danabot | 881c03c857c94709c03fcfbd8cf9bfc11b3d1f3579f0198a88e646d62575ee58

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d27e8cf4d45d944227148e218dabad.exe
Size

218KB
MD5

14d27e8cf4d45d944227148e218dabad
SHA1

64829bacebf8be9d3e16b21b1a607124cb23dc01
SHA256

881c03c857c94709c03fcfbd8cf9bfc11b3d1f3579f0198a88e646d62575ee58
SHA512

0672d6d2359d1554267cb010900248627eed7e0fe35bdd8e2fa07a3847ed95a89e253d156cc2ca60d93b69336963d54f519762f4cd1b6ef2c87e941f96564971
SSDEEP

3072:FTPEC+Lfi8P9RUUBlhxdM/agCEuMRSdso06fWR7b/T7NHCDml:FrF+LK8AUt3rIqxDfWJNCa

Score

10^/10

danabot smokeloader systembc backdoor banker trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/4752-133-0x0000000000590000-0x0000000000599000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Blocklisted process makes network request 3 IoCs

flow	pid	Process
52	3948	rundll32.exe
54	3948	rundll32.exe
71	3948	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
908	16B4.exe
3308	3D19.exe
3388	koatoi.exe
728	jthciea

Loads dropped DLL 1 IoCs

pid	Process
3948	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3948 set thread context of 3112	3948	rundll32.exe	97

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\create_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\pdf.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\libEGL.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGL.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eBook.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\createpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\MyriadCAD.otf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-ui-theme.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\BIB.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\koatoi.job	3D19.exe
File opened for modification	C:\Windows\Tasks\koatoi.job	3D19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1248	908	WerFault.exe	89
3588	3308	WerFault.exe	94

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14d27e8cf4d45d944227148e218dabad.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14d27e8cf4d45d944227148e218dabad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jthciea
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jthciea
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jthciea
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14d27e8cf4d45d944227148e218dabad.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009455384e100054656d7000003a0009000400efbe21550a589455394e2e00000000000000000000000000000000000000000000000000f9c7e500540065006d007000000014000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3004	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	14d27e8cf4d45d944227148e218dabad.exe
4752	14d27e8cf4d45d944227148e218dabad.exe
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found
3004	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3004	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4752	14d27e8cf4d45d944227148e218dabad.exe
728	jthciea

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found
Token: SeShutdownPrivilege	3004	Process not Found
Token: SeCreatePagefilePrivilege	3004	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3112	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3004	Process not Found
3004	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 908	3004	Process not Found	89
PID 3004 wrote to memory of 908	3004	Process not Found	89
PID 3004 wrote to memory of 908	3004	Process not Found	89
PID 908 wrote to memory of 3948	908	16B4.exe	91
PID 908 wrote to memory of 3948	908	16B4.exe	91
PID 908 wrote to memory of 3948	908	16B4.exe	91
PID 3004 wrote to memory of 3308	3004	Process not Found	94
PID 3004 wrote to memory of 3308	3004	Process not Found	94
PID 3004 wrote to memory of 3308	3004	Process not Found	94
PID 3948 wrote to memory of 3112	3948	rundll32.exe	97
PID 3948 wrote to memory of 3112	3948	rundll32.exe	97
PID 3948 wrote to memory of 3112	3948	rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\14d27e8cf4d45d944227148e218dabad.exe
"C:\Users\Admin\AppData\Local\Temp\14d27e8cf4d45d944227148e218dabad.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4752

C:\Users\Admin\AppData\Local\Temp\16B4.exe
C:\Users\Admin\AppData\Local\Temp\16B4.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14150
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 536
  2⤵
  - Program crash
  PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 908 -ip 908
1⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\3D19.exe
C:\Users\Admin\AppData\Local\Temp\3D19.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 488
  2⤵
  - Program crash
  PID:3588

C:\ProgramData\gfmnuce\koatoi.exe
C:\ProgramData\gfmnuce\koatoi.exe start
1⤵
- Executes dropped EXE
PID:3388

