Analysis
max time kernel: 84s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 21:40

Static task: static1
Behavioral task: behavioral1
Sample: 27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe
Resource: win10v2004-20230220-en

General
Target: 27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe
Size: 4.8MB
MD5: 6d7cf4d53df7fe8d601362305e67b2a3
SHA1: 54868a950d0d9aa5ebfd615e476608b69f3562f4
SHA256: 27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2
SHA512: 4658a9a986f440ee64527d45c09e39509418f2243608e04135e0a7a3a5bf205017cf30fe2a28415ad46d48cffb46cee4693882aa70f41680cf2f4280dc42eb1f
SSDEEP: 98304:KDbq/2B/zpkCX8VXWFNcwZlP8YEA0h0lZCr7IcOyXw5yVnRVMNKGf8J:yNBpcVoZBDEA0hYCrUDUuKG

Malware Config

Signatures
- Blocklisted process makes network request 4 IoCs
  Processes:
  flow | pid | process
  17 | 5052 | rundll32.exe
  40 | 5052 | rundll32.exe
  76 | 5052 | rundll32.exe
  95 | 5052 | rundll32.exe
- Sets DLL path for service in the registry 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Search\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\Search.dll" | rundll32.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Search\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
- Loads dropped DLL 4 IoCs
  Processes:
  pid | process
  5052 | rundll32.exe
  5052 | rundll32.exe
  4244 | svchost.exe
  4244 | svchost.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
- Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext 2 IoCs
  Processes:
  description | pid | process | target process
  PID 5052 set thread context of 1708 | 5052 | rundll32.exe | rundll32.exe
  PID 5052 set thread context of 2052 | 5052 | rundll32.exe | rundll32.exe
- Drops file in Program Files directory 45 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bl.gif | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Search.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\icucnv40.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\2d.x3d | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Words.pdf | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\forms_distributed.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cryptocme.dll | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AddressBook.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ended_review_or_form.gif | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Comments.aapp | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\warning.gif | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\end_review.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\review_email.gif | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\forms_super.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\license.html | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\rename.svg | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\weblink.api | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\arh.exe | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AXSLE.dll | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\main-cef-mac.css | rundll32.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\duplicate.svg | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | rundll32.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash 2 IoCs
  Processes:
  pid | pid_target | process | target process
  1656 | 4896 | WerFault.exe | 27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe
  2204 | 4244 | WerFault.exe | svchost.exe
- Checks processor information in registry 2 TTPs 48 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | svchost.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Modifies registry class 14 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
- Suspicious behavior: EnumeratesProcesses 18 IoCs
  Processes:
  pid | process
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 5052 | rundll32.exe
- Suspicious use of FindShellTrayWindow 6 IoCs
