Analysis
max time kernel: 151s
max time network: 143s
platform: windows7_x64
resource: win7v200217
submitted: 16-03-2020 17:07
Static task
static1
Behavioral task
behavioral1
Sample
5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe
Resource
win7v200217
General
-
Target
5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe
-
Size
586KB
-
MD5
84199f05e4ed67e1e80b1249aff5dbd8
-
SHA1
0958acfba862f8c7e9a7057d9bd098ffca49b1c1
-
SHA256
5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8
-
SHA512
9bf5d946a7a6b91c8aafe85054a0f304fcd09e84bbe75408575f0cdebcb64c080765aeb98a3a165087dda1b594b6d0aa6828697cf6db23490156f57a6444a917
Malware Config
Extracted
danabot
Signatures
-
Danabot x86 payload 19 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:

| resource | yara_rule |
| --- | --- |
| `C:\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL` | family_danabot |
| `\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL` | family_danabot |
| `\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL` | family_danabot |
| `\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL` | family_danabot |
| `\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL` | family_danabot |
| `\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL` | family_danabot |
| `C:\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |
| `\ProgramData\F3536BCD\1CA94A22.dll` | family_danabot |

-
Blocklisted process makes network request 5 IoCs
Processes:
rundll32.exe

| flow | pid | process |
| --- | --- | --- |
| 1 | 1884 | rundll32.exe |
| 4 | 1884 | rundll32.exe |
| 5 | 1884 | rundll32.exe |
| 8 | 1884 | rundll32.exe |
| 11 | 1884 | rundll32.exe |

-
Executes dropped EXE 1 IoCs
Processes:
winlogon.exe

| pid | process |
| --- | --- |
| 412 | winlogon.exe |

-
Sets DLL path for service in the registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Loads dropped DLL 36 IoCs
Processes:
regsvr32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe RUNDLL32.EXE svchost.exe rundll32.exe RUNDLL32.EXE services.exe rundll32.exe Explorer.EXE

| pid | process |
| --- | --- |
| 1864 | regsvr32.exe |
| 1884 | rundll32.exe |
| 1884 | rundll32.exe |
| 1884 | rundll32.exe |
| 1884 | rundll32.exe |
| 2032 | rundll32.exe |
| 2032 | rundll32.exe |
| 2032 | rundll32.exe |
| 2032 | rundll32.exe |
| 1084 | rundll32.exe |
| 1084 | rundll32.exe |
| 1084 | rundll32.exe |
| 1084 | rundll32.exe |
| 1352 | rundll32.exe |
| 1352 | rundll32.exe |
| 1352 | rundll32.exe |
| 1352 | rundll32.exe |
| 1500 | RUNDLL32.EXE |
| 1500 | RUNDLL32.EXE |
| 1500 | RUNDLL32.EXE |
| 1500 | RUNDLL32.EXE |
| 328 | svchost.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1452 | RUNDLL32.EXE |
| 1452 | RUNDLL32.EXE |
| 1452 | RUNDLL32.EXE |
| 1452 | RUNDLL32.EXE |
| 472 | services.exe |
| 1056 | rundll32.exe |
| 1056 | rundll32.exe |
| 1056 | rundll32.exe |
| 1056 | rundll32.exe |
| 1264 | Explorer.EXE |

-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exe

| description | ioc | process |
| --- | --- | --- |
| File opened (read-only) | `\??\W:` | svchost.exe |
| File opened (read-only) | `\??\X:` | svchost.exe |
| File opened (read-only) | `\??\B:` | svchost.exe |
| File opened (read-only) | `\??\J:` | svchost.exe |
| File opened (read-only) | `\??\M:` | svchost.exe |
| File opened (read-only) | `\??\N:` | svchost.exe |
| File opened (read-only) | `\??\Q:` | svchost.exe |
| File opened (read-only) | `\??\R:` | svchost.exe |
| File opened (read-only) | `\??\G:` | svchost.exe |
| File opened (read-only) | `\??\I:` | svchost.exe |
| File opened (read-only) | `\??\T:` | svchost.exe |
| File opened (read-only) | `\??\V:` | svchost.exe |
| File opened (read-only) | `\??\Y:` | svchost.exe |
| File opened (read-only) | `\??\A:` | svchost.exe |
| File opened (read-only) | `\??\H:` | svchost.exe |
| File opened (read-only) | `\??\K:` | svchost.exe |
| File opened (read-only) | `\??\O:` | svchost.exe |
| File opened (read-only) | `\??\P:` | svchost.exe |
| File opened (read-only) | `\??\S:` | svchost.exe |
| File opened (read-only) | `\??\E:` | svchost.exe |
| File opened (read-only) | `\??\F:` | svchost.exe |
| File opened (read-only) | `\??\L:` | svchost.exe |
| File opened (read-only) | `\??\U:` | svchost.exe |
| File opened (read-only) | `\??\Z:` | svchost.exe |

