danabot | eb7289b966dadc5ea1f99ca35cde7fc4f2380426f632a2bedb98e26fea9d44f4

Analysis

max time kernel
149s
max time network
136s
resource
win7v191014
submitted
03-02-2020 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AXO23516563548321.vbs
Size

4.6MB
MD5

9c2592eb51ea3339ee113d151b623d55
SHA1

da4af1db47dfe8b257ac53f754975598bc8b1a1c
SHA256

eb7289b966dadc5ea1f99ca35cde7fc4f2380426f632a2bedb98e26fea9d44f4
SHA512

b5d3367429f1cd538b59dbeb75ed3b49f43f8a4419d6ffcd34ffb6541e2163e6470bba084e0ba8ed8c07df52a717a28125e29603c9ad168b7d91bca9fd0aca57

Score

10^/10

danabot banker botnet discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

199.247.16.30

64.188.22.153

64.188.23.155

64.188.22.33

64.188.22.154

64.188.22.122

64.188.22.155

64.188.22.156

64.188.23.31

209.250.243.55

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 13 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot
\ProgramData\BF8C7CA9\71578D58.dll	family_danabot

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 1100 regsvr32.exe
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 748 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

412 winlogon.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1100	regsvr32.exe

flow	pid	process
7	748	rundll32.exe

pid	process
412	winlogon.exe

Loads dropped DLL 31 IoCs

Processes:

regsvr32.exerundll32.exerundll32.exerundll32.exerundll32.exeRUNDLL32.EXEsvchost.exerundll32.exeRUNDLL32.EXErundll32.exe

pid	process
1620	regsvr32.exe
748	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
1828	rundll32.exe
1828	rundll32.exe
1828	rundll32.exe
1828	rundll32.exe
112	rundll32.exe
112	rundll32.exe
112	rundll32.exe
112	rundll32.exe
1408	RUNDLL32.EXE
1408	RUNDLL32.EXE
1408	RUNDLL32.EXE
1408	RUNDLL32.EXE
464	svchost.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1576	RUNDLL32.EXE
1576	RUNDLL32.EXE
1576	RUNDLL32.EXE
1576	RUNDLL32.EXE
2012	rundll32.exe
2012	rundll32.exe
2012	rundll32.exe
2012	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXErundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

RUNDLL32.EXErundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	RUNDLL32.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	RUNDLL32.EXE
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE

Modifies registry class 8 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6BADC80AF67C46BD4385A36CBAEF603623F09471	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6BADC80AF67C46BD4385A36CBAEF603623F09471\Blob = 0300000001000000140000006badc80af67c46bd4385a36cbaef603623f0947102000000010000003c0000001c00000000000000010000002000000000000000000000000100000074006800610077007400650020003600460020002d002000340031000000000020000000010000000703000030820303308201eba003020102021029d24696ee68c2b243f6fc2cd9dc0678300d06092a864886f70d01010505003033311730150603550403130e746861777465203646202d203431310b3009060355040a13024e54310b3009060355040b1302454e301e170d3230303230333132333331345a170d3235303230333132333331345a3033311730150603550403130e746861777465203646202d203431310b3009060355040a13024e54310b3009060355040b1302454e30820122300d06092a864886f70d01010105000382010f003082010a02820101009ea50b5c07dd88431670538a8665d20d62d5124bbf3363cfaa57eccb74b14e9b08ff1e6a0cf82aec145fbd5f6214cadd63a20154f5de5f25cf1836930717bb4b3edd71d6427be141e11773b42aa5185a92e39abecf43c137ec4e467c4e30e03f21a8b90c4a794a0c83ea5e0e16d85d9c0e3460bd3f01cc20b1dcdd0d9fee25005e87f99b216762e53f66c0ca712c2a955dd9e2f1932983b2e010aedc69ea0d5c02db856838e583e354d540ae1d1ab754108c428f1e66dc39f52fbdfc8c6feb19dac63426b9db8a5f395a833d0cd62ca63382413cbcaaeb9d4bd9409bbcec38cdb967c224102161c472a0cb237a8c597c59e70f10f44be0db846397db4b2210bd0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d010105050003820101006c681581a8d6066712b092caff36a73a80e1394fdbb311c7914b5f29a98396ba4c8cf8ec7796d2e2aa15ea102c196bae7e012649b7b530e89d9223a87662960897a5a588d657a3df71b3fd42ffc5577a535bb8c9d7d378d0238251fb4ed1e433f6cca1997e53bc581e2c2cdc639d6637ac83f2258a2c6e9dcff95ae700c8cbe22bbee84e8bb9e554aa3480fce0e176409413489f555a4aa94ffe405d5976ae6346c83a07721e9b6cc164883b12c6b8bb0a8ac596fc9d84af73bc2a1e493bc25b5578dbae1f70efb40080bea84c0f20c464b46fd9e35bbf17111ea39086446e1df679a14fdf892b8c5d5b6c1c1a24fe0bf538b9d33342181f561bb652fa94eccd	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RUNDLL32.EXEsvchost.exerundll32.exeRUNDLL32.EXErundll32.exe

