danabot | 6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3

Analysis

max time kernel
149s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-12-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3.exe
Size

1006KB
MD5

09ab2a3073c44472b97fc3ec002ea7c2
SHA1

29b4b86b5eeb1358ace14fc65d675fa6949bf71d
SHA256

6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3
SHA512

fec42d8c395c55bae94fb9147b47adc4794c938df01f43058595a4513b0a3885f20f01e6b3ab354de86b81c32c2a55388d7fb70fec6abada440ef969683e2f60
SSDEEP

24576:J2IB3hDMDd/lDA25k052TG1Ni9PWiLp5MYbXF:JtB3hDcZlDhfQG1EJTLX

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

1 2144 rundll32.exe
2 2144 rundll32.exe
11 2144 rundll32.exe
13 2144 rundll32.exe

flow	pid	process
1	2144	rundll32.exe
2	2144	rundll32.exe
11	2144	rundll32.exe
13	2144	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft.VCLibs.x86.14.00.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.VCLibs.x86.14.00..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft.VCLibs.x86.14.00.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2144 rundll32.exe
4628 svchost.exe
1640 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2144	rundll32.exe
4628	svchost.exe
1640	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2144 set thread context of 5096 2144 rundll32.exe rundll32.exe

description	pid	process	target process
PID 2144 set thread context of 5096	2144	rundll32.exe	rundll32.exe

Drops file in Program Files directory 39 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\br.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_highcontrast.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.VCLibs.x86.14.00..dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tl.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093555401100054656d7000003a0009000400efbe0c554b88935554012e000000000000000000000000000000000000000000000000004a039d00540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B0706D7D2FB7FF58E1D6951FAB893DE0471132C2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B0706D7D2FB7FF58E1D6951FAB893DE0471132C2\Blob = 030000000100000014000000b0706d7d2fb7ff58e1d6951fab893de0471132c220000000010000006e0200003082026a308201d3a00302010202086223b4526598a868300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f7265204379616572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230313231393030313233325a170d3234313231383030313233325a305a3122302006035504030c1942616c74696d6f7265204379616572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100c82337846362db89bc5e213cdca248e2e29e774bcc129be665034b1aa57382a28e37e7ad6635805816bbbe35e12addad835c6815509424ec005f4dfee4fa6668fc7e07898e0e72995a91a17dc0c688473ca1a565d88b562fb607cc5c9c9ae8bc779e7e15e8b39ff5badb86ac33caf5b3e82433a4d296dafe15b7cbaf9f9beee50203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f7265204379616572547275737420526f6f74300d06092a864886f70d01010b050003818100937f89bcd007a75581eb4e87bcbeb4deed2838fe4b82252116738e0cb486233b92db0f0ba4d1ad01118716ba98e8aa8618336b0764b05271c87a8df708ea0e4cb1067edd612f5573b3f2d066a7c53ceb2a01144ed16ac4701e1c5ba7e658b734695b3996f55138ebba53e35e38300a4c46ee92228ba44dc446e58f3d9c313846	rundll32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

svchost.exerundll32.exe

pid	process
4628	svchost.exe
4628	svchost.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe
4628	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2144 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

5096 rundll32.exe
2144 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2144	rundll32.exe

pid	process
5096	rundll32.exe
2144	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2788 wrote to memory of 2144	2788	6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3.exe	rundll32.exe
PID 2788 wrote to memory of 2144	2788	6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3.exe	rundll32.exe
PID 2788 wrote to memory of 2144	2788	6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3.exe	rundll32.exe
PID 2144 wrote to memory of 5096	2144	rundll32.exe	rundll32.exe
PID 2144 wrote to memory of 5096	2144	rundll32.exe	rundll32.exe
PID 2144 wrote to memory of 5096	2144	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 1640	4628	svchost.exe	rundll32.exe
PID 4628 wrote to memory of 1640	4628	svchost.exe	rundll32.exe
PID 4628 wrote to memory of 1640	4628	svchost.exe	rundll32.exe
PID 2144 wrote to memory of 3004	2144	rundll32.exe	schtasks.exe
PID 2144 wrote to memory of 3004	2144	rundll32.exe	schtasks.exe
PID 2144 wrote to memory of 3004	2144	rundll32.exe	schtasks.exe
PID 2144 wrote to memory of 3284	2144	rundll32.exe	schtasks.exe
PID 2144 wrote to memory of 3284	2144	rundll32.exe	schtasks.exe
PID 2144 wrote to memory of 3284	2144	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3.exe
"C:\Users\Admin\AppData\Local\Temp\6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23955
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3004

