danabot | ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe
Size

3.6MB
MD5

2d5452372ed89a637202f5c4311d6b83
SHA1

70f812ddb79efec13fb89c30d29ac9abbc17d623
SHA256

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549
SHA512

4ad38958af05f101fa07c90a78857af24f641e299315d039596af0c4669095ba68838b0f5a2ba78bf070e143ada84b2a82e25ba004791ee696d9491470bbaba7
SSDEEP

49152:zjvWrU4VyUHA3iRYoySMbSsigAh14tKS2lw4I0LGAEJxQGV3O:3wU4VyUHpRYoESsigAlyG

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
7525E61580576E908856FBD4614C2F5E
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

9 2504 rundll32.exe
90 2504 rundll32.exe
91 2504 rundll32.exe

flow	pid	process
9	2504	rundll32.exe
90	2504	rundll32.exe
91	2504	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\Combine_R_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2504 rundll32.exe
2504 rundll32.exe
1428 svchost.exe
1428 svchost.exe
3488 rundll32.exe
3488 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2504	rundll32.exe
2504	rundll32.exe
1428	svchost.exe
1428	svchost.exe
3488	rundll32.exe
3488	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2504 set thread context of 5112 2504 rundll32.exe rundll32.exe

description	pid	process	target process
PID 2504 set thread context of 5112	2504	rundll32.exe	rundll32.exe

Drops file in Program Files directory 42 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\snapshot_blob.bin	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Checkers.api	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Acrofx32.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\license.html	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\RTC.der	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\remove.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\organize.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\EPDF_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\index.html	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Eula.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3912 4900 WerFault.exe ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

pid	pid_target	process	target process
3912	4900	WerFault.exe	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\464BE6F8F2B54B6CFC524B5AD00C5323B1D021D9	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\464BE6F8F2B54B6CFC524B5AD00C5323B1D021D9\Blob = 030000000100000014000000464be6f8f2b54b6cfc524b5ad00c5323b1d021d92000000001000000b0020000308202ac30820215a003020102020878b3cbd96a613e4d300d06092a864886f70d01010b050030733132303006035504030c294d6963726f736f667420526f6f7420436572746968696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3230313232303135333330345a170d3234313231393135333330345a30733132303006035504030c294d6963726f736f667420526f6f7420436572746968696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100c03c76ccc762becc71e060c2913b5e12e24c8d1a701ec79953814bb20ff4435321f9cd8bb91dcaed47f27bdd59eae4140a405475049c89d8afd2be9a0f72385ee17bb765dafc5464ae8aded25dcadad84ec735428f2085b56f4aa0a111b287c5d3284078392afb0deb5a6894e26a8428bfc5443cc1c44793b84e869e000d30090203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f667420526f6f7420436572746968696361746520417574686f726974792032303131300d06092a864886f70d01010b05000381810054bce66504841440c60d08dbf593da5f5a0850897d19b709093892dcf413b483235f5d1735c8bed36e5374fe0a8ff375d10ca4a53d5d485462e5a320eee3c0443e4e3dc9b212e70b373d8faec6ec76337538354e64861c4338ef4a141e7a4c8767fff3936b895095cde27591a6dd69269b628e13eb8316d4941d92906ecdbc8b	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

svchost.exerundll32.exe

pid	process
1428	svchost.exe
1428	svchost.exe
2504	rundll32.exe
2504	rundll32.exe
2504	rundll32.exe
2504	rundll32.exe
2504	rundll32.exe
2504	rundll32.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
2504	rundll32.exe
2504	rundll32.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2504 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

