danabot | cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
Size

29KB
MD5

cb4573fa9acae5c637fced7e7cb8192c
SHA1

d2145f53a192e768b8bfbf9b633941790424ff7f
SHA256

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
SHA512

450a7dd225a0534c78073fc4fd519af2a82fc86f78ce1e9ce92a990cc1132f26546182ec6e26880cfa75ff405bf0a682b1f0ed9cdfc3a9579b598294f89cc3cc
SSDEEP

768:0BCzbIqVpKx3Vy2C0Jjfp/zX+Y9Kw5LG3OILRSwEqqmhAZPg5W:0+Iqqx3VyExprXl9Kw5LGBcPma0W

Score

10^/10

danabot smokeloader systembc backdoor banker discovery persistence trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/404-132-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/404-133-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

38 4836 rundll32.exe
39 4836 rundll32.exe
62 4836 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

D43D.exe103D.exeecdolh.exe

pid process

3196 D43D.exe
4260 103D.exe
4636 ecdolh.exe

flow	pid	process
38	4836	rundll32.exe
39	4836	rundll32.exe
62	4836	rundll32.exe

pid	process
3196	D43D.exe
4260	103D.exe
4636	ecdolh.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\natives_blob\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\natives_blob.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\natives_blob\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\natives_blob.dllԀ"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\natives_blob\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

4836 rundll32.exe
3508 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4836 set thread context of 4440 4836 rundll32.exe rundll32.exe

pid	process
4836	rundll32.exe
3508	svchost.exe

description	pid	process	target process
PID 4836 set thread context of 4440	4836	rundll32.exe	rundll32.exe

Drops file in Program Files directory 32 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOnNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFPrevHndlr.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\index.html	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\end_review.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_hiContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\add_reviewer.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe

Drops file in Windows directory 2 IoCs

Processes:

103D.exe

description ioc process

File created C:\Windows\Tasks\ecdolh.job 103D.exe
File opened for modification C:\Windows\Tasks\ecdolh.job 103D.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4240 3196 WerFault.exe D43D.exe
3888 4260 WerFault.exe 103D.exe

description	ioc	process
File created	C:\Windows\Tasks\ecdolh.job	103D.exe
File opened for modification	C:\Windows\Tasks\ecdolh.job	103D.exe

pid	pid_target	process	target process
4240	3196	WerFault.exe	D43D.exe
3888	4260	WerFault.exe	103D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094559374100054656d7000003a0009000400efbe6b558a6c945594742e000000000000000000000000000000000000000000000000001cf19c00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1056

pid	process
1056

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe

pid	process
404	cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
404	cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe

pid process

404 cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe

pid	process
1056

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4440 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1056
1056

pid	process
4440	rundll32.exe

pid	process
1056
1056

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

D43D.exerundll32.exe

description	pid	process	target process
PID 1056 wrote to memory of 3196	1056		D43D.exe
PID 1056 wrote to memory of 3196	1056		D43D.exe
PID 1056 wrote to memory of 3196	1056		D43D.exe
PID 3196 wrote to memory of 4836	3196	D43D.exe	rundll32.exe
PID 3196 wrote to memory of 4836	3196	D43D.exe	rundll32.exe
PID 3196 wrote to memory of 4836	3196	D43D.exe	rundll32.exe
PID 1056 wrote to memory of 4260	1056		103D.exe
PID 1056 wrote to memory of 4260	1056		103D.exe
PID 1056 wrote to memory of 4260	1056		103D.exe
PID 4836 wrote to memory of 4440	4836	rundll32.exe	rundll32.exe
PID 4836 wrote to memory of 4440	4836	rundll32.exe	rundll32.exe
PID 4836 wrote to memory of 4440	4836	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
"C:\Users\Admin\AppData\Local\Temp\cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:404

C:\Users\Admin\AppData\Local\Temp\D43D.exe
C:\Users\Admin\AppData\Local\Temp\D43D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 556
2⤵
- Program crash
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3196 -ip 3196
1⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\103D.exe
C:\Users\Admin\AppData\Local\Temp\103D.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 492
2⤵
- Program crash
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2304

C:\ProgramData\gqmqg\ecdolh.exe
C:\ProgramData\gqmqg\ecdolh.exe start
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4260 -ip 4260
1⤵
PID:3512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
PID:3508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\natives_blob.dll",ZFUPVm9N
2⤵
PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll
Filesize
797KB

MD5
86d459a9a81434cf8c71f4f70468636d

SHA1
32f22a4874307095294b73cca3d0bfd89265b9d3

SHA256
c07ee0d93252f8d1822a0566839f2f2b7fbd9d1fae90a1b057e29a4f12468b70

SHA512
492150c89c9bacae900bc45b9aac090f86d006b6f2f5e318381f1adc774d5e4a64c1b12c77ee00707f695cd40ccaab5e8ad56187a7feda00bbbb361ce32a700c

