danabot | 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f4070594e2008388c46be164a59d9ae.exe
Size

1.1MB
MD5

8f4070594e2008388c46be164a59d9ae
SHA1

bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69
SHA256

37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34
SHA512

2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8
SSDEEP

24576:D4MwERrcsuCg2luv/4QwWU7kTV4t83ZUcwFP:MhMcsBl2whOHUDFP

Score

10^/10

danabot banker discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	rundll32.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

2 2004 rundll32.exe
5 2004 rundll32.exe
9 2004 rundll32.exe
11 2004 rundll32.exe

flow	pid	process
2	2004	rundll32.exe
5	2004	rundll32.exe
9	2004	rundll32.exe
11	2004	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PDXFile_8\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Media Player\\en-US\\PDXFile_8.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PDXFile_8\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2004 rundll32.exe
1476 svchost.exe
1068 rundll32.exe
1068 rundll32.exe
1068 rundll32.exe
1068 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2004 set thread context of 1468 2004 rundll32.exe rundll32.exe

pid	process
2004	rundll32.exe
1476	svchost.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe

description	pid	process	target process
PID 2004 set thread context of 1468	2004	rundll32.exe	rundll32.exe

Drops file in Program Files directory 60 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\ACE.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\VDK10.STC	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\icucnv36.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\CP1254.TXT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Search.api	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\icudt36.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\TURKISH.TXT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Eula.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\MyriadPro-Regular.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\SC_Reader.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\DW20.EXE	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AiodLite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\tr.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AcroRd32.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\GREEK.TXT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Identity-V	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1D731B143FB38D9E6B3945AD88D2446B921A50B	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1D731B143FB38D9E6B3945AD88D2446B921A50B\Blob = 030000000100000014000000c1d731b143fb38d9e6b3945ad88d2446b921a50b20000000010000003f0200003082023b308201a4a00302010202086de21a4a74879e90300d06092a864886f70d01010b050030433121301f06035504030c184d6963726f736f667420526f6f7420417574686f72696c79311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e301e170d3230313232303130353731375a170d3234313231393130353731375a30433121301f06035504030c184d6963726f736f667420526f6f7420417574686f72696c79311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e30819f300d06092a864886f70d010101050003818d0030818902818100b2217b98d87e4a19841102d47249d0ea00f079165c94b1b747936e3af272fdc252e26597122f5c4b465e924d97ec0a5f6e374687d76c014c2441c11ec98d40e4e58019c8fb7e27232f074e6a73914edc92dce29fbba89cc7abeec20f890e19e2df7ad3f1997326967b4eec9da89e4e053fd39c3323ed7420a3952035ad834eab0203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a82184d6963726f736f667420526f6f7420417574686f72696c79300d06092a864886f70d01010b050003818100738262e836526881bd8eb480acdcb1fd7aa93b33c08e24fac12c5b9527952bc00d5036495dfcec5f8348a87d8c38fef94db7ff673527308b4e674fac8ea2de12980ff821491a2b6207ace815b0ed3e03b40af8fcc50192fe1b1267a6b4358fc884e9a9e7a797181de1847e5068ad3771b24c079e389bfdf1224433419485af67	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exerundll32.exe

pid process

1476 svchost.exe
2004 rundll32.exe
2004 rundll32.exe
2004 rundll32.exe
2004 rundll32.exe
1476 svchost.exe
1476 svchost.exe
1476 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2004 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1468 rundll32.exe

pid	process
1476	svchost.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
1476	svchost.exe
1476	svchost.exe
1476	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2004	rundll32.exe

pid	process
1468	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8f4070594e2008388c46be164a59d9ae.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2044 wrote to memory of 2004	2044	8f4070594e2008388c46be164a59d9ae.exe	rundll32.exe
PID 2044 wrote to memory of 2004	2044	8f4070594e2008388c46be164a59d9ae.exe	rundll32.exe
PID 2044 wrote to memory of 2004	2044	8f4070594e2008388c46be164a59d9ae.exe	rundll32.exe
PID 2044 wrote to memory of 2004	2044	8f4070594e2008388c46be164a59d9ae.exe	rundll32.exe
PID 2044 wrote to memory of 2004	2044	8f4070594e2008388c46be164a59d9ae.exe	rundll32.exe
PID 2044 wrote to memory of 2004	2044	8f4070594e2008388c46be164a59d9ae.exe	rundll32.exe
PID 2044 wrote to memory of 2004	2044	8f4070594e2008388c46be164a59d9ae.exe	rundll32.exe
PID 2004 wrote to memory of 1468	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1468	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1468	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1468	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1468	2004	rundll32.exe	rundll32.exe
PID 1476 wrote to memory of 1068	1476	svchost.exe	rundll32.exe
PID 1476 wrote to memory of 1068	1476	svchost.exe	rundll32.exe
PID 1476 wrote to memory of 1068	1476	svchost.exe	rundll32.exe
PID 1476 wrote to memory of 1068	1476	svchost.exe	rundll32.exe
PID 1476 wrote to memory of 1068	1476	svchost.exe	rundll32.exe
PID 1476 wrote to memory of 1068	1476	svchost.exe	rundll32.exe
PID 1476 wrote to memory of 1068	1476	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8f4070594e2008388c46be164a59d9ae.exe
"C:\Users\Admin\AppData\Local\Temp\8f4070594e2008388c46be164a59d9ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Modifies visibility of file extensions in Explorer
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23998
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1468