  Processes:
  pid | process
  1708 | rundll32.exe
  5052 | rundll32.exe
  2052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
  5052 | rundll32.exe
- Suspicious use of WriteProcessMemory 33 IoCs
  Processes:
  description | pid | process | target process
  PID 4896 wrote to memory of 5052 | 4896 | 27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe | rundll32.exe
  PID 4896 wrote to memory of 5052 | 4896 | 27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe | rundll32.exe
  PID 4896 wrote to memory of 5052 | 4896 | 27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe | rundll32.exe
  PID 5052 wrote to memory of 1708 | 5052 | rundll32.exe | rundll32.exe
  PID 5052 wrote to memory of 1708 | 5052 | rundll32.exe | rundll32.exe
  PID 5052 wrote to memory of 1708 | 5052 | rundll32.exe | rundll32.exe
  PID 5052 wrote to memory of 3500 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 3500 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 3500 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4332 | 5052 | rundll32.exe | Conhost.exe
  PID 5052 wrote to memory of 4332 | 5052 | rundll32.exe | Conhost.exe
  PID 5052 wrote to memory of 4332 | 5052 | rundll32.exe | Conhost.exe
  PID 5052 wrote to memory of 2052 | 5052 | rundll32.exe | rundll32.exe
  PID 5052 wrote to memory of 2052 | 5052 | rundll32.exe | rundll32.exe
  PID 5052 wrote to memory of 2052 | 5052 | rundll32.exe | rundll32.exe
  PID 5052 wrote to memory of 2648 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 2648 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 2648 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 2140 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 2140 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 2140 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4344 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4344 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4344 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 404 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 404 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 404 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4736 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4736 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4736 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4988 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4988 | 5052 | rundll32.exe | schtasks.exe
  PID 5052 wrote to memory of 4988 | 5052 | rundll32.exe | schtasks.exe
- outlook_office_path 1 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
- outlook_win_path 1 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll,start
    Signatures:
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Child processes:
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
      Signatures:
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
      Signatures:
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      Child processes:
      - C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 512
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4896 -ip 4896
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  Signatures:
  - Loads dropped DLL
  - Checks processor information in registry
  Child processes:
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 940
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4244 -ip 4244
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Search.dll
  Filesize: 5.3MB
  MD5: 258487b25bf2885ae299cdef8a2a3055
  SHA1: 513da32eaf287fc2d653da9a6d54031c7f34f753
  SHA256: f9182052a3d0737e758974f182efa5a1de69a8aec2dbfa7e27db93ba7c85bca4
  SHA512: 615f4e8c768913bd277b63a062e4d70ac4975e59773314d63a38011f0960fea40b5b8186432d1488666bedca66f494c6c99235bb90ddd2c4cc88e8d9c0fdfc7c
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch
  Filesize: 262B
  MD5: 0c19329f1a0959d6e069dd77dc32e7fc
  SHA1: 8216c5d18000ff6c11f0b562a85d650b3e07da7c
