lumma | bd4a95599739c3ec1816aeb7ccd54e17a3516587af80884d9798a8efb20a46d6

Analysis

max time kernel
115s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Size

210KB
MD5

e9090853ebfa9e70a1e0fab65e348bd5
SHA1

eba6b6894ec013d8cc4ce791150de1be61ec9fe0
SHA256

308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb
SHA512

5afd7ca05af9c92c699b33bc4c7e5530cd8b44b5fdaf35b442981ae716b77c74ec0346a0ca452e796a2f2a73227ed6d60827f85368632b36a898b95c7c2a3f3c
SSDEEP

3072:CYXDd+LSr8Gyd5BsGBbzSUOjsw9YptAf6loqZuT8ti:CsWSRPcSUKYptccodT8

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/796-133-0x0000000002E30000-0x0000000002E39000-memory.dmp	family_smokeloader
behavioral2/memory/796-137-0x0000000002E30000-0x0000000002E39000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

46 3312 rundll32.exe
48 3312 rundll32.exe
62 3312 rundll32.exe
68 3312 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

3F7A.exe7502.exe

pid process

2704 3F7A.exe
1060 7502.exe

flow	pid	process
46	3312	rundll32.exe
48	3312	rundll32.exe
62	3312	rundll32.exe
68	3312	rundll32.exe

pid	process
2704	3F7A.exe
1060	7502.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Edit_R_Exp_RHP..dll耀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Edit_R_Exp_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3312 rundll32.exe
676 svchost.exe
1248 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3312	rundll32.exe
676	svchost.exe
1248	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3312 set thread context of 4080 3312 rundll32.exe rundll32.exe

description	pid	process	target process
PID 3312 set thread context of 4080	3312	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\init.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3752 2704 WerFault.exe 3F7A.exe
752 1060 WerFault.exe 7502.exe

pid	pid_target	process	target process
3752	2704	WerFault.exe	3F7A.exe
752	1060	WerFault.exe	7502.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe

pid	process
796	308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
796	308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

652
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe

pid process

796 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe

pid	process
652

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeDebugPrivilege	3312	rundll32.exe
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4080 rundll32.exe
652
652
652
652
3312 rundll32.exe
652
652
652
652
3312 rundll32.exe
3312 rundll32.exe
3312 rundll32.exe
3312 rundll32.exe
3312 rundll32.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

652

pid	process
4080	rundll32.exe
652
652
652
652
3312	rundll32.exe
652
652
652
652
3312	rundll32.exe
3312	rundll32.exe
3312	rundll32.exe
3312	rundll32.exe
3312	rundll32.exe

pid	process
652

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

3F7A.exesvchost.exerundll32.exe

description	pid	process	target process
PID 652 wrote to memory of 2704	652		3F7A.exe
PID 652 wrote to memory of 2704	652		3F7A.exe
PID 652 wrote to memory of 2704	652		3F7A.exe
PID 2704 wrote to memory of 3312	2704	3F7A.exe	rundll32.exe
PID 2704 wrote to memory of 3312	2704	3F7A.exe	rundll32.exe
PID 2704 wrote to memory of 3312	2704	3F7A.exe	rundll32.exe
PID 652 wrote to memory of 1060	652		7502.exe
PID 652 wrote to memory of 1060	652		7502.exe
PID 652 wrote to memory of 1060	652		7502.exe
PID 676 wrote to memory of 1248	676	svchost.exe	rundll32.exe
PID 676 wrote to memory of 1248	676	svchost.exe	rundll32.exe
PID 676 wrote to memory of 1248	676	svchost.exe	rundll32.exe
PID 3312 wrote to memory of 4080	3312	rundll32.exe	rundll32.exe
PID 3312 wrote to memory of 4080	3312	rundll32.exe	rundll32.exe
PID 3312 wrote to memory of 4080	3312	rundll32.exe	rundll32.exe
PID 3312 wrote to memory of 3432	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 3432	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 3432	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1372	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1372	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1372	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4680	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4680	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4680	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1560	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1560	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1560	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2392	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2392	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2392	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 5108	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 5108	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 5108	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 3824	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 3824	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 3824	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4000	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4000	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4000	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2364	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2364	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2364	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4256	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4256	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 4256	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2608	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2608	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 2608	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1840	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1840	3312	rundll32.exe	schtasks.exe
PID 3312 wrote to memory of 1840	3312	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
"C:\Users\Admin\AppData\Local\Temp\308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:796

C:\Users\Admin\AppData\Local\Temp\3F7A.exe
C:\Users\Admin\AppData\Local\Temp\3F7A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3312

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Suspicious use of FindShellTrayWindow
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3432

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1560

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5108

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3824

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4000

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2364

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4256

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1840

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4288

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2704

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2936

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4016

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4248

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 288
2⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2704 -ip 2704
1⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\7502.exe
C:\Users\Admin\AppData\Local\Temp\7502.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1360
2⤵
- Program crash
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1060 -ip 1060
1⤵
PID:4280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\edit_r_exp_rhp..dll",SiAqSE1OSQ==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll
Filesize
774KB