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\microsoft.vclibs.x86.14.00..dll",MRoXV1poVQ==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml
Filesize
724B

MD5
e35e989f15346f85053036033098e528

SHA1
77a25f7bac700d0bec6a5275eaa67fdbc42b6ec2

SHA256
2451da54b6198123bd32ab3a6eb62b183b43dee419dc3f7fb755a99dab07b538

SHA512
a3f804f0c721655aba7b5a4770e921bcfe05bc3b85507a66be14337611386584c823f4c1c500bf3d7f754ea3fcb55368ae8be0f1c45836137150ccd5bc78fa65

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml
Filesize
715B

MD5
da930f9f25da0ddec84b9f94278128c6

SHA1
35247a204b51fb79532b0af686e0e7bd036c2b76

SHA256
f5f1679d550ad4f730c7bf59e0a8e83fdadd6a24ee2658e89423a681e5559985

SHA512
39882d1f70c27cd6da383f37c5861f5d1b5391b81a2c5674642ba48f36e77ec2611baad761d39abf726e1578aa00d1589d46ed72c8b15c69282aeb32a8c637f0

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml
Filesize
719B

MD5
4c387be25b6b7e96062f8c8aa50d187c

SHA1
862eb3032e34d5c89cc7b23bab962e8a1e85221f

SHA256
ff64f361e99a00311898f61dab4579f6bf9ee4cac1207f124e0d419c07f432d5

SHA512
489ad3b5a40515d9d8617e05c39a87063eb1a765bd822c79cf9a56c28e6807560a145831273a435047d3efed0b2c179d7363fc1afd12ebf1d6728590e266fc9d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\165__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml
Filesize
654B

MD5
edccf012937269bff9e364429ee9591c

SHA1
6b89ba59e665bc91f3e924c9e49b26ad2b21cc33

SHA256
2921fc440117537131b21d23e898ff98ed12814bb6f0f3ad3eba448c9726c87a

SHA512
92ccacd1496f1c59acdf0f8a9c98263f53ed89c72e85c442b3fcd0d6619bb1f0e75a242cb692f6ccf808334969544343f14f53081ac53c21ca528582824d3ca9

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml
Filesize
2KB

MD5
e52262399745fe981a7fba69c55f09dc

SHA1
795a06836db2ead992013b55d2d5a87420be43e7

SHA256
838e2cd11573dfcbb74c47621b30c5a7b62b2a063a41282a8e117b7b8fd5ebbc

SHA512
4b146141538edc8428d0bb0c8f314e3cc2f87e9888a82471f5c870a0779655944f8cfc34f5bc7bb2769d08d3ef3bac2cdf4f428d970bc1b480bce722a3b0291e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
7ea0449944c18cb590e5bc61bf7c0b99

SHA1
af1097ddbe9d9910b7de594d85b54650b1eef20e

SHA256
736a96223420209545693df556aaab48095c94da0d21364ad5b48e37aaae0545

SHA512
66d3ef4a4bd3ab770d025e93a1abaa0d96c54dc97dc87430c64eb05a33725e0a5909bb8948a2660eb0ae6f054d319c90cde97998d327e76eaa1ccaccc378c9d8

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\customizations.xml
Filesize
1KB

