174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28/12/2022, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82.exe
Size

1021KB
MD5

e073b490d67a1788b4ec971c6482a988
SHA1

a4f08f6b0a953ce04b9dda6d53e69a50e662284d
SHA256

174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82
SHA512

94874e7e59686bad5fe7480c302645714288a283db9e8702c70fbc3ff2b02ada9bad2bce8eb9280b0646a6fff82ff1ea73af9446f68cf91705b3e96b3c41e405
SSDEEP

12288:zwY0LpXQR7lMHinDAtfSlnYczC45gQeM8mnicPjMjY1eORJsCVYp9IvqU7aJFZ14:SLKRpFDISRN5beyJ3qp94qOsFZ09

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	4696	rundll32.exe
2	4696	rundll32.exe
11	4696	rundll32.exe
14	4696	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cryptocme\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\Temp\\cryptocme.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cryptocme\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4696	rundll32.exe
4852	svchost.exe
4472	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4696 set thread context of 4872	4696	rundll32.exe	68

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ccme_base_non_fips.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\manifest.json	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\LICENSE.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\cryptocme.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009c55c536100054656d7000003a0009000400efbe0c554b889c55c5362e000000000000000000000000000000000000000000000000007aeb0d01540065006d007000000014000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\628A34F4BB3FCDECE557FF5F809E462E2CFB3731	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\628A34F4BB3FCDECE557FF5F809E462E2CFB3731\Blob = 030000000100000014000000628a34f4bb3fcdece557ff5f809e462e2cfb373120000000010000003f0200003082023b308201a4a003020102020847f6ebc1659b5eb3300d06092a864886f70d01010b050030433121301f06035504030c184d6963726f736f667420526f6f7420417574696f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e301e170d3230313232383036353631315a170d3234313232373036353631315a30433121301f06035504030c184d6963726f736f667420526f6f7420417574696f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e30819f300d06092a864886f70d010101050003818d0030818902818100cb23f74ab23625e0456de2a89be4ad6c0f18fefa0d6a084784616ffd996d5caf62a5015a2d8a7e7d72112c00c409022df00ac901fb234785f032b85a168445f9f9d9898b6542c3e77d7f91a2a3bad7d6093367fd3372d755193a4c6cf9f0b226f3a9727d80f3991c99b7db943815d30ffba5f13350daa6d02e951a57d4e6c1670203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a82184d6963726f736f667420526f6f7420417574696f72697479300d06092a864886f70d01010b050003818100ad4af6b54527864f74430e2a7140e7dcba4fc8549abc3f2b135c0d48b3eaeede8be3988572d3e80854aa9fac78767d9fc7a54f6a6f8b43e034d5e113bd43cd7a7357f063231df319943167863baca8e5f06320988f2afe2849cae11f5cb740b8e1d41902ed8fe6bd1da0224c80c4fbf6b26ede30739e55900e2759f7ed5fbfe5	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4852	svchost.exe
4852	svchost.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	rundll32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4872	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4696	2712	174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82.exe	67
PID 2712 wrote to memory of 4696	2712	174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82.exe	67
PID 2712 wrote to memory of 4696	2712	174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82.exe	67
PID 4696 wrote to memory of 4872	4696	rundll32.exe	68
PID 4696 wrote to memory of 4872	4696	rundll32.exe	68
PID 4696 wrote to memory of 4872	4696	rundll32.exe	68
PID 4696 wrote to memory of 4480	4696	rundll32.exe	71
PID 4696 wrote to memory of 4480	4696	rundll32.exe	71
PID 4696 wrote to memory of 4480	4696	rundll32.exe	71
PID 4696 wrote to memory of 4556	4696	rundll32.exe	73
PID 4696 wrote to memory of 4556	4696	rundll32.exe	73
PID 4696 wrote to memory of 4556	4696	rundll32.exe	73
PID 4696 wrote to memory of 3292	4696	rundll32.exe	76
PID 4696 wrote to memory of 3292	4696	rundll32.exe	76
PID 4696 wrote to memory of 3292	4696	rundll32.exe	76
PID 4696 wrote to memory of 1724	4696	rundll32.exe	79
PID 4696 wrote to memory of 1724	4696	rundll32.exe	79
PID 4696 wrote to memory of 1724	4696	rundll32.exe	79
PID 4852 wrote to memory of 4472	4852	svchost.exe	81
PID 4852 wrote to memory of 4472	4852	svchost.exe	81
PID 4852 wrote to memory of 4472	4852	svchost.exe	81
PID 4696 wrote to memory of 4900	4696	rundll32.exe	82
PID 4696 wrote to memory of 4900	4696	rundll32.exe	82
PID 4696 wrote to memory of 4900	4696	rundll32.exe	82
PID 4696 wrote to memory of 3616	4696	rundll32.exe	84
PID 4696 wrote to memory of 3616	4696	rundll32.exe	84
PID 4696 wrote to memory of 3616	4696	rundll32.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82.exe
"C:\Users\Admin\AppData\Local\Temp\174b5203c86120a117a0686c1ed754f0919c04c1e61b776abe5d3486cbc27b82.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4696
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14002
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\cryptocme.dll",Z0odTTFFNw==
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\120__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml

