Analysis
- max time kernel: 149s
- max time network: 136s
- resource: win7v191014
- submitted: 03-02-2020 11:30
Task: task1
- Sample: AXO23516563548321.vbs
- Resource: win7v191014
Task: task2
- Sample: AXO23516563548321.vbs
- Resource: win10v191014
Static task: static1
General
- Target: AXO23516563548321.vbs
- Size: 4.6MB
- MD5: 9c2592eb51ea3339ee113d151b623d55
- SHA1: da4af1db47dfe8b257ac53f754975598bc8b1a1c
- SHA256: eb7289b966dadc5ea1f99ca35cde7fc4f2380426f632a2bedb98e26fea9d44f4
- SHA512: b5d3367429f1cd538b59dbeb75ed3b49f43f8a4419d6ffcd34ffb6541e2163e6470bba084e0ba8ed8c07df52a717a28125e29603c9ad168b7d91bca9fd0aca57
Malware Config
Extracted
danabot
Signatures
-
Danabot x86 payload 13 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
resource | yara_rule
C:\ProgramData\BF8C7CA9\71578D58.dll | family_danabot
\ProgramData\BF8C7CA9\71578D58.dll | family_danabot
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 1100 | regsvr32.exe |
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exe
flow | pid | process
7 | 748 | rundll32.exe
-
Executes dropped EXE 1 IoCs
Processes:
winlogon.exe
pid | process
412 | winlogon.exe
-
Sets DLL path for service in the registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Loads dropped DLL 31 IoCs
Processes:
regsvr32.exe, rundll32.exe, RUNDLL32.EXE, svchost.exe
pid | process
1620 | regsvr32.exe
748 | rundll32.exe
2000 | rundll32.exe
1828 | rundll32.exe
112 | rundll32.exe
1408 | RUNDLL32.EXE
464 | svchost.exe
1976 | rundll32.exe
1576 | RUNDLL32.EXE
2012 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exe
description | ioc | process
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\N: | svchost.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\F: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
File opened (read-only) | \??\A: | svchost.exe
File opened (read-only) | \??\B: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\R: | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXE, rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
-
Modifies data under HKEY_USERS 20 IoCs
Processes:
RUNDLL32.EXE, rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | RUNDLL32.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | RUNDLL32.EXE
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080" | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | RUNDLL32.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | RUNDLL32.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | RUNDLL32.EXE
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1" | RUNDLL32.EXE
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080" | RUNDLL32.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | RUNDLL32.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1" | RUNDLL32.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080" | RUNDLL32.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root | RUNDLL32.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | RUNDLL32.EXE
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1" | RUNDLL32.EXE
-
Modifies registry class 8 IoCs
Processes:
RUNDLL32.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080" | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion | RUNDLL32.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings | RUNDLL32.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1" | RUNDLL32.EXE
-
Modifies system certificate store
Processes:
RUNDLL32.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6BADC80AF67C46BD4385A36CBAEF603623F09471 | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6BADC80AF67C46BD4385A36CBAEF603623F09471\Blob | RUNDLL32.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
RUNDLL32.EXE, svchost.exe, rundll32.exe
pid | process
1408 | RUNDLL32.EXE
464 | svchost.exe
1976 | rundll32.exe
1576 | RUNDLL32.EXE
2012 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exe, RUNDLL32.EXE
description | pid | process
Token: SeDebugPrivilege | 112 | rundll32.exe
Token: SeDebugPrivilege | 1408 | RUNDLL32.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WScript.exe
pid | process
612 | WScript.exe
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes:
regsvr32.exe, rundll32.exe, svchost.exe
description | pid | process | target process
PID 1956 wrote to memory of 1620 | 1956 | regsvr32.exe | regsvr32.exe
PID 1620 wrote to memory of 748 | 1620 | regsvr32.exe | rundll32.exe
PID 748 wrote to memory of 2000 | 748 | rundll32.exe | rundll32.exe
PID 2000 wrote to memory of 1828 | 2000 | rundll32.exe | rundll32.exe
PID 1828 wrote to memory of 112 | 1828 | rundll32.exe | rundll32.exe
PID 1828 wrote to memory of 1408 | 1828 | rundll32.exe | RUNDLL32.EXE
PID 464 wrote to memory of 1976 | 464 | svchost.exe | rundll32.exe
PID 464 wrote to memory of 1576 | 464 | svchost.exe | RUNDLL32.EXE
PID 464 wrote to memory of 412 | 464 | svchost.exe | winlogon.exe
PID 464 wrote to memory of 2012 | 464 | svchost.exe | rundll32.exe
Processes
PID 412: C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - Executes dropped EXE
PID 612: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AXO23516563548321.vbs"
  - Suspicious use of FindShellTrayWindow
PID 1956: C:\Windows\system32\regsvr32.exe
  Command line: regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\PdK.txt
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID 1620: C:\Windows\SysWOW64\regsvr32.exe
    Command line: -s C:\Users\Admin\AppData\Local\Temp\PdK.txt
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID 748: C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\PdK.txt,f0
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID 2000: C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\system32\\rundll32.exe C:\PROGRA~3\BF8C7CA9\763BDAB7.dll,f1 C:\Users\Admin\AppData\Local\Temp\PdK.txt@748
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID 1828: C:\Windows\system32\rundll32.exe
          Command line: C:\Windows\system32\\rundll32.exe C:\PROGRA~3\BF8C7CA9\763BDAB7.dll,f1 C:\Users\Admin\AppData\Local\Temp\PdK.txt@748
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID 112: C:\Windows\syswow64\rundll32.exe
            Command line: C:\Windows\syswow64\rundll32.exe C:\ProgramData\BF8C7CA9\71578D58.dll,f2 4458A332E9B82FF56A9D22C7A5CF0F74
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
          PID 1408: C:\Windows\system32\RUNDLL32.EXE
            Command line: C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\BF8C7CA9\763BDAB7.dll,f2 72D316C1CAD6D793C258DF23A1B24090
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
PID 464: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID 1976: C:\Windows\syswow64\rundll32.exe
    Command line: C:\Windows\syswow64\rundll32.exe C:\ProgramData\BF8C7CA9\71578D58.dll,f3
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  PID 1576: C:\Windows\system32\RUNDLL32.EXE
    Command line: C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\BF8C7CA9\763BDAB7.dll,f7
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
  PID 2012: C:\Windows\syswow64\rundll32.exe
    Command line: C:\Windows\syswow64\rundll32.exe C:\ProgramData\BF8C7CA9\71578D58.dll,f2 B003C6D5EF304D6EC18B5FD767831E49
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Downloads
64KB
-
memory/2012-176-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-177-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-178-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-63-0x0000000003480000-0x0000000003491000-memory.dmpFilesize
68KB
-
memory/2012-180-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-181-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-182-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-183-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-184-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-185-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-186-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-187-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-188-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-189-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-190-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-191-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-192-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-193-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-194-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-195-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-196-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-197-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-198-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-199-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-200-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-201-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-202-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-203-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-204-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-205-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-206-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-207-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-208-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-209-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-210-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-211-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-212-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/2012-213-0x0000000003480000-0x0000000003491000-memory.dmpFilesize
68KB
-
memory/2012-214-0x0000000003890000-0x00000000038A1000-memory.dmpFilesize
68KB
-
memory/2012-215-0x0000000003480000-0x0000000003491000-memory.dmpFilesize
68KB
-
memory/2012-55-0x0000000000DA0000-0x0000000000F2C000-memory.dmpFilesize
1.5MB