MD5
32614e6da6a653bbc160ba14ec81b7df

SHA1
8d6f97828a0b66fd7f2c964b62552673efe4567a

SHA256
620a0f7ae3423773ded2ac3b62203e446e65ddccda425937436a746952906284

SHA512
bf8b062a03fbc69542c29aa1e4da71eff3e78004c5e720153a0de7578e1ddee99ccd0dd2b46e48cfc1e753fbe36f9e4ab4f0817ba541b1fc249c6c6ea55390d2

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll
Filesize
774KB

MD5
32614e6da6a653bbc160ba14ec81b7df

SHA1
8d6f97828a0b66fd7f2c964b62552673efe4567a

SHA256
620a0f7ae3423773ded2ac3b62203e446e65ddccda425937436a746952906284

SHA512
bf8b062a03fbc69542c29aa1e4da71eff3e78004c5e720153a0de7578e1ddee99ccd0dd2b46e48cfc1e753fbe36f9e4ab4f0817ba541b1fc249c6c6ea55390d2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_9_1_10_58_57.etl
Filesize
256KB

MD5
14bf75c4c6eade0702d34bdc48a80e81

SHA1
b1e52e86dd4dbd86448fa94895bc48959c361892

SHA256
c2ea048057c3c9eb78ad8653a1731aac2dd848a2410842ef69c44874a9e2a8cd

SHA512
2c7c6a0abc5c59c0705be9c09cf28122ea93bc8557848fbea6e79ad0b078f92817c0bc81fc2e70dbc3c5ea2713edc777ece360f997d5da17b2873d3bc2dbc8e0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
27KB

MD5
539930de67b99bab23fe2c67000eeddb

SHA1
6b0e5ece46ecb0b019ec71caa44facf122647059

SHA256
2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c

SHA512
ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2016BackupWin32.xml
Filesize
12KB

MD5
ffbc41d3c63bccdca27c2c88ab0e85c4

SHA1
f3923962734058dc0b91515b2981d1eb33f8a8dd

SHA256
caf2eef3b42d36b4d6d4a24597557a7feada559e99abedb56287248286531dea

SHA512
9da5dd978c9faa7de1552117207fb694e97f895b054a457ffe0b9444251e7203774b142ee558317136dd8f240c12f7309b137eb930417c181c404f8318a3f8fa

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
3907e89709593c980f31293e7ae04e44

SHA1
d969bc2d647a2cd7af281024f4b068fca46e6975

SHA256
aca97127d5c34564c9ace879fd9e1341fa2bde9a6fac4e697370d449ff06f871

SHA512
1e586dd27fdecc8838682620f70ad21b50507ee11ec812c41394c80d47cd192215ab5eb385f21ca0399de5bdbc0d027a1e96ee388e4b7be06832d80cbc844e70

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\settings.ico
Filesize
66KB

MD5
4896c2ad8ca851419425b06ec0fd95f2

SHA1
7d52e9355998f1b4487f8ef2b1b3785dec35d981

SHA256
1160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3

SHA512
271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\wlidsvcconfig.xml
Filesize
12KB

MD5
f9f25c79e2df9c8c8209b5d052a557b0

SHA1
2d4a14e2df96245a599bacb530e396c2900a5b61

SHA256
385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5

SHA512
7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F7A.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F7A.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\7502.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7502.exe
Filesize
276KB

MD5
4c9333550914da09caa6121c2d5b0712

SHA1
e5487bf23307c6db60ba56b84815052a6f97a662

SHA256
5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc

SHA512
1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\edit_r_exp_rhp..dll
Filesize
774KB

MD5
32614e6da6a653bbc160ba14ec81b7df

SHA1
8d6f97828a0b66fd7f2c964b62552673efe4567a

SHA256
620a0f7ae3423773ded2ac3b62203e446e65ddccda425937436a746952906284

SHA512
bf8b062a03fbc69542c29aa1e4da71eff3e78004c5e720153a0de7578e1ddee99ccd0dd2b46e48cfc1e753fbe36f9e4ab4f0817ba541b1fc249c6c6ea55390d2

Download Submit
memory/676-186-0x0000000003EC0000-0x0000000004A15000-memory.dmp

Filesize
11.3MB

Download
memory/676-162-0x0000000003EC0000-0x0000000004A15000-memory.dmp

Filesize
11.3MB

Download
memory/676-163-0x0000000003EC0000-0x0000000004A15000-memory.dmp

Filesize
11.3MB

Download
memory/796-135-0x0000000002EC8000-0x0000000002ED9000-memory.dmp

Filesize
68KB

Download
memory/796-136-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/796-132-0x0000000002EC8000-0x0000000002ED9000-memory.dmp