Filesize
704B

MD5
4a0b3d1da2f40dac62ca663af5509136

SHA1
bc6c403efae8d56f56cdc670f207f7de1c58fa57

SHA256
c55473046557eb904780d27044462c0c31b1d189aafa15bc2fc90e3f3afc2ed4

SHA512
bd5becb34953d49b29c3076f4a9a05f66a65200d31a7068e092569349aa35d76bb27207ed0e2fb0806622b4b69d1fb0f8cffeb4eb4fa0a130444fbd6ff40e7cc

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\128__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml

Filesize
701B

MD5
acc1cdd85db5e94b98bdbf55e2df877a

SHA1
cbd2b8777c65dbc039f5048024bac42e29e8202c

SHA256
3388bb0959f8f8c1c9d1ce2a9a4a8f7a762c6546c7141cc24e558dafd9205f33

SHA512
cb304a8bec037e9061ec6623af02e4ba701fa035c54a75bde608c3b9f0e61b5cde1931d26cf4ce8a4e88593c4d67c9259e713dff1b74bacde49045fcc4bf5ae0

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\132__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml

Filesize
660B

MD5
31c75abebce693d705e2ab0eece289ef

SHA1
3f34ad274c9fa5572b2d8081899ff0d2bfe732e4

SHA256
7fe830f36b49ca4d26a6253e08d2fc53c477fad0c396b7f179df4beacce1f243

SHA512
d830ec13c8b0a32538fb94587a6ee6ed8aeb78f3d2b3e1dc09f6fbdda029080ff896478e531f51c627fa2df0f3ffc006f97e4e524603f01dc697fa63286f230e

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
0b3edd8152fa94651ff17f3f2918e70f

SHA1
88245e5200570d142ed0de676610a6d191f9f302

SHA256
1890628536ecc9596f136b68c55ee1b2063420ccc4f518986cb66ed2293a44eb

SHA512
f0215f87b635e1090ba3f1dcff0b27c645e5d44b8c042cc2ba1b24e4a01ba212c9590c46a0faed54bbcc82cc3929f3b009ed8978704d8415868846f05c0e7c3c

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\MasterDatastore.xml

Filesize
271B

MD5
d6650e3886f3c95fb42d4f0762b04173

SHA1
1da4b8bb6bb45d576616ad843cf6e4c2e9d4784b

SHA256
9101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9

SHA512
1f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\folder.ico

Filesize
52KB

MD5
bbf9dbdc079c0cd95f78d728aa3912d4

SHA1
051f76cc8c6520768bac9559bb329abeebd70d7c

SHA256
bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2

SHA512
af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\cryptocme.dll

Filesize
792KB

MD5
9367d0f706f53570b69c4dbb3a42a430

SHA1
53d15b8d8c8b5807e254805b466ae220ff2c8406

SHA256
f56a8a446d067687d01a84ecfc5d142c9596cbf424c75a914c9bde10f053cd61

SHA512
dac804b40ae5120df27575cab4751b43dfc38e165313bb5e8fd618846243946323c121e675b0019609ea00d7086652796c731602733450f24b91f74d4dd30397

Download Submit
\Program Files (x86)\Google\Temp\cryptocme.dll

Filesize
792KB

MD5
9367d0f706f53570b69c4dbb3a42a430

SHA1
53d15b8d8c8b5807e254805b466ae220ff2c8406

SHA256
f56a8a446d067687d01a84ecfc5d142c9596cbf424c75a914c9bde10f053cd61

SHA512
dac804b40ae5120df27575cab4751b43dfc38e165313bb5e8fd618846243946323c121e675b0019609ea00d7086652796c731602733450f24b91f74d4dd30397

Download Submit
\Program Files (x86)\Google\Temp\cryptocme.dll

Filesize
792KB

MD5
9367d0f706f53570b69c4dbb3a42a430

SHA1
53d15b8d8c8b5807e254805b466ae220ff2c8406

SHA256
f56a8a446d067687d01a84ecfc5d142c9596cbf424c75a914c9bde10f053cd61

SHA512
dac804b40ae5120df27575cab4751b43dfc38e165313bb5e8fd618846243946323c121e675b0019609ea00d7086652796c731602733450f24b91f74d4dd30397

Download Submit
\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
memory/2712-152-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-157-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-133-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-134-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-135-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-136-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-138-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-145-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-151-0x0000000002330000-0x0000000002411000-memory.dmp

Filesize
900KB

Download
memory/2712-131-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-154-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2712-155-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-156-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2712-132-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-162-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-163-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-120-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-121-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-122-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-119-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-130-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-167-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2712-123-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-129-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-128-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-127-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-126-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-125-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2712-124-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-536-0x0000000006DF0000-0x000000000794D000-memory.dmp

Filesize
11.4MB

Download
memory/4472-553-0x0000000006DF0000-0x000000000794D000-memory.dmp

Filesize
11.4MB

Download
memory/4696-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-186-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-187-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-188-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-265-0x0000000006620000-0x000000000717D000-memory.dmp

Filesize
11.4MB

Download
memory/4696-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-182-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-344-0x0000000006620000-0x000000000717D000-memory.dmp

Filesize
11.4MB

Download
memory/4696-180-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-179-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-177-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-184-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4852-478-0x00000000064F0000-0x000000000704D000-memory.dmp

Filesize
11.4MB

Download
memory/4852-572-0x00000000064F0000-0x000000000704D000-memory.dmp

Filesize
11.4MB

Download
memory/4872-287-0x0000021B56300000-0x0000021B565AE000-memory.dmp

Filesize
2.7MB

Download
memory/4872-286-0x0000000000E70000-0x000000000110C000-memory.dmp

Filesize
2.6MB

Download