  SHA256: ca469f2580e20b3d1077355a1e0e673be724ac15ab15e859b7bc3bcf60854120
  SHA512: fbbe1626c32f7b77c77fa1e0e5f0c22562d3bdc15a4290cf300625efa782c31d9ac461ea2b6552dbc42f16137bfc226d98ee2f002a353245eae6afca873e912d
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\C2RManifest.Proof.Culture.msi.16.es-es.xml
  Filesize: 23KB
  MD5: 156b3ab70b2cce134d493104d047e6fa
  SHA1: 9907a741812bef8c5b55d0e73c9ac5c0d973c4be
  SHA256: 5fba15e64d0ff7075951a8e6bf758d81d4c14fa98e6b8604d5bbc43317da8c01
  SHA512: f3b2157c6aaf1b9e450872057fd5ddaad36bd30be98a48c28c0617c7a638a378dc38cbdbfb9f4b66858b32dfa3e79d577f99fd488b73b6000d1d8887640e7cbd
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
  Filesize: 2KB
  MD5: 1f8001c5a3ab09524c8185d2657e471c
  SHA1: 2297cd6ba695d3fa72f2a70a7db95f2e241116ab
  SHA256: c8c2ac11232a448dd5d78c34752f56b8f5b8e18fe79b3176fdd88759d5b703d5
  SHA512: d038b9b97a96b267684ba1a7d2458ddf63d3fd3ea8c58a213b5085196da9c7001fe1dbadfc75d2364befc09c9618c133b331ed487fcb043b6a923f3951be0b37
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
  Filesize: 13KB
  MD5: c7405e2e68aec89e44862595ccc0d186
  SHA1: 2cc8d73f93dd875134917795633bb606911f1069
  SHA256: 9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37
  SHA512: 0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
  Filesize: 820B
  MD5: a8664f5906d9060a0a87bc01e35179bb
  SHA1: 1bbbc9f10431d2941805907a8a6d4009f4e2938c
  SHA256: a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309
  SHA512: 389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Urpdpfsaas.tmp
  Filesize: 3.5MB
  MD5: cd35e466184e88cb3795834fb35572f9
  SHA1: 53fab0a36760e9309f7c3f6b2d5b9a7d31e459c3
  SHA256: fa7a760a69b543e6adeaf5c5f189b72200a1d4a7db58258053c7ba8aa9c9e70d
  SHA512: 7336fa2550ee32179052a91c72b1899912edb1237e377463bb457dcc5248b5c50ed7f685e1744d72e7c33f3816af157ab7c2224bcdfa3fa21c32cd808fddf413
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\background.png
  Filesize: 126KB
  MD5: 9adaf3a844ce0ce36bfed07fa2d7ef66
  SHA1: 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0
  SHA256: d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
  SHA512: e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5
- C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\resource.xml
  Filesize: 1KB
  MD5: 66963736ebb1e54dc596701206eaed3f
  SHA1: 18bc8dfc779d407398af193f3d265ff93f253bc2
  SHA256: fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b
  SHA512: 96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598
- C:\Users\Admin\AppData\Local\Temp\Aytswiyaeftpe
  Filesize: 46KB
  MD5: b13fcb3223116f6eec60be9143cae98b
  SHA1: 9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88
  SHA256: 961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b
  SHA512: 89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d
- C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
  Filesize: 5.3MB
  MD5: 2ce492ba05cf3da559b66af7d253548d
  SHA1: 02cb0be04cb0a7a6e61d5781c7fbd1d26adeadfc
  SHA256: c33c9a667f7168e88511a06a2cbccda9f8aff9fd6c72849fefcfd1c5c033492e
  SHA512: 0a6af6423feaaff6bfecc0395d284b3991bd494693243abd48802a6b3ea978c55cd782939b7ed2768019c9bb8af7a12a69b75766c73846aafd9e16e11043ddd3
- C:\Users\Admin\AppData\Local\Temp\Eafqwqoiwqqswuf
  Filesize: 112KB
  MD5: 780853cddeaee8de70f28a4b255a600b
  SHA1: ad7a5da33f7ad12946153c497e990720b09005ed
  SHA256: 1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
  SHA512: e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8
- C:\Users\Admin\AppData\Local\Temp\Efduroudsheuydo.tmp
  Filesize: 3.5MB
  MD5: cd35e466184e88cb3795834fb35572f9
  SHA1: 53fab0a36760e9309f7c3f6b2d5b9a7d31e459c3
  SHA256: fa7a760a69b543e6adeaf5c5f189b72200a1d4a7db58258053c7ba8aa9c9e70d
  SHA512: 7336fa2550ee32179052a91c72b1899912edb1237e377463bb457dcc5248b5c50ed7f685e1744d72e7c33f3816af157ab7c2224bcdfa3fa21c32cd808fddf413
- C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
