/4576-246-0x000001D369700000-0x000001D369840000-memory.dmp

Filesize
1.2MB

Download
memory/4576-245-0x000001D369700000-0x000001D369840000-memory.dmp

Filesize
1.2MB

Download
memory/4576-244-0x00007FF70AF46890-mapping.dmp

Download
memory/4684-217-0x0000000000000000-mapping.dmp

Download
memory/4824-247-0x0000000000000000-mapping.dmp

Download
memory/4880-178-0x0000019A51F30000-0x0000019A52070000-memory.dmp

Filesize
1.2MB

Download
memory/4880-184-0x0000019A520B0000-0x0000019A52365000-memory.dmp

Filesize
2.7MB

Download
memory/4880-176-0x00007FF70AF46890-mapping.dmp

Download
memory/4880-177-0x0000019A51F30000-0x0000019A52070000-memory.dmp

Filesize
1.2MB

Download
memory/4880-179-0x0000000000C60000-0x0000000000F04000-memory.dmp

Filesize
2.6MB

Download
memory/4880-180-0x0000019A520B0000-0x0000019A52365000-memory.dmp

Filesize
2.7MB

Download
memory/5092-189-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-187-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-243-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-230-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-208-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-209-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-210-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-211-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-200-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-199-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-198-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-219-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-222-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-254-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-255-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-256-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-257-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-233-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-188-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-242-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-186-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-241-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-240-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-201-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-220-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-231-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-232-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-173-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-172-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-170-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-165-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-221-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-159-0x00000000046D0000-0x0000000005225000-memory.dmp

Filesize
11.3MB

Download
memory/5092-155-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-154-0x0000000005390000-0x00000000054D0000-memory.dmp

Filesize
1.2MB

Download
memory/5092-139-0x0000000000000000-mapping.dmp

Download
memory/5092-153-0x00000000046D0000-0x0000000005225000-memory.dmp

Filesize
11.3MB

Download
memory/5092-152-0x00000000046D0000-0x0000000005225000-memory.dmp

Filesize
11.3MB

Download
memory/5104-277-0x0000000000000000-mapping.dmp

Download