MD5
fb2ffd70c29a029e35353dc9656bb416

SHA1
f35815f55ea9cdab7ae063e5c459f00869e9ff26

SHA256
ada92a94b8a6d9cbf8f6ed379f7b9b035b6b6be0ccfef667ca0539032bf60149

SHA512
4bb3907b3a895b781de4cc0addab1a582be2da9ecfdba0b684b0d44dbee9ea3586ac43132e15f9b912456eef8f2a2a0fcfdbb9e9619d42c4dc661ded0bda9ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\microsoft.vclibs.x86.14.00..dll
Filesize
726KB

MD5
520775d4f89a67982aafb594b8d03801

SHA1
b6d0c8f58ac608230588461b2dad53f44f40305c

SHA256
b9524aab5d8bfbe51f3477ea4b0c2a2491a0046dbcb9fa2debec797833d14eb6

SHA512
8dee81357e5ff05c5cde1c9bca6c6b5ea8a8e719e0a606730cdd4d6aae0cf955b920774befd2972329b87e3c50512ec639b20bdf8c09e24a9402038f2ebf3f06

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.VCLibs.x86.14.00..dll
Filesize
726KB

MD5
520775d4f89a67982aafb594b8d03801

SHA1
b6d0c8f58ac608230588461b2dad53f44f40305c

SHA256
b9524aab5d8bfbe51f3477ea4b0c2a2491a0046dbcb9fa2debec797833d14eb6

SHA512
8dee81357e5ff05c5cde1c9bca6c6b5ea8a8e719e0a606730cdd4d6aae0cf955b920774befd2972329b87e3c50512ec639b20bdf8c09e24a9402038f2ebf3f06

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.VCLibs.x86.14.00..dll
Filesize
726KB

MD5
520775d4f89a67982aafb594b8d03801

SHA1
b6d0c8f58ac608230588461b2dad53f44f40305c

SHA256
b9524aab5d8bfbe51f3477ea4b0c2a2491a0046dbcb9fa2debec797833d14eb6

SHA512
8dee81357e5ff05c5cde1c9bca6c6b5ea8a8e719e0a606730cdd4d6aae0cf955b920774befd2972329b87e3c50512ec639b20bdf8c09e24a9402038f2ebf3f06

Download Submit
\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
memory/1640-376-0x0000000000000000-mapping.dmp

Download
memory/1640-450-0x0000000005B50000-0x0000000006275000-memory.dmp

Filesize
7.1MB

Download
memory/1640-464-0x0000000005B50000-0x0000000006275000-memory.dmp

Filesize
7.1MB

Download
memory/2144-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-161-0x0000000000000000-mapping.dmp

Download
memory/2144-279-0x0000000007120000-0x0000000007845000-memory.dmp

Filesize
7.1MB

Download
memory/2144-263-0x0000000007120000-0x0000000007845000-memory.dmp

Filesize
7.1MB

Download
memory/2144-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-138-0x0000000002260000-0x0000000002341000-memory.dmp

Filesize
900KB

Download
memory/2788-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-116-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-164-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2788-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-141-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2788-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-139-0x00000000023A0000-0x00000000024B5000-memory.dmp

Filesize
1.1MB

Download
memory/2788-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-117-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3004-465-0x0000000000000000-mapping.dmp

Download
memory/3284-483-0x0000000000000000-mapping.dmp

Download
memory/4628-398-0x0000000004D80000-0x00000000054A5000-memory.dmp

Filesize
7.1MB

Download
memory/4628-501-0x0000000004D80000-0x00000000054A5000-memory.dmp

Filesize
7.1MB

Download
memory/5096-278-0x000001C011BD0000-0x000001C011DFA000-memory.dmp

Filesize
2.2MB

Download
memory/5096-277-0x0000000000780000-0x0000000000999000-memory.dmp

Filesize
2.1MB

Download
memory/5096-272-0x00007FF6ED485FD0-mapping.dmp

Download