-
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | `C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat` | rundll32.exe |

-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXE rundll32.exe

| description | ioc | process |
| --- | --- | --- |
| Key opened | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0` | RUNDLL32.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString` | RUNDLL32.EXE |
| Key opened | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0` | rundll32.exe |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString` | rundll32.exe |

-
Modifies data under HKEY_USERS 20 IoCs
Processes:
rundll32.exe RUNDLL32.EXE

| description | ioc | process |
| --- | --- | --- |
| Key created | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates` | rundll32.exe |
| Key created | `\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root` | rundll32.exe |
| Set value (str) | `\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs` | RUNDLL32.EXE |
| Set value (int) | `\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"` | RUNDLL32.EXE |
| Set value (data) | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings` | RUNDLL32.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs` | rundll32.exe |
| Key created | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs` | rundll32.exe |
| Key created | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs` | RUNDLL32.EXE |
| Set value (int) | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"` | RUNDLL32.EXE |
| Set value (str) | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"` | RUNDLL32.EXE |
| Set value (int) | `\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"` | RUNDLL32.EXE |
| Set value (data) | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000` | rundll32.exe |
| Key created | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root` | RUNDLL32.EXE |
| Set value (str) | `\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"` | RUNDLL32.EXE |

-
Modifies registry class 8 IoCs
Processes:
RUNDLL32.EXE

| description | ioc | process |
| --- | --- | --- |
| Key created | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Software\Microsoft\Windows` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings` | RUNDLL32.EXE |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"` | RUNDLL32.EXE |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Software` | RUNDLL32.EXE |
| Key created | `\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Software\Microsoft` | RUNDLL32.EXE |

-
Processes:
RUNDLL32.EXE

| description | ioc | process |
| --- | --- | --- |
| Key created | `\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\255E31A29B8A17E9092A1C14B55CC0F271B0471C` | RUNDLL32.EXE |
| Set value (data) | `\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\255E31A29B8A17E9092A1C14B55CC0F271B0471C\Blob` | RUNDLL32.EXE |

-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exe rundll32.exe RUNDLL32.EXE RUNDLL32.EXE rundll32.exe

| pid | process |
| --- | --- |
| 328 | svchost.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 328 | svchost.exe |
| 1452 | RUNDLL32.EXE |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1500 | RUNDLL32.EXE |
| 1500 | RUNDLL32.EXE |
| 328 | svchost.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 328 | svchost.exe |
| 1056 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |
| 1612 | rundll32.exe |

-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE

| pid | process |
| --- | --- |
| 1264 | Explorer.EXE |

-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
RUNDLL32.EXE rundll32.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1500 | RUNDLL32.EXE |
| Token: SeDebugPrivilege | 1352 | rundll32.exe |
| Token: SeAuditPrivilege | 988 | |
| Token: SeAuditPrivilege | 988 | |
| Token: SeAuditPrivilege | 988 | |