5112 rundll32.exe
2504 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2504	rundll32.exe

pid	process
5112	rundll32.exe
2504	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4900 wrote to memory of 2504	4900	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 4900 wrote to memory of 2504	4900	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 4900 wrote to memory of 2504	4900	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 2504 wrote to memory of 5112	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 5112	2504	rundll32.exe	rundll32.exe
PID 2504 wrote to memory of 5112	2504	rundll32.exe	rundll32.exe
PID 1428 wrote to memory of 3488	1428	svchost.exe	rundll32.exe
PID 1428 wrote to memory of 3488	1428	svchost.exe	rundll32.exe
PID 1428 wrote to memory of 3488	1428	svchost.exe	rundll32.exe
PID 2504 wrote to memory of 3028	2504	rundll32.exe	schtasks.exe
PID 2504 wrote to memory of 3028	2504	rundll32.exe	schtasks.exe
PID 2504 wrote to memory of 3028	2504	rundll32.exe	schtasks.exe
PID 2504 wrote to memory of 4712	2504	rundll32.exe	schtasks.exe
PID 2504 wrote to memory of 4712	2504	rundll32.exe	schtasks.exe
PID 2504 wrote to memory of 4712	2504	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe
"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2504

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20223
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5112

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 472
2⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4900 -ip 4900
1⤵
PID:4796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\combine_r_rhp..dll",VANRUDI=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll

Filesize
2.4MB

MD5
bb65ba561504883298f8f046ab1f3fd2

SHA1
7ebdba39f6717b3165d79d7c5fe825c69543a217

SHA256
74f6386468cda2f6773c2b1d0eaa23beca3fa4c7327759cb5058b68ca2df9792

SHA512
c12b99e0fa105c83a1b15fc042e70d35002b5a34ce742eeb55fd566977913cd84d968da0e7684c7e58ab8978a3d4a19debf6f948409438e9b08cf9491d033866

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll

Filesize
2.4MB

MD5
bb65ba561504883298f8f046ab1f3fd2

SHA1
7ebdba39f6717b3165d79d7c5fe825c69543a217

SHA256
74f6386468cda2f6773c2b1d0eaa23beca3fa4c7327759cb5058b68ca2df9792

SHA512
c12b99e0fa105c83a1b15fc042e70d35002b5a34ce742eeb55fd566977913cd84d968da0e7684c7e58ab8978a3d4a19debf6f948409438e9b08cf9491d033866

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll

Filesize
2.4MB

MD5
bb65ba561504883298f8f046ab1f3fd2

SHA1
7ebdba39f6717b3165d79d7c5fe825c69543a217

SHA256
74f6386468cda2f6773c2b1d0eaa23beca3fa4c7327759cb5058b68ca2df9792

SHA512
c12b99e0fa105c83a1b15fc042e70d35002b5a34ce742eeb55fd566977913cd84d968da0e7684c7e58ab8978a3d4a19debf6f948409438e9b08cf9491d033866

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll

Filesize
2.4MB

MD5
bb65ba561504883298f8f046ab1f3fd2

SHA1
7ebdba39f6717b3165d79d7c5fe825c69543a217

SHA256
74f6386468cda2f6773c2b1d0eaa23beca3fa4c7327759cb5058b68ca2df9792

SHA512
c12b99e0fa105c83a1b15fc042e70d35002b5a34ce742eeb55fd566977913cd84d968da0e7684c7e58ab8978a3d4a19debf6f948409438e9b08cf9491d033866

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\CiST0000.001

Filesize
64KB

MD5
2a1801484fed207d6469068f57a62214

SHA1
c12999e2fa101c6b6bb3a5f0e66f4e0c5b938d4e

SHA256
30c7988571781563e5e697f564b616750e354bcd69e9bf7a39e3854e4b7bec28

SHA512
a7e12254278e83710077d5cb3b8162cd74c4211147a6823afa8aa3c67cc3041e066b34e63bcf0cae9087177543c52871e67bac373db1b8ab3d5058ba9f3f41b4

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\CiST0000.002

Filesize
64KB

MD5
2a1801484fed207d6469068f57a62214

SHA1
c12999e2fa101c6b6bb3a5f0e66f4e0c5b938d4e

SHA256
30c7988571781563e5e697f564b616750e354bcd69e9bf7a39e3854e4b7bec28

SHA512
a7e12254278e83710077d5cb3b8162cd74c4211147a6823afa8aa3c67cc3041e066b34e63bcf0cae9087177543c52871e67bac373db1b8ab3d5058ba9f3f41b4