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll
Filesize
797KB

MD5
86d459a9a81434cf8c71f4f70468636d

SHA1
32f22a4874307095294b73cca3d0bfd89265b9d3

SHA256
c07ee0d93252f8d1822a0566839f2f2b7fbd9d1fae90a1b057e29a4f12468b70

SHA512
492150c89c9bacae900bc45b9aac090f86d006b6f2f5e318381f1adc774d5e4a64c1b12c77ee00707f695cd40ccaab5e8ad56187a7feda00bbbb361ce32a700c

Download Submit
C:\ProgramData\gqmqg\ecdolh.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\gqmqg\ecdolh.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.powerpointmui.msi.16.en-us.xml
Filesize
27KB

MD5
e9ed7134ebf28fea3f7aa5691a28438a

SHA1
ea1e55c279ed9f8dae333ae436204d8d67d46adf

SHA256
8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28

SHA512
535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
Filesize
719KB

MD5
e9f03f8b71cac83b7d16ef685cabd0d0

SHA1
c5057520e0a65340360219618632037e7c0c474a

SHA256
fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db

SHA512
1703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
db0acdbf49f80d3f3b0fb65a71b39341

SHA1
12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

SHA256
f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

SHA512
3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
ec28dd31cae734b3cebf46eac4f902ed

SHA1
b61f21a9dab5ccad76b8f1a7b116f95761650e72

SHA256
db9d05546ab6c1e27c2826fd98d77a529d33a755e1e8e643420015c586a32727

SHA512
f78804292052837a104ad6d10448df36b47e49962ee9fdfbde3375b96028f46ace6b829d28a9d1a19ac5852c7610ec88e3997b6d686d04ed3926aa6afd34f97f

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
ec28dd31cae734b3cebf46eac4f902ed

SHA1
b61f21a9dab5ccad76b8f1a7b116f95761650e72

SHA256
db9d05546ab6c1e27c2826fd98d77a529d33a755e1e8e643420015c586a32727

SHA512
f78804292052837a104ad6d10448df36b47e49962ee9fdfbde3375b96028f46ace6b829d28a9d1a19ac5852c7610ec88e3997b6d686d04ed3926aa6afd34f97f

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
26KB

MD5
2bc8ee174a90308d275eda81bf42d95e

SHA1
284647d3ee515e4794d1984d2f01989f33121d2d

SHA256
d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8

SHA512
fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
913B

MD5
1600f66ce0d9c342eb6a49155a2f8c14

SHA1
e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07

SHA256
8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27

SHA512
ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml
Filesize
6KB

MD5
e2a07f037256d69937145aea357735fe

SHA1
07ce3d26f68b90604543f441bf75f57fbf6f5f99

SHA256
0f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257

SHA512
f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
26KB

MD5
26b4cb86e7313855e188214dfee0abe4

SHA1
c4488e4c3c91bb6bd49cc3e68d9fce83c59f8422

SHA256
d182821a1030c629318d6e379cba49ac00db7a2b6aab70a3d245f7418ef490bc

SHA512
78dd7247c0fd372bc146562f46dd453aaa9fc3e4a49fb669240f76bd90249534bf6ca660058bf854eb4c05170a2e2ddabc0813223b61f09f0673fb3939f6f2b1

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c.xml
Filesize
3KB

MD5
7c7088d81be7468216906e3c2e9b171b

SHA1
2c4acc956ac68eae04b8f86c93a62f411ed730a7

SHA256
9db8e860ebfbcec743ab4779801f4b4772ec6b5d295c894dd3a58c9767f08564

SHA512
6a2e6a3a26cc0c98db5039514d56232d592ed44b72ebe27dfe9fb965ce6fedc4202ecc3f49cf6be01aaa4780b7ad31f158523c51a158ad99ad86c596794cc9c4

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftEdgeUpdate.log
Filesize
104KB

MD5
ab6bb281ae5e3a7a65113f5dd03f951e

SHA1
e97c970fdc2e5452fa70968720cf3c267ac2d92d

SHA256
b46039499671d11723afcb250c2e71c6de04ccb04ac95fa674b9d88fe93aa9d4

SHA512
678c96e18f315909b80532077675f43cde39d18d1561adffb43ac013b3403609e8982fea4ccbb078b5fc7d283f7e1d19a1b84696d666d155ed867b852348fd4a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2013Office365Win64.xml
Filesize
10KB

MD5
46353bb25b4eb2e9d26a25744c716563

SHA1
a9a9c2a1260542b5246fd642425dcc2a29a098c1

SHA256
3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893

SHA512
09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\behavior.xml
Filesize
2KB

MD5
e819bd42f70abd4d77fcdd8e9027f87d

SHA1
a6c541f7cc2c56b7e249f8c56c24208e742acce7

SHA256
8931d34acc2d60b807f30ae7fc661691fb03d18a7f1448b84d0fd92d7ba8efac

SHA512
cab282bd90653a067c760e65205bb26353af21649ba559ac3599077d4258e84752d1c67b697f745cf116a4c91ea82d111c2501128aa908aa55f4c24c3ac0dec4

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\stream.x64.en-us.dat.cat
Filesize
109KB