pid	process
1408	RUNDLL32.EXE
1408	RUNDLL32.EXE
464	svchost.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
464	svchost.exe
1576	RUNDLL32.EXE
2012	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 112 rundll32.exe
Token: SeDebugPrivilege 1408 RUNDLL32.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

612 WScript.exe

description	pid	process
Token: SeDebugPrivilege	112	rundll32.exe
Token: SeDebugPrivilege	1408	RUNDLL32.EXE

pid	process
612	WScript.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

regsvr32.exeregsvr32.exerundll32.exerundll32.exerundll32.exesvchost.exe

description	pid	process	target process
PID 1956 wrote to memory of 1620	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 1620	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 1620	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 1620	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 1620	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 1620	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 1620	1956	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 748	1620	regsvr32.exe	rundll32.exe
PID 1620 wrote to memory of 748	1620	regsvr32.exe	rundll32.exe
PID 1620 wrote to memory of 748	1620	regsvr32.exe	rundll32.exe
PID 1620 wrote to memory of 748	1620	regsvr32.exe	rundll32.exe
PID 1620 wrote to memory of 748	1620	regsvr32.exe	rundll32.exe
PID 1620 wrote to memory of 748	1620	regsvr32.exe	rundll32.exe
PID 1620 wrote to memory of 748	1620	regsvr32.exe	rundll32.exe
PID 748 wrote to memory of 2000	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2000	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2000	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2000	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2000	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2000	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 2000	748	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 1828	2000	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 1828	2000	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 1828	2000	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 1828	2000	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 112	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 112	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 112	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 112	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 112	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 112	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 112	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1408	1828	rundll32.exe	RUNDLL32.EXE
PID 1828 wrote to memory of 1408	1828	rundll32.exe	RUNDLL32.EXE
PID 1828 wrote to memory of 1408	1828	rundll32.exe	RUNDLL32.EXE
PID 464 wrote to memory of 1976	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 1976	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 1976	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 1976	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 1976	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 1976	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 1976	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 1576	464	svchost.exe	RUNDLL32.EXE
PID 464 wrote to memory of 1576	464	svchost.exe	RUNDLL32.EXE
PID 464 wrote to memory of 1576	464	svchost.exe	RUNDLL32.EXE
PID 464 wrote to memory of 412	464	svchost.exe	winlogon.exe
PID 464 wrote to memory of 2012	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 2012	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 2012	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 2012	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 2012	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 2012	464	svchost.exe	rundll32.exe
PID 464 wrote to memory of 2012	464	svchost.exe	rundll32.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AXO23516563548321.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:612

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\PdK.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\PdK.txt
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\PdK.txt,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\\rundll32.exe C:\PROGRA~3\BF8C7CA9\763BDAB7.dll,f1 C:\Users\Admin\AppData\Local\Temp\PdK.txt@748
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\rundll32.exe
C:\Windows\system32\\rundll32.exe C:\PROGRA~3\BF8C7CA9\763BDAB7.dll,f1 C:\Users\Admin\AppData\Local\Temp\PdK.txt@748
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe C:\ProgramData\BF8C7CA9\71578D58.dll,f2 4458A332E9B82FF56A9D22C7A5CF0F74
6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\BF8C7CA9\763BDAB7.dll,f2 72D316C1CAD6D793C258DF23A1B24090
6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe C:\ProgramData\BF8C7CA9\71578D58.dll,f3
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\system32\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\BF8C7CA9\763BDAB7.dll,f7
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe C:\ProgramData\BF8C7CA9\71578D58.dll,f2 B003C6D5EF304D6EC18B5FD767831E49
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
C:\ProgramData\BF8C7CA9\4E5E05FF
MD5
4ab2dfd1ca5c870a725b208ecfa07d07