-
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe regsvr32.exe rundll32.exe rundll32.exe rundll32.exe svchost.exe services.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1832 wrote to memory of 1864 | 1832 | 5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | regsvr32.exe |
| PID 1832 wrote to memory of 1864 | 1832 | 5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | regsvr32.exe |
| PID 1832 wrote to memory of 1864 | 1832 | 5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | regsvr32.exe |
| PID 1832 wrote to memory of 1864 | 1832 | 5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | regsvr32.exe |
| PID 1832 wrote to memory of 1864 | 1832 | 5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | regsvr32.exe |
| PID 1832 wrote to memory of 1864 | 1832 | 5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | regsvr32.exe |
| PID 1832 wrote to memory of 1864 | 1832 | 5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | regsvr32.exe |
| PID 1864 wrote to memory of 1884 | 1864 | regsvr32.exe | rundll32.exe |
| PID 1864 wrote to memory of 1884 | 1864 | regsvr32.exe | rundll32.exe |
| PID 1864 wrote to memory of 1884 | 1864 | regsvr32.exe | rundll32.exe |
| PID 1864 wrote to memory of 1884 | 1864 | regsvr32.exe | rundll32.exe |
| PID 1864 wrote to memory of 1884 | 1864 | regsvr32.exe | rundll32.exe |
| PID 1864 wrote to memory of 1884 | 1864 | regsvr32.exe | rundll32.exe |
| PID 1864 wrote to memory of 1884 | 1864 | regsvr32.exe | rundll32.exe |
| PID 1884 wrote to memory of 2032 | 1884 | rundll32.exe | rundll32.exe |
| PID 1884 wrote to memory of 2032 | 1884 | rundll32.exe | rundll32.exe |
| PID 1884 wrote to memory of 2032 | 1884 | rundll32.exe | rundll32.exe |
| PID 1884 wrote to memory of 2032 | 1884 | rundll32.exe | rundll32.exe |
| PID 1884 wrote to memory of 2032 | 1884 | rundll32.exe | rundll32.exe |
| PID 1884 wrote to memory of 2032 | 1884 | rundll32.exe | rundll32.exe |
| PID 1884 wrote to memory of 2032 | 1884 | rundll32.exe | rundll32.exe |
| PID 2032 wrote to memory of 1084 | 2032 | rundll32.exe | rundll32.exe |
| PID 2032 wrote to memory of 1084 | 2032 | rundll32.exe | rundll32.exe |
| PID 2032 wrote to memory of 1084 | 2032 | rundll32.exe | rundll32.exe |
| PID 2032 wrote to memory of 1084 | 2032 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1352 | 1084 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1352 | 1084 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1352 | 1084 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1352 | 1084 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1352 | 1084 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1352 | 1084 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1352 | 1084 | rundll32.exe | rundll32.exe |
| PID 1084 wrote to memory of 1500 | 1084 | rundll32.exe | RUNDLL32.EXE |
| PID 1084 wrote to memory of 1500 | 1084 | rundll32.exe | RUNDLL32.EXE |
| PID 1084 wrote to memory of 1500 | 1084 | rundll32.exe | RUNDLL32.EXE |
| PID 328 wrote to memory of 412 | 328 | svchost.exe | winlogon.exe |
| PID 328 wrote to memory of 1612 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1612 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1612 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1612 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1612 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1612 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1612 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1452 | 328 | svchost.exe | RUNDLL32.EXE |
| PID 328 wrote to memory of 1452 | 328 | svchost.exe | RUNDLL32.EXE |
| PID 328 wrote to memory of 1452 | 328 | svchost.exe | RUNDLL32.EXE |
| PID 328 wrote to memory of 472 | 328 | svchost.exe | services.exe |
| PID 472 wrote to memory of 740 | 472 | services.exe | svchost.exe |
| PID 472 wrote to memory of 740 | 472 | services.exe | svchost.exe |
| PID 472 wrote to memory of 740 | 472 | services.exe | svchost.exe |
| PID 328 wrote to memory of 1056 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1056 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1056 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1056 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1056 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1056 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1056 | 328 | svchost.exe | rundll32.exe |
| PID 328 wrote to memory of 1264 | 328 | svchost.exe | Explorer.EXE |