C:\Users\Admin\AppData\Roaming\jthciea
C:\Users\Admin\AppData\Roaming\jthciea
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3308 -ip 3308
1⤵
PID:1796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:1020
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\fillandsign.dll",fUozM1FxVg==
  2⤵
  PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll

Filesize
797KB

MD5
37391f45ab04753a1e368fdcb513dc81

SHA1
042e30d2ae40f66b308bdbad9fbf7c2c72387dba

SHA256
093e64d760c6ec2acacf1dc2fac01448096e82d9413c0947daa3bfb8f1de0801

SHA512
47bf42e142d87cc6c1d2a39629804ae9f750eb442074e6d57170b38453e5c9e5b32b92c9748fb629229385184b4442e9da6e101c2990792ad43bfd5f8f79d673

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.dll

Filesize
797KB

MD5
37391f45ab04753a1e368fdcb513dc81

SHA1
042e30d2ae40f66b308bdbad9fbf7c2c72387dba

SHA256
093e64d760c6ec2acacf1dc2fac01448096e82d9413c0947daa3bfb8f1de0801

SHA512
47bf42e142d87cc6c1d2a39629804ae9f750eb442074e6d57170b38453e5c9e5b32b92c9748fb629229385184b4442e9da6e101c2990792ad43bfd5f8f79d673

Download Submit
C:\ProgramData\gfmnuce\koatoi.exe

Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\gfmnuce\koatoi.exe

Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Active.GRL

Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml

Filesize
109KB

MD5
1ff29aea22999055b5c3dda5785a807c

SHA1
cd93580b22754e44c6fda2b1127bf6539deea0c6

SHA256
a738adb72546d0ea134a20abe3adbeb8bc6c7b90d04cc72d2f217c154c83ce11

SHA512
ab28afe92584956fd6656d05a9e910bf45312b2f7b23e97ab92e4a95ae014300c16a509c1e81dc18c7e180cf9c6a74a2146cf0b53083a4d9c99c0eb97b0323c5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\CiST0000.000

Filesize
240B

MD5
d20640a3df79babef40bad01d40cc900

SHA1
1b1f40b0a8a9bbb5550625636e87a7192a254dd6

SHA256
4d40459c351cfa95b5a21e65e0bcdee4f401a00a42ae95990dd2213763dc357e

SHA512
fa5513b0fc300974b5cf07b9044d854022f5c9f88ce2e69678f9ae33b6bc2fb559280190eae019ae026870f8d5394854526ad5a650007e555feed4b8810ad017

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
7e7e9913cbc2497e0de312f9931a96e7

SHA1
b69cd001fe4fdc568096b154f3a7b80854710197

SHA256
31ef6be3a2591a2ff4f349185d3ac4c63b49ba9448f95ad9c2accdaa65c4b06e

SHA512
1e98175603fe61868f566e5cd874b5f394353e227f558aeed108998df81f464f60f494083079472291f619fae7e18cfbfbf9188178d480095b346a3ccd09477d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
7e7e9913cbc2497e0de312f9931a96e7

SHA1
b69cd001fe4fdc568096b154f3a7b80854710197

SHA256
31ef6be3a2591a2ff4f349185d3ac4c63b49ba9448f95ad9c2accdaa65c4b06e

SHA512
1e98175603fe61868f566e5cd874b5f394353e227f558aeed108998df81f464f60f494083079472291f619fae7e18cfbfbf9188178d480095b346a3ccd09477d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy.xml

Filesize
2KB

MD5
2ff808c347a1bd28f3df3bc8873d73d6

SHA1
afc3b29446a1e5ea641db1c5f1521b2f5c814581

SHA256
6d6bb6749a28b69f42fede441d1c84dbff9c3f69938e637eee4fc260d0c92301

SHA512
33c2861f5b1f0b87be1f7a5d59313d5977d284ba70a126541f2daed6297ac35cf11c4f43107148f05da7e4748f49b3e99335d4c2164ba04e0a4f17830afd1706