MD5
2800ad935a91f65e3a39d28d7ec8b12b

SHA1
2e87ae6f577e833894abaa85117f29fd8c2178db

SHA256
7a9e9a26077199809f7a69d4486b58d98b5b972a2652084de0e212bc070410bd

SHA512
3564cdd0ff8efd862f6f3e123f8a5990d255bf735ee7eed3d622ecd40dfe53b9e1ae0c623a9d0036ca73e24a7c4f91b9a0174129084536362d23b10e6c730dff

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\user-192.png
Filesize
2KB

MD5
00974aab6b9832933e8ac609e50e5dce

SHA1
6fa57587c15d3de9c9ace6da93ab80830bd87771

SHA256
7e9997f40d13b32c724ca4ecef283f377ce9965d31534167994e654d6e6623b6

SHA512
c104286c58629920fa51b5f764c409b87ce9cbff3ea33d634cfa5d7804294a345c5e4150780f84d85c8a7a0aea7d6089eb4f31494096a4c5e9982364f9ad2e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\103D.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\103D.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\D43D.exe
Filesize
1.1MB

MD5
3967f9e696a6bf35357fd4a240c4018e

SHA1
999bf859c09e824863ce2cd5222ef200f18bc95b

SHA256
e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a

SHA512
0cc1f3d64120d9b00389ad45197393fa7fff01da006c3f6624f731e82c268a78dcdc26e13dd26e742984185b3c23c77c072132dc95c9de2696869538837b3103

Download Submit
C:\Users\Admin\AppData\Local\Temp\D43D.exe
Filesize
1.1MB

MD5
3967f9e696a6bf35357fd4a240c4018e

SHA1
999bf859c09e824863ce2cd5222ef200f18bc95b

SHA256
e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a

SHA512
0cc1f3d64120d9b00389ad45197393fa7fff01da006c3f6624f731e82c268a78dcdc26e13dd26e742984185b3c23c77c072132dc95c9de2696869538837b3103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\natives_blob.dll
Filesize
797KB

MD5
86d459a9a81434cf8c71f4f70468636d

SHA1
32f22a4874307095294b73cca3d0bfd89265b9d3

SHA256
c07ee0d93252f8d1822a0566839f2f2b7fbd9d1fae90a1b057e29a4f12468b70

SHA512
492150c89c9bacae900bc45b9aac090f86d006b6f2f5e318381f1adc774d5e4a64c1b12c77ee00707f695cd40ccaab5e8ad56187a7feda00bbbb361ce32a700c

Download Submit
memory/404-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/404-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3196-142-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3196-141-0x0000000002250000-0x0000000002380000-memory.dmp

Filesize
1.2MB

Download
memory/3196-134-0x0000000000000000-mapping.dmp

Download
memory/3196-140-0x000000000215B000-0x0000000002249000-memory.dmp

Filesize
952KB

Download
memory/3508-190-0x0000000003D10000-0x0000000004435000-memory.dmp

Filesize
7.1MB

Download
memory/3508-173-0x0000000003D10000-0x0000000004435000-memory.dmp

Filesize
7.1MB

Download
memory/4260-166-0x00000000005E9000-0x00000000005FA000-memory.dmp

Filesize
68KB

Download
memory/4260-143-0x0000000000000000-mapping.dmp

Download
memory/4260-169-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4260-149-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/4260-148-0x00000000005E9000-0x00000000005FA000-memory.dmp

Filesize
68KB

Download
memory/4260-151-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4420-191-0x0000000004530000-0x0000000004C55000-memory.dmp

Filesize
7.1MB

Download
memory/4420-187-0x0000000000000000-mapping.dmp

Download
memory/4420-192-0x0000000004530000-0x0000000004C55000-memory.dmp

Filesize
7.1MB

Download
memory/4440-162-0x0000019946D40000-0x0000019946F6A000-memory.dmp

Filesize
2.2MB

Download
memory/4440-159-0x0000019948710000-0x0000019948850000-memory.dmp

Filesize
1.2MB

Download
memory/4440-157-0x00007FF6E22E6890-mapping.dmp

Download
memory/4440-161-0x0000000000A70000-0x0000000000C89000-memory.dmp

Filesize
2.1MB

Download
memory/4440-160-0x0000019948710000-0x0000019948850000-memory.dmp

Filesize
1.2MB

Download
memory/4636-167-0x0000000000602000-0x0000000000613000-memory.dmp

Filesize
68KB

Download
memory/4636-168-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4836-158-0x0000000005D69000-0x0000000005D6B000-memory.dmp

Filesize
8KB

Download
memory/4836-155-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/4836-163-0x0000000005420000-0x0000000005B45000-memory.dmp

Filesize
7.1MB

Download
memory/4836-156-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/4836-154-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/4836-153-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/4836-152-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/4836-150-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/4836-147-0x0000000005420000-0x0000000005B45000-memory.dmp

Filesize
7.1MB

Download
memory/4836-146-0x0000000005420000-0x0000000005B45000-memory.dmp

Filesize
7.1MB

Download
memory/4836-137-0x0000000000000000-mapping.dmp

Download