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

Filesize
2.3MB

MD5
45af97fa42bd933c57342a0efcc56fa8

SHA1
55b8fba0a9de2dfa54ea2a79435906cbb6f077bd

SHA256
f98d2b04a97c4e111f9928df2a7dab31ba3cbbeb493ad1f6503c93eb74209d6b

SHA512
8bda6ff82a7d6117052ddd8e4964d8fd7833bd5d53f39179839e5f63799a5e144efde32b15e395b260666c0f984f802b24fd43c3136700bfe9e05be4713bccde

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

Filesize
2.3MB

MD5
45af97fa42bd933c57342a0efcc56fa8

SHA1
55b8fba0a9de2dfa54ea2a79435906cbb6f077bd

SHA256
f98d2b04a97c4e111f9928df2a7dab31ba3cbbeb493ad1f6503c93eb74209d6b

SHA512
8bda6ff82a7d6117052ddd8e4964d8fd7833bd5d53f39179839e5f63799a5e144efde32b15e395b260666c0f984f802b24fd43c3136700bfe9e05be4713bccde

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_8_12_19_6_54.etl

Filesize
256KB

MD5
b5c3f386ba6bf489748767a83ba66310

SHA1
28f9ff04c8a1b35baf3eb1933090f572b12a48fc

SHA256
2fb189580fa637d418545ef5e45f4b84a4fb2f34c8d00e11b0b35524a543bdd4

SHA512
a362c83287399e9c3371ce708be38f83109f0850443a01401941d3cab01e2df71021eca2d0f437b392dc2ac8a582fc9562fa3aacf1027fc332f61876bc0fbe8d

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftOffice2016BackupWin64.xml

Filesize
12KB

MD5
2d995c7aa8d041ffa18821c898bc2cb7

SHA1
f16ef806d79bffeec76f27102bd8e1273a0f3747

SHA256
614e99dbea133397b0b4ee8a222df8502f8f782fbcdd44651793c1c894281948

SHA512
81dcbfa24e216bf2a06379ca7d830bd6e16b58c16cd595704903a636f770eb70ca2146ec682559b48e9ff2518cbf3e1ed693050938a9a2b2e478eba6b86959e6

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftOutlook2013CAWin64.xml

Filesize
1KB

MD5
880227fa1e5c41f3a7ea11e13f156de7

SHA1
042b7a68c2b3c588522edd750209bb4576638991

SHA256
c7f9df2f4c59a9f856761c82d28874f752cad8bdca8102bff4ff41c514f0b9fc

SHA512
caa06d82bb2e828e4e08fcca96c4b789b31611864b827ae9468e9dfbadbe10a48ae366d3d96bf92567f41d0c6792986363a0dfa6564332296fe1c111ffef4f30

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SmsInterceptStore.db

Filesize
192KB

MD5
b85cff0869b27cb9b319c8695ff13ecb

SHA1
20acc437243a95409d7048c3f50cd6605a460c17

SHA256
c645e9de8051cd91b6fd1829a3ff3b39a9b73fcd7da6ec56c4ef0feb7ca6a440

SHA512
1cded0944a62c0e58a5284aaeb4363bfcecdf83f231604e7e15871e195dde506eba8c91f3d01723eb2fd46cb530ef99e7184da44e3a8038d3328b05b02c31e0e

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SmsInterceptStore.jfm

Filesize
16KB

MD5
42503cb1e39818ef9265e178f1c15cb6

SHA1
3a7ae377387bbff92f8f66cf5608a581ae0d7a84

SHA256
7cb882655d38dc1eba3f35810fa95138decf03fc90a828f17994d6bc76acb0d2

SHA512
a39900fdf1f5012992824a470c26d9e0c61e34cca1987d06ee9802d1c81aef4197a9bfe941cd50a3954b485239db906f771953fc0795919f80f7bfdc88aba294

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SystemIndex.1.gthr

Filesize
12KB

MD5
bd3b9cbb0a1784dab0766f8e32697994

SHA1
69800df48894e8feb5e259b86bb0f07f438f6a36

SHA256
514d7c3812fc63a88c447660b03ab84780d902859bb5a57c18c72551ddaa0348

SHA512
3439dd2a4b6b293f51f376d40caf447a285ec147eb4761d5898d5b3b6301b25f5ea5aeaa14d4932010c2ac45854ef7483b8cf3f6fba9ff5ce4374cee29bf6ac5