SHA1
75b0af7d6e6ed87128ad82257ec1108f200dd534

SHA256
b2ca45e5b008ef727450102a8bf458c32202dd1e04b871f80a98d5eed8596dde

SHA512
fb4f5d0c6408ae35133bfdd483058d55e76c1d493da46a78f7093f6d6a39fa33cec1531b252b6f90b91138a2b2fbce7780b00f151f7c293c8ec4e394c14d591e

Download Submit
C:\ProgramData\BF8C7CA9\5DD99254\A8998757E513BC17B05D9A82E12D1CE2
MD5
431f97215b48852e291bd12f297510aa

SHA1
3ca6da6d29ba7f21b2ac0793d70abc9210cd9872

SHA256
790f32145497a6f20bf909eb2f40b9f49e82443f578162abf9e1ab1d214f69c8

SHA512
3063764d085daea544be56af648ae17c44230fd8bfe4424ee1a0abccc563e078d02aa5d8b9cce57ed8d52a635fb3bb257ca34e5b9f40c4949e7d0ed4fb03dbfb

Download Submit
C:\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
C:\ProgramData\BF8C7CA9\BD4FCA41
MD5
c4f48dda1d0a8e912bf0effcd9316e3a

SHA1
78e79d15b55f5679c178034948986c454e87651b

SHA256
2a6ea38f2e03482ef86790b29fd019d3faf3a6e54bbdb28ad70edda12f692f7c

SHA512
d618d0a2edc5ba2e5792a6876cbbd6cdd6ab5dda1da2c778b3d262410f644c1ed7ed255137585ff04caa9f48ef194ac5e2fa55ea456e898d565b364467b5a8e1

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9a7a94ec9bbfa1ba4321b106ec03c95a_18654976-c7db-4a1a-8859-070035d242d5
MD5
fa406361e7635f0d9fc4a9077b84ebc1

SHA1
0acdea6322009945cf06f335525781cfbdcd5596

SHA256
ca077d21d2b45649c58b2954e1fcd09a9abcdd77a14049575b6202497fffb313

SHA512
d1fa037adb7574d07c5b132b0fef381599379d37359a1d94c6928025b6b3b9e2ad0a5b21746d547d7dbc940a6ac4c8b1599e3f18d21d8a5028627302ece7631a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdK.txt
MD5
9c870486e7592af4b027388049a9050d

SHA1
074359027ecb25d15bb5f688704fc352b27b52ac

SHA256
0888ca1d333365d2df3afd54339a221d191c5a1065b22607c6c912d8a55c7558

SHA512
2e8b0e933293b1322b3117bd644fa16afad9a47e7eaeadd43ca8a4020b2fb6266b21b7344fe09bb0a2d10d085941e2cf7054f1ecab32cc2cc57c8fa504b25587

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\PROGRA~3\BF8C7CA9\763BDAB7.dll
MD5
b664adb78399ef4ea3bb7a4a35610182

SHA1
f7e47681a642f72dda150be70e166c7cde439441

SHA256
629b3207f0619ac1e8666798910217bfa6ece289678957168ace25dea52b4d55

SHA512
34b09b109146410729a5f8bbe73056d51147c57ad98e8be79fc5165368cb8a915df678962b10a67e7ea828482c480fa935e5bbdefd9466f18804ac187a3dcee6

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\ProgramData\BF8C7CA9\71578D58.dll
MD5
8a78975c6245ed76a735dc6e56589b7d

SHA1
73d70a3d1f2e25eec53da080a6e1056663703095

SHA256
5772c93b7ba662abb6a5e6b0b9302c19ec59ee6cc8ec03245d1acb8604d2a047

SHA512
9fd717d2895471a9b980c5ede374419eee13216d0783297c343a1c2b0ac91989f56e5793a76dfd04f0e6bbef2223521c2e195a688440c538ac8ad8528ce00578

Download Submit
\Users\Admin\AppData\Local\Temp\PdK.txt
MD5
9c870486e7592af4b027388049a9050d