  Filesize: 25KB
  MD5: 5ff530a14c6d0151cfeeb22de29da349
  SHA1: b51d60488ddf57ca3a256b699373a4044f3d10d4
  SHA256: e18fe90d31699cba0949191fb15b2ec7e287a9ab2a98c31bb6d01b0161e0fb13
  SHA512: f0cf7096a12ea63d3fc4d69508448ace84a98957fc4a9177ddf31d36e74c4c611156d3cfa13ba91299081dc4f2b3113d5ffbf95db28913218794d6904313ab40
- C:\Users\Admin\AppData\Local\Temp\Oieahedqsruu
  Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
- C:\Users\Admin\AppData\Local\Temp\ROBKQPFG-20230220-1902.log
  Filesize: 56KB
  MD5: a828223d1f16939ea173da749f4d20ac
  SHA1: 33d797ed5621fb647ec867b5ead7e725ecd31df3
  SHA256: 46447d3548b290d7ec8d3efff84a195ce9f85e31be90eefa93ca057ce9651a8e
  SHA512: c289a113015d7bb786cf6edb9c6aa7eee81b8512ae6c82d363fe2cc1e631eef626d7cc36d0115817b7c547c8c469faaa960c7253c543a6703ec2b049e8dec069
- C:\Users\Admin\AppData\Local\Temp\Redeeyihtedepoh
  Filesize: 96KB
  MD5: 0bd7048b89df665f465414c2d18b5654
  SHA1: 5fc660a8ccd406062db0edad7f7661372a120a21
  SHA256: 40c6dc144615020bc6f4023a59ff4c2ab21ae00d27e1a37835bd1db1cd1d91c2
  SHA512: 99a5a53b00c1a00fcd0e58cc0a214aebcdba4933bf4c4edf0dd4e31517b48e6708c65a3943c837e8a728acca94329720f293ae4f792ce090ce4a7f724f2ddc32
- C:\Users\Admin\AppData\Local\Temp\aria-debug-4028.log
  Filesize: 470B
  MD5: b59c7586d27af51f3b9ff591fbe1674e
  SHA1: 1f315af1d63ff9ed82f42f466e80ca15b7884b10
  SHA256: f51ac064bc24fea5d00bfc97ffe17cbccce9f361d63595393cf27548be06c365
  SHA512: d7aec6abc6a62981301222426b045f3a6b116f0029361291aca9aa6fde20cf7208ca046db4e024b5a5d5676bb1455679cb93f2efa3cde7dc3596f258cd34e56e
- C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
  Filesize: 6KB
  MD5: a29e15d1244006e6bae4e6685b5c0f78
  SHA1: 0b5b63e8ecbe65b640c4a630f050fa4dc8275947
  SHA256: 62c92a84de3fcc725d5914e763c5b2568a466eed21c72bc3858803ed27eabbc8
  SHA512: 83b3bc53c3cb951ba7bdb54dea1ce639cf08d2e0ce562e1f64d117dc314c675239083f54889efa9a584a0954d0e425bc14f2c0232c848db61054390f71e14b50
- C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
  Filesize: 1KB
  MD5: 59013fd9bf0cf779fa53e2bcb2176af3
  SHA1: 2a01e4e77b651ada4943179df629f88e70ac807f
  SHA256: fa4db33fe626aada7c0aa9230b27d2d345ab656f5b96bb3cda58ab74f3d5bfd1
  SHA512: 38ad2154c8033f546f7ca5e2adc81af8232c2b4cde794e410be48b6c599ab71bafbf70584f13957e02189b3670cd049813f8dd651b9844156eb346a96a2c6904
- C:\Users\Admin\AppData\Local\Temp\wct2A5D.tmp
  Filesize: 63KB
  MD5: e516a60bc980095e8d156b1a99ab5eee
  SHA1: 238e243ffc12d4e012fd020c9822703109b987f6
  SHA256: 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
  SHA512: 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
- C:\Users\Admin\AppData\Local\Temp\wmsetup.log
  Filesize: 697B
  MD5: e5cca803cf51902eb907a5546cd500d0
  SHA1: 74d4e3d8df223b8ac1a2fc52bb0a03a80bf606fb
  SHA256: 5e190c91bdb1270bc0f5616165ef033a8cc7c1df134607106129e964354224e0
  SHA512: ef396788663e1ea59d11d05e64bbfac07838c2ce6c3460edb9f3887f8e8497580a01873994c70d1769afafc81fc9de1ba2c2e81527a9ffcc2509dbb7ff9a2a06
-
\??\c:\program files (x86)\windows sidebar\shared gadgets\search.dllFilesize
5.3MB
MD5258487b25bf2885ae299cdef8a2a3055
SHA1513da32eaf287fc2d653da9a6d54031c7f34f753
SHA256f9182052a3d0737e758974f182efa5a1de69a8aec2dbfa7e27db93ba7c85bca4
SHA512615f4e8c768913bd277b63a062e4d70ac4975e59773314d63a38011f0960fea40b5b8186432d1488666bedca66f494c6c99235bb90ddd2c4cc88e8d9c0fdfc7c
-
memory/1708-380-0x000001B91B770000-0x000001B91BA12000-memory.dmpFilesize
2.6MB
-
memory/1708-364-0x000001B91D1C0000-0x000001B91D300000-memory.dmpFilesize
1.2MB
-
memory/1708-377-0x000001B91B770000-0x000001B91BA12000-memory.dmpFilesize
2.6MB
-
memory/1708-366-0x00000000003F0000-0x0000000000681000-memory.dmpFilesize
2.6MB
-
memory/1708-362-0x00007FFDC86F0000-0x00007FFDC86F1000-memory.dmpFilesize
4KB
-
memory/1708-363-0x000001B91D1C0000-0x000001B91D300000-memory.dmpFilesize
1.2MB
-
memory/1708-365-0x000001B91B770000-0x000001B91BA12000-memory.dmpFilesize
2.6MB
-