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml

Filesize
1KB

MD5
0e190f6bbc7898c31d4eae77c6abebfe

SHA1
fb6673c8116b650f0536d56be09eb188d7bdc930

SHA256
f7f461d92f4a45d1232e7e5ad76cffbbb7b83abd69df864387c757051494d118

SHA512
faaf0699ddb7e4e152afaf54bed0794c9e816cb762454c277f5d52acf88a44535cc3a44797c73393fc50db8afe2566bcaf9a4f93d945c6b0b3d8458d16ae5312

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\stream.x64.x-none.hash

Filesize
128B

MD5
2b4d6d3b95916f9810449019372fbbde

SHA1
2c9f59c51fc6b290f758aed25a899dba37459fc6

SHA256
cea19b915390806a9677165794194c66b19e3198a342d51e5a880e7b55768ac7

SHA512
5cbb012b89989d53a7814dcb9f0391a761ebea6a7c9d1dcaae0efb476e61b30ce678387c4ff6fcebea0643f96d2f3bf126cff9511a75c1780ec89b51ba79c8db

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\tasks.xml

Filesize
11KB

MD5
6ab160b8998020e6d4373c003e9879d4

SHA1
efa87d3fb95a73a892ed88b08651c44fe03c150f

SHA256
faf021b3c06abc41a9fb8e021171fd0ea41684b732a8e77433e447af8e527516

SHA512
c923c48b0b5c741777666ca161864879defd50c299ae76d9f093ffb846d144600c99d281d879f9328509061f3ae6784a706f15248e0fed7bfd7a595b389aae1b

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

Filesize
121B

MD5
289935a24fcaf93d1d41b4842414bdb0

SHA1
5e83951c0aeaefa25b0f918e9b3ceddb7d23d949

SHA256
12493caa467a364b7cc88d930fb41372ae8960605b12547f0283577b1564c58c

SHA512
e8dfa0c926def3a80aef8ace3edd8da408cf3e286a3bd5769db29c0d99be7febf166131b750898f48aa6932de6b4b8598f076b90aa9666696de9d7cc29063aa8

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
121B

MD5
656d587b76da4f43efb839ef9a83026e

SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c

SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d

SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\user-48.png

Filesize
617B

MD5
e738274439f0bcf555425a00af9a2f75

SHA1
cf0d5425bda34e865bc73601ac299d425d9064ef

SHA256
191e237f5a862cdbafa4562bebf080680a051d2c07b4f256c9b856f10d63d010

SHA512
2c2c1ccb38d14150dcb89249c3a2ee995e9467fb99ea20cc4819c4a683b50be0753b04264048084ae2611399b56736ca50d7a94dd98bd3dd055f430471188c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
db2c90b448fb54d7e74dee29f58d0a64

SHA1
79977831931ad48aa32d80298b754a26bbd4a9d3

SHA256
59a59284c8115307a3931ccec90c78faf5cfd96794c4b4f7d702b8a7ee4d83b4

SHA512
514c880223c801ca6fe338b99ee5b5256e359686376d698e6a6ff5afc62f6908da285541cb432c817195fd01134e86a1ce6adc337708dd2087eebb56f59ddbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
db2c90b448fb54d7e74dee29f58d0a64

SHA1
79977831931ad48aa32d80298b754a26bbd4a9d3

SHA256
59a59284c8115307a3931ccec90c78faf5cfd96794c4b4f7d702b8a7ee4d83b4

SHA512
514c880223c801ca6fe338b99ee5b5256e359686376d698e6a6ff5afc62f6908da285541cb432c817195fd01134e86a1ce6adc337708dd2087eebb56f59ddbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
db2c90b448fb54d7e74dee29f58d0a64

SHA1
79977831931ad48aa32d80298b754a26bbd4a9d3

SHA256
59a59284c8115307a3931ccec90c78faf5cfd96794c4b4f7d702b8a7ee4d83b4

SHA512
514c880223c801ca6fe338b99ee5b5256e359686376d698e6a6ff5afc62f6908da285541cb432c817195fd01134e86a1ce6adc337708dd2087eebb56f59ddbfd

