Malware Analysis Report

2025-05-28 14:51

Sample ID 221219-mqkr6shh3s
Target aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f
SHA256 aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f
Tags
danabot banker collection discovery persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f

Threat Level: Known bad

The file aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f was found to be: Known bad.

Malicious Activity Summary

danabot banker collection discovery persistence spyware stealer trojan

Danabot

Sets service image path in registry

Sets DLL path for service in the registry

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks installed software on the system

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-19 10:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-19 10:40

Reported

2022-12-19 10:42

Platform

win10v2004-20221111-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PDFSigQFormalRep\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PDFSigQFormalRep.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PDFSigQFormalRep\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2480 set thread context of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Modules\server_lg.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInTray.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\pdf.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\blocklist.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\forms_received.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_ecc.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\arh.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\move.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Close2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\DarkTheme.acrotheme C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7BB55072FEF9E1AB4A53D5476B9CE4CC19C501B8 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7BB55072FEF9E1AB4A53D5476B9CE4CC19C501B8\Blob = 0300000001000000140000007bb55072fef9e1ab4a53d5476b9ce4cc19c501b820000000010000009602000030820292308201fba003020102020852aabef9392b8fc2300d06092a864886f70d01010b050030643136303406035504030c2d53796d616e74656320456e7465727072697365204d6f62716c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b3009060355040613025553301e170d3230313231393131343231335a170d3234313231383131343231335a30643136303406035504030c2d53796d616e74656320456e7465727072697365204d6f62716c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100bd6cf0e1fb655881cffc045ef554be4a7d74b30775dffbda6b3e0bfe38926dd611f786055ca0d5704746c61a1d964f426882905e9fd6ff454796bef4b5e1830d9ae08759875106034aed4025dec4fbe9572524bcfa6724db3d59cb9c5473773657ac521d2592dcce4cbd3173b823665d01081f3d0bba4e2fdf7803ac6692c11b0203010001a34d304b300f0603551d130101ff040530030101ff30380603551d110431302f822d53796d616e74656320456e7465727072697365204d6f62716c6520526f6f7420666f72204d6963726f736f6674300d06092a864886f70d01010b050003818100b6262ea1a9267b1bf5315ec56cd83c44f1233d06eddc3ddf17693cbe2b6be53db05cc8070181213bb05c6a755a4af0a96f9f67e5acfa784487d16081c9f99d2bf39ec7f46cd932f6d656a72640f28e15f023ece8be97009a31d5c78dbf08984b35aa92ab339866286f5373edbb42bdcf4b740bc5c0ec32609c056236ab1d7495 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2480 wrote to memory of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2480 wrote to memory of 3124 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4728 wrote to memory of 4156 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4728 wrote to memory of 4156 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4728 wrote to memory of 4156 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 4076 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 4076 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 4076 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f.exe

"C:\Users\Admin\AppData\Local\Temp\aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2552 -ip 2552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 468

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\pdfsigqformalrep.dll",rlRaUQ==

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 87.248.202.1:80 N/A tcp
N/A 87.248.202.1:80 N/A tcp
N/A 23.236.181.126:443 N/A tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 14.162.244.28:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 127.0.0.1:23970 N/A tcp
N/A 127.0.0.1:23973 N/A tcp
N/A 127.0.0.1:1312 N/A tcp

Files

memory/2480-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/2552-135-0x0000000002185000-0x000000000225B000-memory.dmp

memory/2552-136-0x0000000002260000-0x0000000002375000-memory.dmp

memory/2552-137-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2480-138-0x0000000005D90000-0x00000000064B5000-memory.dmp

memory/2480-139-0x0000000005D90000-0x00000000064B5000-memory.dmp

memory/2480-141-0x0000000004AE0000-0x0000000004C20000-memory.dmp

memory/2480-140-0x0000000004AE0000-0x0000000004C20000-memory.dmp

memory/2480-142-0x0000000004AE0000-0x0000000004C20000-memory.dmp

memory/2480-143-0x0000000004AE0000-0x0000000004C20000-memory.dmp

memory/2480-144-0x0000000004AE0000-0x0000000004C20000-memory.dmp

memory/2480-145-0x0000000004AE0000-0x0000000004C20000-memory.dmp

memory/3124-146-0x00007FF65D106890-mapping.dmp

memory/3124-147-0x00000284AA230000-0x00000284AA370000-memory.dmp

memory/3124-149-0x00000284AA230000-0x00000284AA370000-memory.dmp

memory/2480-148-0x0000000004B59000-0x0000000004B5B000-memory.dmp

memory/3124-150-0x0000000000F90000-0x00000000011A9000-memory.dmp

memory/3124-151-0x00000284AA3B0000-0x00000284AA5DA000-memory.dmp

memory/3124-152-0x00000284AA3B0000-0x00000284AA5DA000-memory.dmp

memory/2480-153-0x0000000005D90000-0x00000000064B5000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\pdfsigqformalrep.dll