SHA1
074359027ecb25d15bb5f688704fc352b27b52ac

SHA256
0888ca1d333365d2df3afd54339a221d191c5a1065b22607c6c912d8a55c7558

SHA512
2e8b0e933293b1322b3117bd644fa16afad9a47e7eaeadd43ca8a4020b2fb6266b21b7344fe09bb0a2d10d085941e2cf7054f1ecab32cc2cc57c8fa504b25587

Download Submit
\Users\Admin\AppData\Local\Temp\PdK.txt
MD5
9c870486e7592af4b027388049a9050d

SHA1
074359027ecb25d15bb5f688704fc352b27b52ac

SHA256
0888ca1d333365d2df3afd54339a221d191c5a1065b22607c6c912d8a55c7558

SHA512
2e8b0e933293b1322b3117bd644fa16afad9a47e7eaeadd43ca8a4020b2fb6266b21b7344fe09bb0a2d10d085941e2cf7054f1ecab32cc2cc57c8fa504b25587

Download Submit
memory/112-20-0x0000000002450000-0x00000000025DC000-memory.dmp

Filesize
1.5MB

Download
memory/112-26-0x0000000002860000-0x0000000002A79000-memory.dmp

Filesize
2.1MB

Download
memory/412-52-0x0000000003680000-0x00000000037C0000-memory.dmp

Filesize
1.2MB

Download
memory/412-41-0x0000000003400000-0x0000000003676000-memory.dmp

Filesize
2.5MB

Download
memory/412-39-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/412-53-0x0000000003680000-0x00000000037C0000-memory.dmp

Filesize
1.2MB

Download
memory/464-29-0x0000000002670000-0x00000000028E6000-memory.dmp

Filesize
2.5MB

Download
memory/464-37-0x0000000002F20000-0x0000000002F31000-memory.dmp

Filesize
68KB

Download
memory/464-36-0x0000000003330000-0x0000000003341000-memory.dmp

Filesize
68KB

Download
memory/464-35-0x0000000002F20000-0x0000000002F31000-memory.dmp

Filesize
68KB

Download
memory/464-57-0x0000000003460000-0x0000000003471000-memory.dmp

Filesize
68KB

Download
memory/464-58-0x0000000003870000-0x0000000003881000-memory.dmp

Filesize
68KB

Download
memory/464-59-0x0000000003460000-0x0000000003471000-memory.dmp

Filesize
68KB

Download
memory/612-0-0x0000000003730000-0x0000000003734000-memory.dmp

Filesize
16KB

Download
memory/1408-27-0x0000000002AE0000-0x0000000002E4D000-memory.dmp

Filesize
3.4MB

Download
memory/1408-25-0x00000000024F0000-0x0000000002766000-memory.dmp

Filesize
2.5MB

Download
memory/1828-14-0x0000000002470000-0x00000000026E6000-memory.dmp

Filesize
2.5MB

Download
memory/1976-38-0x0000000000D50000-0x0000000000EDC000-memory.dmp

Filesize
1.5MB

Download
memory/2012-151-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-179-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-64-0x0000000003890000-0x00000000038A1000-memory.dmp

Filesize
68KB

Download
memory/2012-65-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-66-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download
memory/2012-147-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-148-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-149-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-150-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-61-0x00000000027B0000-0x0000000003056000-memory.dmp

Filesize
8.6MB

Download
memory/2012-152-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-153-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-154-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-155-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-156-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-157-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-158-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-159-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-160-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-161-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-162-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-163-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-164-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-165-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-166-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-167-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-168-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-169-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-170-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-171-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-172-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-173-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-174-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-175-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-176-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-177-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-178-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-63-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download
memory/2012-180-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-181-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-182-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-183-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-184-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-185-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-186-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-187-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-188-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-189-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-190-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-191-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-192-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-193-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-194-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-195-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-196-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-197-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-198-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-199-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-200-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-201-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-202-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-203-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-204-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-205-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-206-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-207-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-208-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-209-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-210-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-211-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-212-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2012-213-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download
memory/2012-214-0x0000000003890000-0x00000000038A1000-memory.dmp

Filesize
68KB

Download
memory/2012-215-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download
memory/2012-55-0x0000000000DA0000-0x0000000000F2C000-memory.dmp

Filesize
1.5MB

Download