Download Submit
\??\c:\program files (x86)\msbuild\microsoft\combine_r_rhp..dll

Filesize
2.4MB

MD5
bb65ba561504883298f8f046ab1f3fd2

SHA1
7ebdba39f6717b3165d79d7c5fe825c69543a217

SHA256
74f6386468cda2f6773c2b1d0eaa23beca3fa4c7327759cb5058b68ca2df9792

SHA512
c12b99e0fa105c83a1b15fc042e70d35002b5a34ce742eeb55fd566977913cd84d968da0e7684c7e58ab8978a3d4a19debf6f948409438e9b08cf9491d033866

Download Submit
memory/1428-195-0x0000000001E60000-0x0000000002585000-memory.dmp

Filesize
7.1MB

Download
memory/1428-194-0x0000000001500000-0x0000000001771000-memory.dmp

Filesize
2.4MB

Download
memory/1428-158-0x0000000001500000-0x0000000001771000-memory.dmp

Filesize
2.4MB

Download
memory/1428-177-0x0000000001E60000-0x0000000002585000-memory.dmp

Filesize
7.1MB

Download
memory/1428-159-0x0000000001500000-0x0000000001771000-memory.dmp

Filesize
2.4MB

Download
memory/1428-174-0x0000000001E60000-0x0000000002585000-memory.dmp

Filesize
7.1MB

Download
memory/1428-173-0x0000000001E60000-0x0000000002585000-memory.dmp

Filesize
7.1MB

Download
memory/2504-137-0x00000000024C0000-0x0000000002731000-memory.dmp

Filesize
2.4MB

Download
memory/2504-138-0x00000000024C0000-0x0000000002731000-memory.dmp

Filesize
2.4MB

Download
memory/2504-143-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/2504-142-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/2504-141-0x00000000034A0000-0x0000000003BC5000-memory.dmp

Filesize
7.1MB

Download
memory/2504-140-0x00000000034A0000-0x0000000003BC5000-memory.dmp

Filesize
7.1MB

Download
memory/2504-139-0x00000000034A0000-0x0000000003BC5000-memory.dmp

Filesize
7.1MB

Download
memory/2504-136-0x00000000024C0000-0x0000000002731000-memory.dmp

Filesize
2.4MB

Download
memory/2504-151-0x0000000003D49000-0x0000000003D4B000-memory.dmp

Filesize
8KB

Download
memory/2504-145-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/2504-146-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/2504-147-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/2504-144-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/2504-154-0x00000000034A0000-0x0000000003BC5000-memory.dmp

Filesize
7.1MB

Download
memory/2504-132-0x0000000000000000-mapping.dmp

Download
memory/3028-192-0x0000000000000000-mapping.dmp

Download
memory/3488-178-0x0000000000000000-mapping.dmp

Download
memory/3488-181-0x0000000002B80000-0x0000000002DF1000-memory.dmp

Filesize
2.4MB

Download
memory/3488-183-0x0000000002B80000-0x0000000002DF1000-memory.dmp

Filesize
2.4MB

Download
memory/3488-184-0x0000000003640000-0x0000000003D65000-memory.dmp

Filesize
7.1MB

Download
memory/3488-185-0x0000000003640000-0x0000000003D65000-memory.dmp

Filesize
7.1MB

Download
memory/3488-190-0x0000000002B80000-0x0000000002DF1000-memory.dmp

Filesize
2.4MB

Download
memory/3488-191-0x0000000003640000-0x0000000003D65000-memory.dmp

Filesize
7.1MB

Download
memory/4712-193-0x0000000000000000-mapping.dmp

Download
memory/5112-150-0x000001D5356E0000-0x000001D535820000-memory.dmp

Filesize
1.2MB

Download
memory/5112-149-0x000001D5356E0000-0x000001D535820000-memory.dmp

Filesize
1.2MB

Download
memory/5112-148-0x00007FF6A0756890-mapping.dmp

Download
memory/5112-153-0x000001D533D10000-0x000001D533F3A000-memory.dmp

Filesize
2.2MB

Download
memory/5112-152-0x00000000009C0000-0x0000000000BD9000-memory.dmp

Filesize
2.1MB

Download