Malware Analysis Report

2025-05-05 21:44

Sample ID: 221220-rvjswsaa32
Target: c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628
SHA256: c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628
Tags: danabot banker discovery persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628

Threat Level: Known bad

The file c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628 was found to be: Known bad.

Malicious Activity Summary

danabot banker discovery persistence trojan

Danabot

Blocklisted process makes network request

Sets service image path in registry

Sets DLL path for service in the registry

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-12-20 14:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-12-20 14:30
Reported: 2022-12-20 14:33
Platform: win7-20220812-en
Max time kernel: 127s
Max time network: 130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Sets DLL path for service in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\main\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\main.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\main\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | C:\Windows\SysWOW64\rundll32.exe | N/A

Taken together, these two values register a service named "main" that is hosted by svchost.exe and whose code is the dropped main.dll, sitting in a directory the sample created itself (see "Drops file in Program Files directory" below); the "Loads dropped DLL" signature attributes the resulting load to svchost.exe. A legitimate ServiceDll usually resolves under %SystemRoot%\System32, so a ServiceDll pointing into Program Files (x86) is the value worth hunting for.

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1852 set thread context of 1480 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\UKRAINE.TXT | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\main.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\brt04.hsp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AdobePiStd.otf | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\ICELAND.TXT | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AdobeCollabSync.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\QuickTime.mpp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\digest.s | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CGMIMP32.FLT | C:\Windows\SysWOW64\rundll32.exe | N/A
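
Added example, not part of the sandbox report: the table above shows the sample reading files out of the installed Adobe Reader tree and creating same-named copies in a new "Microsoft Sync Framework\v1.0" directory, with main.dll dropped among them. The Python below takes the table's paths as constructed input ("File opened for modification" is reduced to "opened") and finds any directory whose created files mostly mirror files the process read elsewhere, then isolates the created files that have no such twin. The thresholds (min_created, min_twin_ratio) are assumptions for the example.

```python
"""Spot a decoy-staging directory from file-activity events.

Added example, not part of the sandbox report.  Given (action, path)
events like the 'Drops file in Program Files directory' table, find
directories in which most created files share a basename with a file
the process opened in some other directory, and report the created
files that have no such twin (the candidate payload).
"""
from collections import defaultdict
import ntpath

# Constructed sample input: the behavioral1 table above, reduced to (action, path).
SYNC_DIR = r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0"
ADOBE = r"C:\Program Files (x86)\Adobe\Reader 9.0"
EVENTS = [
    ("opened", ADOBE + r"\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"),
    ("created", SYNC_DIR + r"\UKRAINE.TXT"),
    ("created", SYNC_DIR + r"\main.dll"),
    ("opened", ADOBE + r"\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp"),
    ("created", SYNC_DIR + r"\brt04.hsp"),
    ("created", SYNC_DIR + r"\AdobePiStd.otf"),
    ("opened", ADOBE + r"\Reader\AdobeCollabSync.exe"),
    ("opened", r"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s"),
    ("created", SYNC_DIR + r"\ICELAND.TXT"),
    ("created", SYNC_DIR + r"\AdobeCollabSync.exe"),
    ("opened", r"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT"),
    ("opened", ADOBE + r"\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"),
    ("opened", ADOBE + r"\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"),
    ("created", SYNC_DIR + r"\QuickTime.mpp"),
    ("created", SYNC_DIR + r"\digest.s"),
    ("opened", ADOBE + r"\Resource\Font\AdobePiStd.otf"),
    ("opened", ADOBE + r"\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"),
    ("created", SYNC_DIR + r"\CGMIMP32.FLT"),
]


def find_staging_dirs(events, min_created=3, min_twin_ratio=0.5):
    """Return {directory: (decoy_basenames, unique_basenames)}.

    A directory qualifies when it received at least `min_created` files and at
    least `min_twin_ratio` of them share a (case-insensitive) basename with a
    file the process opened in a *different* directory.  Thresholds are
    assumptions chosen for this example.
    """
    opened = defaultdict(set)   # lower-cased basename -> directories it was opened in
    created = defaultdict(set)  # directory -> lower-cased basenames created there
    for action, path in events:
        directory, base = ntpath.split(path)
        base = base.lower()
        if action == "opened":
            opened[base].add(directory.lower())
        elif action == "created":
            created[directory].add(base)

    result = {}
    for directory, names in created.items():
        twins = {n for n in names if opened.get(n) and opened[n] != {directory.lower()}}
        if len(names) >= min_created and len(twins) / len(names) >= min_twin_ratio:
            result[directory] = (sorted(twins), sorted(names - twins))
    return result


if __name__ == "__main__":
    for directory, (decoys, unique) in find_staging_dirs(EVENTS).items():
        print(f"staging dir: {directory}")
        print(f"  {len(decoys)} files copied from elsewhere, no twin for: {unique}")
```

On the report's data the only qualifying directory is the Sync Framework one: eight of its nine created files are copies of files read from the Adobe tree, and main.dll is the one file with no source twin, which is exactly the file the ServiceDll value points at.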

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000 | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\system32\rundll32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
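
Added example, not part of the sandbox report: detection logic for the four behaviours the behavioral1 signatures above record, written against constructed events in a Sysmon-like shape (EventID 1 process create, 13 registry value set, 7 image load, 3 network connect). The field names follow Sysmon's; the event values are made up here to mirror the report. The rules are: rundll32 relaunching the same DLL from the other architecture directory, a ServiceDll value set to a path outside %SystemRoot%, svchost.exe loading a DLL from outside %SystemRoot%, and rundll32 connecting to a non-private, non-loopback address.

```python
"""Detection rules for the behavioral1 signatures, over Sysmon-shaped events.

Added example, not part of the sandbox report.  EVENTS is constructed to
mirror what the report shows; field names follow Sysmon's schema.
"""
import ipaddress
import ntpath
import re

SYSTEM_ROOT = r"C:\Windows"
SAMPLE_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
              r"\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1")
# Accept both Sysmon's HKLM\... form and the \REGISTRY\MACHINE\... form used in the report.
SERVICE_DLL_RE = re.compile(
    r"^(?:HKLM|\\REGISTRY\\MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)

EVENTS = [  # constructed, mirroring the behavioral1 run
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": SAMPLE_CMD,
     "ParentImage": r"C:\Windows\system32\rundll32.exe", "ParentCommandLine": SAMPLE_CMD},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\main\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k LocalService"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\main\Parameters\ServiceDll",
     "Details": r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\main.dll"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\main.dll"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll"},            # benign control
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "23.236.181.126", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 20209},        # loopback, not flagged
]


def _under_system_root(path):
    """True if a (possibly quoted, possibly %SystemRoot%-relative) path is under C:\\Windows."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):       # the two forms seen in legitimate values
        p = p.replace(var, SYSTEM_ROOT.lower())
    return p.startswith(SYSTEM_ROOT.lower() + "\\")


def _is_external(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast)


def rule_cross_arch_rundll32(ev):
    """rundll32 in system32/SysWOW64 relaunching itself from the other directory, same DLL."""
    if ev["EventID"] != 1:
        return None
    img, pimg = ev["Image"].lower(), ev["ParentImage"].lower()
    if not (img.endswith("\\rundll32.exe") and pimg.endswith("\\rundll32.exe")):
        return None
    if {ntpath.dirname(img), ntpath.dirname(pimg)} != {r"c:\windows\system32", r"c:\windows\syswow64"}:
        return None
    if ev["CommandLine"].lower() != ev["ParentCommandLine"].lower():   # identical in the report
        return None
    return "rundll32 relaunched the same DLL from the other architecture directory"


def rule_service_dll_outside_windows(ev):
    if ev["EventID"] != 13:
        return None
    m = SERVICE_DLL_RE.match(ev["TargetObject"])
    if not m or _under_system_root(ev["Details"]):
        return None
    return f"service {m.group(1)}: ServiceDll set to {ev['Details']} outside {SYSTEM_ROOT}"


def rule_svchost_loads_foreign_dll(ev):
    if ev["EventID"] != 7 or not ev["Image"].lower().endswith("\\svchost.exe"):
        return None
    if _under_system_root(ev["ImageLoaded"]):
        return None
    return f"svchost.exe loaded {ev['ImageLoaded']} from outside {SYSTEM_ROOT}"


def rule_rundll32_external_connect(ev):
    if ev["EventID"] != 3 or not ev["Image"].lower().endswith("\\rundll32.exe"):
        return None
    if not _is_external(ev["DestinationIp"]):
        return None
    return f"rundll32.exe connected to {ev['DestinationIp']}:{ev['DestinationPort']}"


RULES = [rule_cross_arch_rundll32, rule_service_dll_outside_windows,
         rule_svchost_loads_foreign_dll, rule_rundll32_external_connect]


def evaluate(events):
    """Return [(rule name, message)] for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in evaluate(EVENTS):
        print(f"[{name}] {msg}")
```

Two caveats when this is run against real telemetry: the report records the values under ControlSet001, whereas a live hunt should read CurrentControlSet, and legitimate ServiceDll values are normally written as %SystemRoot%\System32\...dll, which is why the helper expands that variable before comparing.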

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20209

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

Network

Country | Destination | Domain | Proto
N/A | 23.236.181.126:443 | 23.236.181.126 | tcp
N/A | 127.0.0.1:20209 | | tcp
N/A | 127.0.0.1:1312 | | tcp
N/A | 23.236.181.126:443 | | tcp
N/A | 127.0.0.1:20209 | | tcp

Port 20209 is the numeric argument passed to the rundll32.exe shell32.dll,#61 child listed under Processes; the only external destination in this run is 23.236.181.126:443, and the table does not attribute connections to a process.

Files

memory/1852-54-0x0000000000000000-mapping.dmp

memory/1852-55-0x0000000075521000-0x0000000075523000-memory.dmp

memory/1852-56-0x0000000002110000-0x0000000002381000-memory.dmp

memory/1852-57-0x0000000002110000-0x0000000002381000-memory.dmp

memory/1852-58-0x0000000002110000-0x0000000002381000-memory.dmp

memory/1852-59-0x0000000003260000-0x0000000003985000-memory.dmp

memory/1852-60-0x0000000003260000-0x0000000003985000-memory.dmp

memory/1852-62-0x0000000003260000-0x0000000003985000-memory.dmp

memory/1852-63-0x0000000003260000-0x0000000003985000-memory.dmp

memory/1852-64-0x0000000003990000-0x0000000003AD0000-memory.dmp

memory/1852-65-0x0000000003990000-0x0000000003AD0000-memory.dmp

memory/1852-66-0x0000000003990000-0x0000000003AD0000-memory.dmp

memory/1480-67-0x0000000000230000-0x0000000000449000-memory.dmp

memory/1852-69-0x0000000003990000-0x0000000003AD0000-memory.dmp

memory/1480-72-0x00000000FF423CEC-mapping.dmp

memory/1852-71-0x0000000003990000-0x0000000003AD0000-memory.dmp

memory/1852-70-0x0000000003990000-0x0000000003AD0000-memory.dmp

memory/1480-74-0x0000000002100000-0x0000000002240000-memory.dmp

memory/1480-73-0x0000000002100000-0x0000000002240000-memory.dmp

memory/1480-75-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

memory/1480-77-0x0000000001ED0000-0x00000000020FA000-memory.dmp

memory/1480-76-0x0000000000230000-0x0000000000449000-memory.dmp

memory/1852-78-0x0000000003260000-0x0000000003985000-memory.dmp

\??\c:\program files (x86)\microsoft sync framework\v1.0\main.dll

MD5 cfa4bbfed587aafe14ed013bfec53acc
SHA1 92515ac4d124fe70f86c9298941ebaa4fd2efedd
SHA256 6240ce38131d8e010628849e53f9e0088791005ee75b896ec59e3053cfca2475
SHA512 2419a18da3779743988660609b619cb7fe89586482226053f28f8c8cfc4eabb93116478d2e86436189c4572761bc38bf5294c5f03a063c8b27fd74c719e9e830

\Program Files (x86)\Microsoft Sync Framework\v1.0\main.dll

MD5 cfa4bbfed587aafe14ed013bfec53acc
SHA1 92515ac4d124fe70f86c9298941ebaa4fd2efedd
SHA256 6240ce38131d8e010628849e53f9e0088791005ee75b896ec59e3053cfca2475
SHA512 2419a18da3779743988660609b619cb7fe89586482226053f28f8c8cfc4eabb93116478d2e86436189c4572761bc38bf5294c5f03a063c8b27fd74c719e9e830

memory/1036-81-0x0000000002190000-0x0000000002401000-memory.dmp

memory/1036-83-0x0000000002190000-0x0000000002401000-memory.dmp

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

MD5 4fe2d16e65f0219e9c44bae797634fc3
SHA1 314484cc0db5527a4b127a39d0f09df307bc815d
SHA256 6fef448647b6ac57e2d1fbf230e1dd9f5aeb6775293b737d97366950ab446d09
SHA512 d80981a69fb0aa3758ea591004dcc4f5ca25fef551cef2e5b794ff8fa2cd24037fc99f7ca335cbcf7ce9eafe1a56190f252af8d4199e138739712369d3987cac

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MTOC_help.H1H

MD5 d08f5887bbd05d85fc0ddedb103fbbfa
SHA1 7c1948e47afb8ba8611280d130c340757bbc8bef
SHA256 859373e8a8ee2d5f81b8a375bda2eb622b4c9d27302615836ba493df6b86afab
SHA512 8cebf1d76454777e9557659493a233b183adf311df93632302db88aa0f92b89ceb465c0228039ea9227114154872926ac7cf2e510c5992f19dfa36b2a5707a5a

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Character Map.lnk

MD5 3fdf384789965b672fce2fd5d1fbe1d3
SHA1 f77691e9490c41d1bed43f516ed31afb5ad0ccc9
SHA256 235feb312f7b00d9cb04aec2e26cd2e65dccf3ad9e8f8c49e73326d7480477e0
SHA512 0e459af6b8c2dfc7e10b0b0d7c7eb7aa67eb7d0e9a7bbf80ea65bc9ab8f62b8b6f527ed15f81d373054575600b16ac78c19d1c46af44badaabf21de15b2d7d36

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db

MD5 0b497eb3695e9d4935fc1cde58f8dd01
SHA1 b5441bfc6fb21343e07fa5c4f46292e3a1014ecb
SHA256 79fdd0f3657d019594518df8e077daecb1861341039ab55d3775c8b8db729793
SHA512 2a20010c3dd74f29ea8b7fdd302d1b3abde020c93a585d38858c8e08e83a50724f6d62e6ff6e45914003f966923d23b0a55964824c685c879773d62548957d44

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\GRINTL32.DLL.trx_dll

MD5 c8c28478cdf173e8743f51a3435851cf
SHA1 aef15f0a21b3f3ed49614108d7c6b4514c185157
SHA256 aed69f76f184a4e287a136b4f5f4d2be1343b324c6f28a99f460593952164a6d
SHA512 57c11e345608b830e5f14e5cd5d1188b7883fafc089a6f93ffcfc121a4ab752fe94e0d6c97b5bf6e060009cdd8ed7e89fdfb75dc1cf05a8223b03a0bc73e4e6d

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\usertile38.bmp

MD5 4e5c3e1452d39fb8742ce676a5033456
SHA1 fe6df7a297d5697cbce86a110d53f604da85db94
SHA256 bad04b1a9e50673c4f79fef48d129e474be08b367291ad738f0988ac58631a7a
SHA512 3263f77fa90239f2a7f17afb1a9b88fe6df1e33ee247e95b5f6ba4a962eaf780b148dc0d911f1c7a8eb71dcf540405c494636a084ec8be794b86bb70c4bdcec9

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\usertile16.bmp

MD5 d342c2b5f3d16dc992db22cb737ad617
SHA1 615a98744fb22809454b706174597a4d6b6d128b
SHA256 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486
SHA512 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

memory/1036-91-0x0000000002730000-0x0000000002E55000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-12-20 14:30
Reported: 2022-12-20 14:33
Platform: win10v2004-20220901-en
Max time kernel: 116s
Max time network: 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Sets DLL path for service in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\64BitMAPIBroker\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\64BitMAPIBroker.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\64BitMAPIBroker\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | C:\Windows\SysWOW64\rundll32.exe | N/A

Same mechanism as in behavioral1, with a different service name and staging directory: the service is called 64BitMAPIBroker (the name of a genuine Adobe Reader broker executable the sample also copies, see below), it is hosted by svchost.exe, and its ServiceDll is the dropped DLL under C:\Program Files (x86)\MSBuild\Microsoft. Both the name and the directory vary between runs, so hunt on the ServiceDll-outside-%SystemRoot% condition rather than on these strings.

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5080 set thread context of 4160 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\64BitMAPIBroker.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\drvDX9.x3d | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\AppCenter_R.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\64BitMAPIBroker.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\main-cef-win8.css | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\duplicate.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\EPDF_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\ScCore.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 960 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 960 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 960 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 4160 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 5080 wrote to memory of 4160 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 5080 wrote to memory of 4160 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20229

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\64bitmapibroker.dll",PyQbeTJXNWs=

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
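
Added example, not from the sandbox report: a small parser for the rundll32 and schtasks command lines in the list above, with the two checks a triage analyst would run over process-creation telemetry. The first flags rundll32 loading a DLL from outside %SystemRoot% or calling an export whose name is neither an ordinal (#61) nor a C identifier (compare the PyQbeTJXNWs= export above). The second flags a schtasks /End followed within a few seconds by /Run of the same task from the same parent. The command lines are the report's; the timestamps, and every PID except 960, 5080 and 4160 from the WriteProcessMemory signature, are constructed for the example.

```python
"""Command-line triage for the behavioral2 process list.

Added example, not from the sandbox report.  Parses rundll32 and schtasks
command lines and applies two checks: rundll32 with a DLL outside
%SystemRoot% or an export name that is neither an ordinal nor a C
identifier, and schtasks /End followed shortly by /Run of the same task
from the same parent process.
"""
import ntpath
import re

SYSTEM_ROOT = r"C:\Windows"
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll")
# rundll32 arguments: <dll>,<export> [args]; the DLL path may be double-quoted.
RUNDLL_RE = re.compile(r'^(?:"([^"]+)"|([^\s,]+)),(\S+)(?:\s+(.*))?$')
EXPORT_RE = re.compile(r"^(?:#\d+|[A-Za-z_]\w*)$")   # ordinal or C identifier
SCHTASKS_RE = re.compile(r"/(end|run)\s+/tn\s+(\S+)", re.I)

# Constructed records: (timestamp s, pid, ppid, command line).  Command lines are the
# ones in the report; 960/5080/4160 come from the WriteProcessMemory signature, all
# other PIDs, parents and timestamps are made up for the example.
PROCESSES = [
    (0.0, 960, 1, f"rundll32.exe {SAMPLE_DLL},#1"),
    (0.1, 5080, 960, f"rundll32.exe {SAMPLE_DLL},#1"),
    (1.0, 4160, 5080, r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20229'),
    (1.5, 3000, 700, r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (2.0, 3100, 700, r"C:\Windows\SysWOW64\svchost.exe -k LocalService"),
    (2.5, 3200, 3100, r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\64bitmapibroker.dll",PyQbeTJXNWs='),
    (3.0, 3300, 3200, r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    (3.2, 3400, 3200, r"schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask"),
]


def split_first_token(cmd):
    """Split a Windows command line into (program, rest), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def parse_rundll32(cmd):
    """Return (dll, export, args) for a rundll32 command line, else None."""
    exe, rest = split_first_token(cmd)
    if ntpath.basename(exe).lower() not in ("rundll32", "rundll32.exe"):
        return None
    m = RUNDLL_RE.match(rest)
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3), (m.group(4) or "")


def parse_schtasks(cmd):
    """Return (verb, task) for a schtasks /End or /Run command line, else None."""
    exe, rest = split_first_token(cmd)
    if ntpath.basename(exe).lower() not in ("schtasks", "schtasks.exe"):
        return None
    m = SCHTASKS_RE.search(rest)
    return (m.group(1).lower(), m.group(2)) if m else None


def triage(processes, window=5.0):
    """Return [(pid, reason)] for the two checks; `window` (seconds) is an assumption."""
    findings = []
    ended = {}   # (ppid, task) -> timestamp of the most recent /End
    for ts, pid, ppid, cmd in sorted(processes):
        parsed = parse_rundll32(cmd)
        if parsed:
            dll, export, _ = parsed
            if not dll.lower().startswith(SYSTEM_ROOT.lower() + "\\"):
                findings.append((pid, f"rundll32 loads DLL outside {SYSTEM_ROOT}: {dll}"))
            if not EXPORT_RE.match(export):
                findings.append((pid, f"rundll32 export is not an ordinal or identifier: {export}"))
        task_op = parse_schtasks(cmd)
        if task_op:
            verb, task = task_op
            key = (ppid, task.lower())
            if verb == "end":
                ended[key] = ts
            elif verb == "run" and key in ended and ts - ended[key] <= window:
                findings.append((pid, f"schtasks /Run of {task} {ts - ended[key]:.1f}s "
                                      f"after /End from the same parent {ppid}"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(PROCESSES):
        print(f"pid {pid}: {reason}")
```

The two hits on the Temp-directory DLL are the sandbox's own launch of the sample and would be expected in any detonation; on a real host the same path check still fires for DLLs under user-writable directories, which is noisy but worth keeping. The shell32.dll,#61 and SHCreateLocalServerRunDll lines are not flagged, since both load shell32.dll from System32 with a well-formed export.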

Network

Country | Destination | Domain | Proto
N/A | 23.236.181.126:443 | 23.236.181.126 | tcp
N/A | 127.0.0.1:20229 | | tcp
N/A | 127.0.0.1:1312 | | tcp
N/A | 20.189.173.12:443 | | tcp
N/A | 23.236.181.126:443 | | tcp
N/A | 65.165.22.102:443 | | tcp
N/A | 127.0.0.1:20229 | | tcp
N/A | 224.0.0.251:5353 | | udp

As in behavioral1, port 20229 is the numeric argument passed to the rundll32.exe shell32.dll,#61 child listed under Processes, and 23.236.181.126:443 is contacted in both runs. The remaining destinations (20.189.173.12:443, 65.165.22.102:443 and mDNS multicast on 224.0.0.251:5353) are not attributed to a process anywhere in the report, so they should not be treated as confirmed sample traffic without that association.

Files

memory/5080-132-0x0000000000000000-mapping.dmp

memory/5080-133-0x0000000002410000-0x0000000002681000-memory.dmp

memory/5080-134-0x0000000002410000-0x0000000002681000-memory.dmp

memory/5080-135-0x0000000002410000-0x0000000002681000-memory.dmp

memory/5080-136-0x0000000003500000-0x0000000003C25000-memory.dmp

memory/5080-137-0x0000000003500000-0x0000000003C25000-memory.dmp

memory/5080-138-0x0000000003500000-0x0000000003C25000-memory.dmp

memory/5080-140-0x0000000003CF0000-0x0000000003E30000-memory.dmp

memory/5080-139-0x0000000003CF0000-0x0000000003E30000-memory.dmp

memory/5080-141-0x0000000003CF0000-0x0000000003E30000-memory.dmp

memory/5080-143-0x0000000003CF0000-0x0000000003E30000-memory.dmp

memory/5080-142-0x0000000003CF0000-0x0000000003E30000-memory.dmp

memory/5080-144-0x0000000003CF0000-0x0000000003E30000-memory.dmp

memory/4160-146-0x000002DA7AA20000-0x000002DA7AB60000-memory.dmp

memory/4160-147-0x000002DA7AA20000-0x000002DA7AB60000-memory.dmp

memory/4160-145-0x00007FF70AF46890-mapping.dmp

memory/4160-148-0x0000000000D00000-0x0000000000F19000-memory.dmp

memory/4160-149-0x000002DA79050000-0x000002DA7927A000-memory.dmp

memory/5080-150-0x0000000003500000-0x0000000003C25000-memory.dmp

\??\c:\program files (x86)\msbuild\microsoft\64bitmapibroker.dll

MD5 7ffb83c8928acd22a1438b000875f303
SHA1 efc88722e356776628004f5d31ab60bf13f761fa
SHA256 19f8c12bda4c14fd92b6344769acb00649abde2643d974d3f974195acbd54eb2
SHA512 413054d65095e35ddf537e4e9ee6c7498356414d624b9bae5997156602fa3d7990615c141e3ef653cd1251b9b44bdee4f0acff4b51073ea4653e53aa6d95e742

C:\Program Files (x86)\MSBuild\Microsoft\64BitMAPIBroker.dll

MD5 7ffb83c8928acd22a1438b000875f303
SHA1 efc88722e356776628004f5d31ab60bf13f761fa
SHA256 19f8c12bda4c14fd92b6344769acb00649abde2643d974d3f974195acbd54eb2
SHA512 413054d65095e35ddf537e4e9ee6c7498356414d624b9bae5997156602fa3d7990615c141e3ef653cd1251b9b44bdee4f0acff4b51073ea4653e53aa6d95e742

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

MD5 eb30d9fd8ce1e776d7247c252edafe5b
SHA1 5ae2b4d53c89287dbbf3850089241683b170b277
SHA256 268c2ebc133d6d755b83bf2809ea49ef6b01c208d01954a0e8a5f1d6bcaee93f
SHA512 0135c840f2f74b2dd4f0b6f1c679b54363598f92e1dd5c6b19307b7a0e0fcd8a20867b9fd686c3974ab8400e5ac75d258c8e1f2b3a798058f690fb73d937b595

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe.xml

MD5 b290178a94a0bd93830d5714c11f9681
SHA1 9dd5d3337117568b6423a32dff9baf14fb11e73c
SHA256 5876d6a887dd7db15a3bea28e71c0aa044023eafb1eed8ca9356035f5943249c
SHA512 ef5af5bc01510ea6e865e11a94bcf67966a01930fcdd9ab10bcb854a06976f59c909bd10e9ff3ef0aea53bad9a4af510401c05ada4c017e45ff512a127dea9fb

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SmsInterceptStore.db

MD5 5fa49c1c863990caa01994342272b2c9
SHA1 c52d1577b2907b462141e4ce74dc8563e52f00c8
SHA256 bd19746ccaba594171cffbd9c31e144d1c29746fbfe484f787aaed83e5723b93
SHA512 3e1b1ec930ede363e2517fa33cf892295f2836af9843ac0216295624720fccbef643728b1998ce314d63e5409c4df95832933baca9d0b048ed8979c4fc4e20d7

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

MD5 1a3168a15983b890b16390a23a89a02e
SHA1 d56ce16d88d79159a27c2d1cd3770dc56d897ebe
SHA256 334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946
SHA512 f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\edb.jcp

MD5 47f72135861cdde114ff79287e6006b6
SHA1 22b81b4310df90e5e32f1016bb574f49d21da132
SHA256 5c181fcf614064eb54823e6e4c43eee7412e6bd3d7901b4f816c39be45dcd12e
SHA512 d900e3d9e9f0cfdc47a5ba534642938e96d666f1f5cbb93ec20e3f7a2ec96780fc919566bc61501d2c665212b7118d264342d124e6665e98b09ddccc733983e1

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\edb00002.log

MD5 ec3d0a4df5f4aa1e3ee117d0357f73bc
SHA1 054cbdffe6d2f7d26acb41f95c7e56d90f9b2ad3
SHA256 fccf5697101241b32bcf5fc3ef0469ce8eefc1a91518640d973f2cc859fb7589
SHA512 cc1060099a17ae7b6bdbbb58a207d081020eb0b5fc0be537e42ee55bd4921b4039a50014af46fbca8374cb0d1cf6a0fc1e892d82947d76a79e84038287802580

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe.xml

MD5 cff245d69fe04eec05ce3601d77467b6
SHA1 d09b1d953eea98ef0b0fcec5936fc806940f7717
SHA256 40d6a0b80770bf41ddc0a3b3607ac53eb82d0f90675e5a595a18cd3f8bdf3d94
SHA512 4615affbbc7163076cbc82a8e65cd5d168d1411a028b47bddd0ec5219e08037304de1d14ae1fa659909760150edf5401e698c9f6252674eb4e84dec341aa3666

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

MD5 cc78ff3a9bbf1967185797f3eac2090a
SHA1 80204fdfac8110dddc7e5c59ada69feef33a0614
SHA256 7afbc0905a69b223e8098f1a9b34fcf454ba79535873933df9c12dc8660174c3
SHA512 5ecf695a9be7c5521d1429fe696cb7d1d4d361b43f819b77e76828d5314e444ad61bd3c66f1cd7b7fea9c6138808a1194bc556cd5195658132121444d5a3636d

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\utc.app.json.bk

MD5 f98f89ae9f3b3417b2b0f05bb4c870c7
SHA1 7004300e9f11fef74473f99ade3ed71d8c34dd22
SHA256 2a31397b5d41194cbe8cb86b19cf7ea4d82e5a43bdabe68d4cda297592701a22
SHA512 9532f2b1037734bfd9857e5939d0699071fd645486eb2de6a550b72e60df7fe79664ff1f091a3e8ee39ac913aae044f1526365580e0805dda038137ef5ea7899