MD5 f405963b2953a2fbbff61ae110ddb3bc
SHA1 70e96eb70d0d28473d3753d2d1b25b4762ef8a8d
SHA256 02b845a0aebb20dcb2a6947ed0511b2cccb56d85d99f765502397b5b4642583b
SHA512 472b0084f44cb65cbab4798f3fdd137fdf93dd9f2518924b6abdb91730c15c39a340be5f3bc980efbd7abb90d288a942aeac3dbabd9b8b77499be574d4e4d20a

C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.dll

MD5 f405963b2953a2fbbff61ae110ddb3bc
SHA1 70e96eb70d0d28473d3753d2d1b25b4762ef8a8d
SHA256 02b845a0aebb20dcb2a6947ed0511b2cccb56d85d99f765502397b5b4642583b
SHA512 472b0084f44cb65cbab4798f3fdd137fdf93dd9f2518924b6abdb91730c15c39a340be5f3bc980efbd7abb90d288a942aeac3dbabd9b8b77499be574d4e4d20a

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 dfd104fa07713fc0f9226f25b8894711
SHA1 5d65e3378d742ff381eb7201daec5fbb30a5709d
SHA256 04c002576680540887f79709616bcd5eebf69e70cbd9be1c4efc7c4760423a04
SHA512 b24875ebeff409d5148121d8e452b65b7fc49a055584283758b2aef99e5f2c601b181375de7151313dc5d8fb15810a508bef8dc73187448e069ca4faafca5bf8

memory/4728-157-0x00000000037B0000-0x0000000003ED5000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

MD5 dd8778eda0b96d5d71716fbb50300293
SHA1 17b3a49fe039ef5c930801c3a77922b30a61ee69
SHA256 61e06f4deff92e80d1605cb17a0c83604ac6cdb72fb3d4b1e3d0eb7e7bbbf4a0
SHA512 4efee799ddfb3d98a6b402aebed2ec79cfbd1cab200bfad1f95af432b91ce11e0404cd1cdf9f5a46324757c135928cb0ce42197c3021ae506ac6dd047127491b

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SettingsLocationTemplate2013A.xsd

MD5 91452b27335b69acc128a8a841bfe405
SHA1 7d63c758a2d4d16ef4175637ed17d5ad2080a329
SHA256 ce07da21a959291739ec76f403576ef995d1bb29826b490184c2fe6a4e5c7b10
SHA512 ba5ff3e4e596e685ec3dff0951c298c76fd2240f774d0d01b80bce6ad5e234a208d0f775c0d2b30d0b9dfefb3e8bce173db4b1e77a9ca16251dde662a005163b

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edbres00001.jrs

MD5 fcd6bcb56c1689fcef28b57c22475bad
SHA1 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256 de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe.xml

MD5 7eb2ff3e6ad26430b3d7c1d86bd55042
SHA1 3c1f961bb1317b63fa454d1938e2dfab8fa518be
SHA256 1469f5b82db4cb94fdb24580efe2cf3d30a9bc94ee4d4378b6cce50674999e1a
SHA512 89d6f1ae647cb3e3fc2cd8b1657f22e0fb023bff68482d159f61a6d1f8dd97b6c6d4e9c9edde989963e97740371a1dbd45b5f0524532c81cd082636e5d971e13

memory/4156-171-0x0000000000000000-mapping.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.wordmui.msi.16.en-us.xml

MD5 50a33f3ee76c3f15703f82890efcc8c8
SHA1 b24e99bb702478edcbbda43f75457e5833abdc95
SHA256 77a2a4517a0c488c78bf9742e86de5af419d6c148346845d8b0f062d5f8a631a
SHA512 f14e224c1582476f09f969f1e29d5e2fa7855b22aa6b35682e264da0fc6cafdc1d62022dde5032206e1d973382604d9ccfa7495ebf90578a55c9c74bac1e606e