Processes
-
C:\Windows\system32\winlogon.exe | winlogon.exe | 1⤵
- Executes dropped EXE
-
C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | 2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\rundll32.exe | C:\Windows\syswow64\rundll32.exe C:\ProgramData\F3536BCD\1CA94A22.dll,f3 | 3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\RUNDLL32.EXE | C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F3536BCD\7B117381.dll,f7 | 3⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\syswow64\rundll32.exe | C:\Windows\syswow64\rundll32.exe C:\ProgramData\F3536BCD\1CA94A22.dll,f2 E48E292D52AA1264BCBA6B30A9CB2113 | 3⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | 2⤵
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe | "C:\Users\Admin\AppData\Local\Temp\5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8.exe" | 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\5AD49D~1.EXE@1832 | 3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL,f0 | 4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\\rundll32.exe C:\PROGRA~3\F3536BCD\7B117381.dll,f1 C:\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL@1884 | 5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe | C:\Windows\system32\\rundll32.exe C:\PROGRA~3\F3536BCD\7B117381.dll,f1 C:\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL@1884 | 6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\rundll32.exe | C:\Windows\syswow64\rundll32.exe C:\ProgramData\F3536BCD\1CA94A22.dll,f2 F7090F619059A3AAB3E71D0ADA462372 | 7⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\RUNDLL32.EXE | C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F3536BCD\7B117381.dll,f2 1FCAAAC36182D72B5B244331A7421701 | 7⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
C:\ProgramData\F3536BCD\1CA94A22.dllMD5
913d4525b164ed6fb0180e7d359dd3d4
SHA1a8aff014aa3b85d6baae78686869d5a85b2e9168
SHA256c5d927277e2a14fe65b12bfa668c71c216d7afe177a47cf7079650d252f334cc
SHA512ad7645c50891f919e4059961c0b7aee1c297e121ece8f6a25025887f995a62f659c39186adef496e1546c6be1c03b9ac90e310f8cf65fac5640f777285597186
-
C:\ProgramData\F3536BCD\2281DF86MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\F3536BCD\32AD35E4MD5
ef6e86a313430f94e64d7aee47504007
SHA19b81cb1fdf3b541fa35a093b3e2618b8ee68c622
SHA256ed90d10dc71071ee9e07ff42db41a4bcde4608dc3b43b624c69ca91fdfdd32c6
SHA5125bb006aa38c898b7660b4508df5190cb6d8d0537f96cfc503af122b9655259bc6e9ee80f8afe50af6a06529d97fc660f790632dfe622599817a8fb8ae2d18401
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e3a0eaf8ef8f9474a7f42a87856bf4f5_cb3421d8-e2c8-4b12-9d02-76148b2a4ecfMD5
5e5ceff288793ac159b52eca4f1b20f5
SHA1a7223ab883b8491de680a6e37bf34a89aecab89a
SHA2561772fb1ccb0277880df65c270d96f47c1212211d181f7d7950e46c76c283d12a
SHA5128e79857121e41f8bebf7a762eb7d217c2c9a7da08fd5ec083f68d65c9f7b1a96c849a90f423b24e60f9c66f4f497a22e41c132e1dd0974616d3899b8161e893d
-
C:\Users\Admin\AppData\Local\Temp\5AD49D~1.DLLMD5
58494bb8deb6d215d0761df70604b488
SHA1588c4967fa553fd00f6b47762c861d0a13a1c84f
SHA256b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e
SHA512347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\PROGRA~3\F3536BCD\7B117381.dllMD5
8167369f6b81a7007c87520dd2e611fd
SHA19c51c325a3234f41f8b49e1ed4bec545d4d5b222
SHA256113815cb457c0968f7280a231f5f93489e2c99ade47109e74edaabf9564b05f1
SHA51293f7dc969e582bbb23910d20ce4b2eac3b093928098a13039ef64a05810dafa973f078f022773a50ce931b62c4375911f949d5dd6341bdae4659bb680bf74abf
-
\ProgramData\F3536BCD\1CA94A22.dllMD5
913d4525b164ed6fb0180e7d359dd3d4
SHA1a8aff014aa3b85d6baae78686869d5a85b2e9168
SHA256c5d927277e2a14fe65b12bfa668c71c216d7afe177a47cf7079650d252f334cc
SHA512ad7645c50891f919e4059961c0b7aee1c297e121ece8f6a25025887f995a62f659c39186adef496e1546c6be1c03b9ac90e310f8cf65fac5640f777285597186
-
\ProgramData\F3536BCD\1CA94A22.dllMD5
913d4525b164ed6fb0180e7d359dd3d4
SHA1a8aff014aa3b85d6baae78686869d5a85b2e9168
SHA256c5d927277e2a14fe65b12bfa668c71c216d7afe177a47cf7079650d252f334cc
SHA512ad7645c50891f919e4059961c0b7aee1c297e121ece8f6a25025887f995a62f659c39186adef496e1546c6be1c03b9ac90e310f8cf65fac5640f777285597186
-
\ProgramData\F3536BCD\1CA94A22.dllMD5
913d4525b164ed6fb0180e7d359dd3d4
SHA1a8aff014aa3b85d6baae78686869d5a85b2e9168
SHA256c5d927277e2a14fe65b12bfa668c71c216d7afe177a47cf7079650d252f334cc
SHA512ad7645c50891f919e4059961c0b7aee1c297e121ece8f6a25025887f995a62f659c39186adef496e1546c6be1c03b9ac90e310f8cf65fac5640f777285597186
-
\ProgramData\F3536BCD\1CA94A22.dllMD5
913d4525b164ed6fb0180e7d359dd3d4
SHA1a8aff014aa3b85d6baae78686869d5a85b2e9168
SHA256c5d927277e2a14fe65b12bfa668c71c216d7afe177a47cf7079650d252f334cc
SHA512ad7645c50891f919e4059961c0b7aee1c297e121ece8f6a25025887f995a62f659c39186adef496e1546c6be1c03b9ac90e310f8cf65fac5640f777285597186
-
\ProgramData\F3536BCD\1CA94A22.dllMD5
913d4525b164ed6fb0180e7d359dd3d4
SHA1a8aff014aa3b85d6baae78686869d5a85b2e9168
SHA256c5d927277e2a14fe65b12bfa668c71c216d7afe177a47cf7079650d252f334cc
SHA512ad7645c50891f919e4059961c0b7aee1c297e121ece8f6a25025887f995a62f659c39186adef496e1546c6be1c03b9ac90e310f8cf65fac5640f777285597186
-
\Users\Admin\AppData\Local\Temp\5AD49D~1.DLL
MD5
58494bb8deb6d215d0761df70604b488
SHA1
588c4967fa553fd00f6b47762c861d0a13a1c84f
SHA256
b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e
SHA512
347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c