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe.xml

Filesize
24KB

MD5
56cc188f572451b90ca1f71b44ac4e64

SHA1
790a449a478a6fbfd0fa2cc38d541ee62098746b

SHA256
df14300ee7cae37c4264ca6b10a60e30f8f94cba7b0e6430576decbf031c4eaa

SHA512
1b42c9e22cf3b8cb0433716364f8f775368c175ddce94026ae30743c352b73a1c4574603967120d28fdcad1f8cf977104f907c7f8140c41b2064d6658945fd83

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
913B

MD5
1600f66ce0d9c342eb6a49155a2f8c14

SHA1
e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07

SHA256
8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27

SHA512
ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftLync2013Win64.xml

Filesize
2KB

MD5
e3a68bbd204d36868c6f5570e4576675

SHA1
bc5c44144e8e962c62f7febabdb3d0ba20a8162a

SHA256
11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac

SHA512
7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_Office Feature Updates Logon.xml

Filesize
3KB

MD5
9663230fbff7b7ea27acf7cb5b2eb224

SHA1
c9061dc5a74944235155461a761456af38ec7de5

SHA256
189d7c143926ab4402258ecf47d9b4a6a2b55aa7564b853ddd81bbfcd2113bdb

SHA512
b96f74946a99d9cca64f7727dd0664fafd16a6a1242af773b36c5f531c071dbf1b91ff873962be2cd160bdcc128b3aaa5715a38f997e5cfa1b78863ab146493d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\guest.png

Filesize
5KB

MD5
d7ee4543371744836d520e0ce24a9ee6

SHA1
a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0

SHA256
98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9

SHA512
e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

Download Submit
C:\Users\Admin\AppData\Local\Temp\16B4.exe

Filesize
1.1MB

MD5
c8beb87469647c6fb577d2bfec8e0fcd

SHA1
dcbbd759d34cb4d23c53d67943c47a250ee32767

SHA256
c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6

SHA512
678bbc9fcaa886d4babf499303afdbdf737d0e98d830bc404bcd74255742595229fa99c757f2b6c90b729b3fe260faecd2928405aaa641d774fda96fd80870fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\16B4.exe

Filesize
1.1MB

MD5
c8beb87469647c6fb577d2bfec8e0fcd

SHA1
dcbbd759d34cb4d23c53d67943c47a250ee32767

SHA256
c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6

SHA512
678bbc9fcaa886d4babf499303afdbdf737d0e98d830bc404bcd74255742595229fa99c757f2b6c90b729b3fe260faecd2928405aaa641d774fda96fd80870fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D19.exe

Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D19.exe

Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Roaming\jthciea

Filesize
218KB

MD5
14d27e8cf4d45d944227148e218dabad

SHA1
64829bacebf8be9d3e16b21b1a607124cb23dc01

SHA256
881c03c857c94709c03fcfbd8cf9bfc11b3d1f3579f0198a88e646d62575ee58

SHA512
0672d6d2359d1554267cb010900248627eed7e0fe35bdd8e2fa07a3847ed95a89e253d156cc2ca60d93b69336963d54f519762f4cd1b6ef2c87e941f96564971

Download Submit
C:\Users\Admin\AppData\Roaming\jthciea

Filesize
218KB

MD5
14d27e8cf4d45d944227148e218dabad

SHA1
64829bacebf8be9d3e16b21b1a607124cb23dc01

SHA256
881c03c857c94709c03fcfbd8cf9bfc11b3d1f3579f0198a88e646d62575ee58

SHA512
0672d6d2359d1554267cb010900248627eed7e0fe35bdd8e2fa07a3847ed95a89e253d156cc2ca60d93b69336963d54f519762f4cd1b6ef2c87e941f96564971

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\fillandsign.dll

Filesize
797KB

MD5
37391f45ab04753a1e368fdcb513dc81

SHA1
042e30d2ae40f66b308bdbad9fbf7c2c72387dba

SHA256
093e64d760c6ec2acacf1dc2fac01448096e82d9413c0947daa3bfb8f1de0801

SHA512
47bf42e142d87cc6c1d2a39629804ae9f750eb442074e6d57170b38453e5c9e5b32b92c9748fb629229385184b4442e9da6e101c2990792ad43bfd5f8f79d673