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2016Win64.xml

MD5 dfb978df0faed93e4ec5ad1135e908ae
SHA1 31e7bb7856fad49be905210ee15a15e5f79fae3e
SHA256 bf05f685c4c0b4fae3c0ef014535d83a89088e026b1872ef6ad50ffa381b4490
SHA512 198e2ee755cc5e29884af59f65b96f6bcd0513cd4bf93867732b32f3e9487300508a1abdd9105183a8d99ebd5fda33b1946db244409380a4f4cae515038add82

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

MD5 98de295b21abe2451f86b82df3be269a
SHA1 1665a23d307748e8c1c0164ba7939275f9fb676c
SHA256 fd3507cd60edf41093c8fe843d1601e33db9cbe1cd36247cec587c265109bcfa
SHA512 230ae283c81771496dcae9ef84787379712106738ea82754b101af9047ae27cadb8b1f4aed00d146a699c22fd1c505c31068418a70d2b535c85c3017726d91cc

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe.xml

MD5 56cc188f572451b90ca1f71b44ac4e64
SHA1 790a449a478a6fbfd0fa2cc38d541ee62098746b
SHA256 df14300ee7cae37c4264ca6b10a60e30f8f94cba7b0e6430576decbf031c4eaa
SHA512 1b42c9e22cf3b8cb0433716364f8f775368c175ddce94026ae30743c352b73a1c4574603967120d28fdcad1f8cf977104f907c7f8140c41b2064d6658945fd83

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml

MD5 52cf638286d2e53bf8536fb9f4d8014d
SHA1 da04999d41cd61d6f6bf0dd87d515dcc85d33e29
SHA256 c6aea09422e8d810106006e4abe46a68bc918fc2b02ad135c90f68cd648e3b4a
SHA512 2398c927e9818ff3bf663463fb12120b4de3fdd9da2da241edefce2f2e5633f94274d66f1299acc13288bf9a7aca5ca40d91528807968227142e7842867012ed

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftWordpad.xml

MD5 576da3ac22d84c085a753ad324e5af0f
SHA1 1ce9245047e7da3eb4e81356434ca190fe4f924f
SHA256 214762acb145e4bbfabd685705707097bd5f5b8dc739c1c18b200d50c5c2f303
SHA512 dde20be02f91f438350752ff98bc6cd21dd9f2cb057fcc3f08d90ea889a69e0bb3e7f7a8fb554a7767d5a3ab74de3e8c090943730e5e197b07304221c2a8b9c0

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

MD5 2208598032bb288d2418ac683aa1c52e
SHA1 05ee06da9d4966b7b42f4d32acaa6a3c4c716b2b
SHA256 63c1ca505cf74b0f5c0fa35937730ee43a05cd9be03ee2489ab99d513bde741a
SHA512 9081c48088fe654ca64d94040d81473326a327714da7031da73f3bddf1ebfb17c1af1efa0ae3e4aeefe18b2425124bdfd86c5285271281bd10e88109f49edf3c

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ECApp_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml

MD5 13eb9cfbca43ebcd240e1fcff5acab4d
SHA1 5a0da86ab3f30905433677284eb843742f05afe5
SHA256 616d6a37866683e848fac3a17cecdea05e51da55420adcf947e40d062f587bb8
SHA512 256879b3d2c86ed4c3e8fccc8ffa09d11ae6eb6a2c9da4afa834f36b399752d7c46ceb638497cb28c48d874db0ccde15b73a22f1aa894b376aafd00f20b23352

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c.xml

MD5 d838647709cc692e5baa42ed5e612a15
SHA1 28403026cfc539e10cec2de39cc4273dfffa506e
SHA256 54e71797852c8b4dfe12af952c305db2d2416ded7e2cae5c1ea766070be981da
SHA512 1b3eac54dad342ba0bff5fdb66b569ae14cff892bae71dd3f9a5e0e1ff2f8f03656649c68a3f7ba9d106eec57ea56e0cb039747e435339ffe9a46dc96f58575c

memory/4728-173-0x00000000037B0000-0x0000000003ED5000-memory.dmp

memory/4156-174-0x00000000043B0000-0x0000000004AD5000-memory.dmp

memory/4156-175-0x00000000043B0000-0x0000000004AD5000-memory.dmp

memory/4076-176-0x0000000000000000-mapping.dmp

memory/2096-177-0x0000000000000000-mapping.dmp

memory/4728-178-0x00000000037B0000-0x0000000003ED5000-memory.dmp