Filesize
68KB

Download
memory/796-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/796-133-0x0000000002E30000-0x0000000002E39000-memory.dmp

Filesize
36KB

Download
memory/796-137-0x0000000002E30000-0x0000000002E39000-memory.dmp

Filesize
36KB

Download
memory/1060-151-0x00000000005A0000-0x00000000005CA000-memory.dmp

Filesize
168KB

Download
memory/1060-152-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1060-150-0x000000000060D000-0x0000000000627000-memory.dmp

Filesize
104KB

Download
memory/1060-155-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1060-147-0x0000000000000000-mapping.dmp

Download
memory/1248-169-0x0000000000000000-mapping.dmp

Download
memory/1248-177-0x00000000050B0000-0x0000000005C05000-memory.dmp

Filesize
11.3MB

Download
memory/1248-183-0x00000000050B0000-0x0000000005C05000-memory.dmp

Filesize
11.3MB

Download
memory/1248-171-0x00000000050B0000-0x0000000005C05000-memory.dmp

Filesize
11.3MB

Download
memory/1372-185-0x0000000000000000-mapping.dmp

Download
memory/1560-190-0x0000000000000000-mapping.dmp

Download
memory/1840-198-0x0000000000000000-mapping.dmp

Download
memory/1880-208-0x0000000000000000-mapping.dmp

Download
memory/2036-201-0x0000000000000000-mapping.dmp

Download
memory/2364-195-0x0000000000000000-mapping.dmp

Download
memory/2392-191-0x0000000000000000-mapping.dmp

Download
memory/2520-205-0x0000000000000000-mapping.dmp

Download
memory/2608-197-0x0000000000000000-mapping.dmp

Download
memory/2704-202-0x0000000000000000-mapping.dmp

Download
memory/2704-144-0x0000000002266000-0x000000000234F000-memory.dmp

Filesize
932KB

Download
memory/2704-145-0x0000000002350000-0x000000000247E000-memory.dmp

Filesize
1.2MB

Download
memory/2704-146-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2704-138-0x0000000000000000-mapping.dmp

Download
memory/2936-203-0x0000000000000000-mapping.dmp

Download
memory/3040-204-0x0000000000000000-mapping.dmp

Download
memory/3312-173-0x0000000005600000-0x0000000005740000-memory.dmp

Filesize
1.2MB

Download
memory/3312-156-0x0000000005600000-0x0000000005740000-memory.dmp

Filesize
1.2MB

Download
memory/3312-157-0x0000000005600000-0x0000000005740000-memory.dmp

Filesize
1.2MB

Download
memory/3312-161-0x00000000048D0000-0x0000000005425000-memory.dmp

Filesize
11.3MB

Download
memory/3312-180-0x000000000567F000-0x0000000005681000-memory.dmp

Filesize
8KB

Download
memory/3312-175-0x0000000005600000-0x0000000005740000-memory.dmp

Filesize
1.2MB

Download
memory/3312-187-0x000000000567F000-0x0000000005681000-memory.dmp

Filesize
8KB

Download
memory/3312-174-0x0000000005600000-0x0000000005740000-memory.dmp

Filesize
1.2MB

Download
memory/3312-154-0x00000000048D0000-0x0000000005425000-memory.dmp

Filesize
11.3MB

Download
memory/3312-153-0x00000000048D0000-0x0000000005425000-memory.dmp

Filesize
11.3MB

Download
memory/3312-141-0x0000000000000000-mapping.dmp

Download
memory/3312-172-0x0000000005600000-0x0000000005740000-memory.dmp

Filesize
1.2MB

Download
memory/3432-184-0x0000000000000000-mapping.dmp

Download
memory/3824-193-0x0000000000000000-mapping.dmp

Download
memory/4000-194-0x0000000000000000-mapping.dmp

Download
memory/4016-206-0x0000000000000000-mapping.dmp

Download
memory/4080-188-0x00000235877C0000-0x0000023587A75000-memory.dmp

Filesize
2.7MB

Download
memory/4080-176-0x00007FF621C56890-mapping.dmp

Download
memory/4080-178-0x0000023589220000-0x0000023589360000-memory.dmp

Filesize
1.2MB

Download
memory/4080-181-0x00000000004D0000-0x0000000000774000-memory.dmp

Filesize
2.6MB

Download
memory/4080-179-0x0000023589220000-0x0000023589360000-memory.dmp

Filesize
1.2MB

Download
memory/4080-182-0x00000235877C0000-0x0000023587A75000-memory.dmp

Filesize
2.7MB

Download
memory/4248-207-0x0000000000000000-mapping.dmp

Download
memory/4256-196-0x0000000000000000-mapping.dmp

Download
memory/4288-200-0x0000000000000000-mapping.dmp

Download
memory/4680-189-0x0000000000000000-mapping.dmp

Download
memory/4992-199-0x0000000000000000-mapping.dmp

Download
memory/5108-192-0x0000000000000000-mapping.dmp

Download