memory/2052-418-0x000001E24C200000-0x000001E24C4A2000-memory.dmpFilesize
2.6MB
-
memory/4244-333-0x0000000002450000-0x0000000002F96000-memory.dmpFilesize
11.3MB
-
memory/4244-353-0x0000000003310000-0x0000000003E56000-memory.dmpFilesize
11.3MB
-
memory/4244-334-0x00000000032E0000-0x00000000032E1000-memory.dmpFilesize
4KB
-
memory/4244-335-0x0000000002450000-0x0000000002F96000-memory.dmpFilesize
11.3MB
-
memory/4244-379-0x0000000001800000-0x0000000001D64000-memory.dmpFilesize
5.4MB
-
memory/4244-336-0x0000000003300000-0x0000000003301000-memory.dmpFilesize
4KB
-
memory/4244-315-0x0000000001800000-0x0000000001D64000-memory.dmpFilesize
5.4MB
-
memory/4244-316-0x0000000002300000-0x0000000002301000-memory.dmpFilesize
4KB
-
memory/4896-134-0x0000000002EC0000-0x0000000003566000-memory.dmpFilesize
6.6MB
-
memory/4896-144-0x0000000002EC0000-0x0000000003566000-memory.dmpFilesize
6.6MB
-
memory/4896-143-0x0000000000400000-0x0000000000B97000-memory.dmpFilesize
7.6MB
-
memory/4896-140-0x0000000002910000-0x0000000002911000-memory.dmpFilesize
4KB
-
memory/5052-222-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-239-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5052-238-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5052-237-0x0000000002F60000-0x0000000002F61000-memory.dmpFilesize
4KB
-
memory/5052-236-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-235-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-234-0x0000000002340000-0x00000000028A4000-memory.dmpFilesize
5.4MB
-
memory/5052-233-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-232-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-231-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-230-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-228-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-227-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-344-0x0000000002340000-0x00000000028A4000-memory.dmpFilesize
5.4MB
-
memory/5052-350-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-352-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-354-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5052-225-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-355-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-357-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5052-358-0x0000000002FA0000-0x0000000002FA1000-memory.dmpFilesize
4KB
-
memory/5052-359-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5052-360-0x00000000041D0000-0x0000000004310000-memory.dmpFilesize
1.2MB
-
memory/5052-361-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-224-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-223-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-203-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-202-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-201-0x0000000004320000-0x0000000004321000-memory.dmpFilesize
4KB
-
memory/5052-200-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-199-0x0000000002340000-0x00000000028A4000-memory.dmpFilesize
5.4MB
-
memory/5052-146-0x0000000002340000-0x00000000028A4000-memory.dmpFilesize
5.4MB
-
memory/5052-382-0x0000000002340000-0x00000000028A4000-memory.dmpFilesize
5.4MB
-
memory/5052-383-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-385-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-386-0x0000000004C60000-0x0000000004DA0000-memory.dmpFilesize
1.2MB
-
memory/5052-389-0x0000000004C60000-0x0000000004DA0000-memory.dmpFilesize
1.2MB
-
memory/5052-388-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-387-0x00000000035C0000-0x0000000004106000-memory.dmpFilesize
11.3MB
-
memory/5052-145-0x0000000002340000-0x00000000028A4000-memory.dmpFilesize
5.4MB
-
memory/5052-142-0x0000000002D90000-0x0000000002D91000-memory.dmpFilesize
4KB
-
memory/5052-141-0x0000000002A20000-0x0000000002A21000-memory.dmpFilesize
4KB
-
memory/5052-139-0x0000000002340000-0x00000000028A4000-memory.dmpFilesize
5.4MB