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows media player\en-us\pdxfile_8.dll",Ui4k
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_MKWD_BestBet.H1W

Filesize
357KB

MD5
ec26153da5c31ac99b6cb7cf2b664df4

SHA1
772ae3f3f654dee5c65b93e7c7320dc6bd61006e

SHA256
c961c40399f3ef2e9e6d1607608ff68eb5fced25c559509f881ec8555ae895a2

SHA512
9897b908e9d1508f99f66dbbab2289d30c81196474210afea846c807b614140dc039f848795c71e3c041cf5fb56ec4cffa600e455b9c3fd8dc19b6c934212bb3

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_MTOC_help.H1H

Filesize
546KB

MD5
f7c7588f055fad4ec7f9320108ed5cc5

SHA1
7d0af5a8b2df77a272e53ab695357e7656c2256c

SHA256
d6312cf350da32332bbb3178ecaaf65817999fca23c35ed5e913eb1a87ef1c51

SHA512
dd63eb8c11c565ef1b0556d6389e42b341eef3c24e53d6ec4a01c7069418bdb19b9588ec4501b910af6ec028bf21bb710739d09da48bbef1febe3c26cff8d66b

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\OUTLWVW.DLL.trx_dll

Filesize
10KB

MD5
825606fc68efead707357cf7f9ecd540

SHA1
5cadf7678e725b26f39678478a87fcd2f512ab8a

SHA256
3c703e3b17a1ad4a31f90c52150a0397eadcc8b78b95d04aa805161c40f17d92

SHA512
c40cc78d6a331e9cb46c4a09179844d1148e9ce8821e3c2a923016a70056158335d4fc066bb7da9fdda48a28894fa36b19cb0b1cced0071c9c8fe6cf4aa1d1b5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
ae29f316ed11ed986ef55f4ba65247d0

SHA1
e586edba793929774172be94e69372e7123b5914

SHA256
e17a606f0273521590be07e62880dc5fc38c84677f84ed2b53049570e499bb50

SHA512
928551a3a54c0ecaf050e1e453e03f0ac22ee1e220adc34ceedfffe012dc624d54d42cdd78711083cb25ee868dfd2306a291201a6d2491df3b26688e0e2fe1d5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
a07fa586d5c7fb56f753c081aa81c4c6

SHA1
f22f0a3ea4dd23e0af5c91f6c92a0b9b6684bbb2

SHA256
c5c48f381ec13f3dc56754cf94d3131933483106637726adc6c74cf038f04ba1

SHA512
eea1f728f206431e636db83969c650636f601742a947d8e96f6df65e5eac55130d0d3ff7fa50a4876e7f20628522c722da9dbddfef0ad340e635cca68b98decd

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\pictures.ico

Filesize
81KB

MD5
8e3fed079e101c5dcb906371c2b546a3

SHA1
7fbf444c9361684228f643984f1333c271e86bf2

SHA256
b0203f1dc9e443dc5081b0f882934241645a5de4cc4b1e47b3460d17446a87d4

SHA512
898c825d9f20f3d20cb389328561ff70bd0c762dcc1369bd0bb633130aee9dcf60b433da66c3a37dd1d46a70614abd955a323589917ed85e0ec5698cdd0268c2

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile27.bmp

Filesize
48KB

MD5
f15bc24c02b8f476f211ce728a29e7ac

SHA1
836b9ad7237e61174c4bb3d0f86a37a7386d398d

SHA256
cff71b59c648f09654dfefd33469ec68cbeed35ddaf3e053b0a9f78686a06c6d

SHA512
859224f58ab146a1a453ad39f717ec85dadc1b781c7d57fdc81ebe6c3f39d7a33dbc60c5812905822ab197f0488b0e631de8d672ab66da89979c2301e83714fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windows media player\en-us\pdxfile_8.dll

Filesize
726KB

MD5
85c02f66df9c21469c433f0382d87387

SHA1
f6da651cb54aed9296b8e7559b71b7f9f8b28187

SHA256
57b0a1aeba5cd47b7e1c1ea9ff59a4fe1fb06b4a4b0415846b3c787b6b22ebd4

SHA512
4bd6b748915c13d3d065637428be09552ce8c9003debbe0682b9b013f8a21d0664095313a24454d579b9d6c7d54e63e7b59ac9f4d2c58c548e4a372aa7335272

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.dll

Filesize
726KB

MD5
85c02f66df9c21469c433f0382d87387

SHA1
f6da651cb54aed9296b8e7559b71b7f9f8b28187

SHA256
57b0a1aeba5cd47b7e1c1ea9ff59a4fe1fb06b4a4b0415846b3c787b6b22ebd4

SHA512
4bd6b748915c13d3d065637428be09552ce8c9003debbe0682b9b013f8a21d0664095313a24454d579b9d6c7d54e63e7b59ac9f4d2c58c548e4a372aa7335272