Download Submit
memory/728-224-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/728-223-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/728-222-0x0000000000708000-0x0000000000718000-memory.dmp

Filesize
64KB

Download
memory/908-162-0x000000000223D000-0x000000000232C000-memory.dmp

Filesize
956KB

Download
memory/908-158-0x0000000000000000-mapping.dmp

Download
memory/908-163-0x0000000002330000-0x0000000002460000-memory.dmp

Filesize
1.2MB

Download
memory/908-166-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1020-231-0x00000000038C0000-0x0000000003FE5000-memory.dmp

Filesize
7.1MB

Download
memory/1020-244-0x00000000038C0000-0x0000000003FE5000-memory.dmp

Filesize
7.1MB

Download
memory/1812-246-0x0000000004CD0000-0x00000000053F5000-memory.dmp

Filesize
7.1MB

Download
memory/1812-242-0x0000000000000000-mapping.dmp

Download
memory/3004-188-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/3004-156-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3004-169-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-171-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-172-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/3004-170-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-173-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-174-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-175-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-176-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-177-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-178-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-179-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-180-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-181-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-182-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-183-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-184-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-185-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-186-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-187-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-136-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-189-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/3004-137-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-167-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3004-138-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-139-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-140-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-141-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-196-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/3004-197-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/3004-198-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/3004-199-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/3004-143-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-144-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/3004-142-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-145-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-146-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-157-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3004-168-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3004-155-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-154-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-147-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-148-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-149-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-150-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-151-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-152-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3004-153-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3112-215-0x00000270F4650000-0x00000270F4790000-memory.dmp

Filesize
1.2MB

Download
memory/3112-217-0x0000000000980000-0x0000000000B99000-memory.dmp

Filesize
2.1MB

Download
memory/3112-213-0x00007FF69F7E6890-mapping.dmp

Download
memory/3112-218-0x00000270F2E10000-0x00000270F303A000-memory.dmp

Filesize
2.2MB

Download
memory/3112-214-0x00000270F4650000-0x00000270F4790000-memory.dmp

Filesize
1.2MB

Download
memory/3308-195-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3308-204-0x0000000000739000-0x000000000074A000-memory.dmp

Filesize
68KB

Download
memory/3308-190-0x0000000000000000-mapping.dmp

Download
memory/3308-226-0x0000000000739000-0x000000000074A000-memory.dmp

Filesize
68KB

Download
memory/3308-227-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3308-193-0x0000000000739000-0x000000000074A000-memory.dmp

Filesize
68KB

Download
memory/3308-194-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/3388-220-0x00000000006C3000-0x00000000006D3000-memory.dmp

Filesize
64KB

Download
memory/3388-225-0x00000000006C3000-0x00000000006D3000-memory.dmp

Filesize
64KB

Download
memory/3388-219-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3948-202-0x0000000005680000-0x00000000057C0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-210-0x0000000005680000-0x00000000057C0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-203-0x0000000005680000-0x00000000057C0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-221-0x0000000004E60000-0x0000000005585000-memory.dmp

Filesize
7.1MB

Download
memory/3948-201-0x0000000004E60000-0x0000000005585000-memory.dmp

Filesize
7.1MB

Download
memory/3948-200-0x0000000004E60000-0x0000000005585000-memory.dmp

Filesize
7.1MB

Download
memory/3948-216-0x00000000056F9000-0x00000000056FB000-memory.dmp

Filesize
8KB

Download
memory/3948-209-0x0000000005680000-0x00000000057C0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-212-0x0000000005680000-0x00000000057C0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-161-0x0000000000000000-mapping.dmp

Download
memory/3948-211-0x0000000005680000-0x00000000057C0000-memory.dmp

Filesize
1.2MB

Download
memory/4752-132-0x00000000004A8000-0x00000000004B9000-memory.dmp

Filesize
68KB

Download
memory/4752-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4752-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4752-133-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download