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.dll

Filesize
726KB

MD5
85c02f66df9c21469c433f0382d87387

SHA1
f6da651cb54aed9296b8e7559b71b7f9f8b28187

SHA256
57b0a1aeba5cd47b7e1c1ea9ff59a4fe1fb06b4a4b0415846b3c787b6b22ebd4

SHA512
4bd6b748915c13d3d065637428be09552ce8c9003debbe0682b9b013f8a21d0664095313a24454d579b9d6c7d54e63e7b59ac9f4d2c58c548e4a372aa7335272

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.dll

Filesize
726KB

MD5
85c02f66df9c21469c433f0382d87387

SHA1
f6da651cb54aed9296b8e7559b71b7f9f8b28187

SHA256
57b0a1aeba5cd47b7e1c1ea9ff59a4fe1fb06b4a4b0415846b3c787b6b22ebd4

SHA512
4bd6b748915c13d3d065637428be09552ce8c9003debbe0682b9b013f8a21d0664095313a24454d579b9d6c7d54e63e7b59ac9f4d2c58c548e4a372aa7335272

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.dll

Filesize
726KB

MD5
85c02f66df9c21469c433f0382d87387

SHA1
f6da651cb54aed9296b8e7559b71b7f9f8b28187

SHA256
57b0a1aeba5cd47b7e1c1ea9ff59a4fe1fb06b4a4b0415846b3c787b6b22ebd4

SHA512
4bd6b748915c13d3d065637428be09552ce8c9003debbe0682b9b013f8a21d0664095313a24454d579b9d6c7d54e63e7b59ac9f4d2c58c548e4a372aa7335272

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.dll

Filesize
726KB

MD5
85c02f66df9c21469c433f0382d87387

SHA1
f6da651cb54aed9296b8e7559b71b7f9f8b28187

SHA256
57b0a1aeba5cd47b7e1c1ea9ff59a4fe1fb06b4a4b0415846b3c787b6b22ebd4

SHA512
4bd6b748915c13d3d065637428be09552ce8c9003debbe0682b9b013f8a21d0664095313a24454d579b9d6c7d54e63e7b59ac9f4d2c58c548e4a372aa7335272

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
memory/1068-105-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1068-95-0x0000000000000000-mapping.dmp

Download
memory/1068-102-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1068-104-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1468-80-0x0000000001DC0000-0x0000000001FEA000-memory.dmp

Filesize
2.2MB

Download
memory/1468-70-0x0000000000140000-0x0000000000359000-memory.dmp

Filesize
2.1MB

Download
memory/1468-78-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download
memory/1468-79-0x0000000000140000-0x0000000000359000-memory.dmp

Filesize
2.1MB

Download
memory/1468-77-0x00000000020F0000-0x0000000002230000-memory.dmp

Filesize
1.2MB

Download
memory/1468-76-0x00000000020F0000-0x0000000002230000-memory.dmp

Filesize
1.2MB

Download
memory/1468-75-0x00000000FF5C3CEC-mapping.dmp

Download
memory/1476-111-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1476-86-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1476-88-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1476-89-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1888-110-0x0000000000000000-mapping.dmp

Download
memory/2004-72-0x0000000005500000-0x0000000005640000-memory.dmp

Filesize
1.2MB

Download
memory/2004-65-0x0000000004440000-0x0000000004B65000-memory.dmp

Filesize
7.1MB

Download
memory/2004-73-0x0000000004C30000-0x0000000004D70000-memory.dmp

Filesize
1.2MB

Download
memory/2004-69-0x0000000005500000-0x0000000005640000-memory.dmp

Filesize
1.2MB

Download
memory/2004-68-0x0000000004C30000-0x0000000004D70000-memory.dmp

Filesize
1.2MB

Download
memory/2004-67-0x0000000004C30000-0x0000000004D70000-memory.dmp

Filesize
1.2MB

Download
memory/2004-66-0x0000000004440000-0x0000000004B65000-memory.dmp

Filesize
7.1MB

Download
memory/2004-81-0x0000000004440000-0x0000000004B65000-memory.dmp

Filesize
7.1MB

Download
memory/2004-63-0x0000000004440000-0x0000000004B65000-memory.dmp

Filesize
7.1MB

Download
memory/2004-74-0x0000000004C30000-0x0000000004D70000-memory.dmp

Filesize
1.2MB

Download
memory/2004-56-0x0000000000000000-mapping.dmp

Download
memory/2044-57-0x0000000001D40000-0x0000000001E16000-memory.dmp

Filesize
856KB

Download
memory/2044-58-0x0000000001EC0000-0x0000000001FD5000-memory.dmp

Filesize
1.1MB

Download
memory/2044-55-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2044-60-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2044-54-0x0000000001D40000-0x0000000001E16000-memory.dmp

Filesize
856KB

Download