danabot | 8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

Resubmissions

09-01-2022 20:57

220109-zryfwadfg8 10

09-01-2022 15:48

220109-s8xgksdhfn 10

Analysis

max time kernel
299s
max time network
233s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-01-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

warrant.exe
Size

1.1MB
MD5

63d9b309582fbf651840182519c04f18
SHA1

742539d685093f276242b1ca3fae82c0d20cad6a
SHA256

8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3
SHA512

c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

Botnet

192.119.110.4:443

103.175.16.113:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 32 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
behavioral1/memory/1668-65-0x0000000001EB0000-0x0000000001FFE000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
behavioral1/memory/2040-69-0x0000000001DA0000-0x0000000001EEE000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
behavioral1/memory/1912-80-0x00000000009A0000-0x0000000000AEE000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
behavioral1/memory/2024-92-0x0000000000820000-0x000000000096E000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
behavioral1/memory/1220-143-0x0000000001ED0000-0x000000000201E000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
behavioral1/memory/1568-168-0x00000000007A0000-0x00000000008EE000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

2 1668 rundll32.exe
4 1668 rundll32.exe
5 1912 RUNDLL32.EXE
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
2	1668	rundll32.exe
4	1668	rundll32.exe
5	1912	RUNDLL32.EXE

Loads dropped DLL 25 IoCs

Processes:

rundll32.exesvchost.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid	process
1668	rundll32.exe
1668	rundll32.exe
1668	rundll32.exe
1668	rundll32.exe
2040	svchost.exe
1912	RUNDLL32.EXE
1912	RUNDLL32.EXE
1912	RUNDLL32.EXE
1912	RUNDLL32.EXE
2024	RUNDLL32.EXE
2024	RUNDLL32.EXE
2024	RUNDLL32.EXE
2024	RUNDLL32.EXE
912	RUNDLL32.EXE
912	RUNDLL32.EXE
912	RUNDLL32.EXE
912	RUNDLL32.EXE
1220	RUNDLL32.EXE
1220	RUNDLL32.EXE
1220	RUNDLL32.EXE
1220	RUNDLL32.EXE
1568	RUNDLL32.EXE
1568	RUNDLL32.EXE
1568	RUNDLL32.EXE
1568	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RUNDLL32.EXErundll32.exe

description	ioc	process
File opened (read-only)	\??\B:	RUNDLL32.EXE
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\A:	RUNDLL32.EXE

Drops file in System32 directory 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	RUNDLL32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

RUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

description	pid	process	target process
PID 2024 set thread context of 1524	2024	RUNDLL32.EXE	rundll32.exe
PID 912 set thread context of 828	912	RUNDLL32.EXE	rundll32.exe
PID 1220 set thread context of 584	1220	RUNDLL32.EXE	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXErundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exeRUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ED1F6E31872ADF3C7B89F170418C3CB5E579E532\Blob = 030000000100000014000000ed1f6e31872adf3c7b89f170418c3cb5e579e53220000000010000006e0200003082026a308201d3a00302010202087e391c881412ed76300d06092a864886f70d01010b0500305a3122302006035504030c1942686c74696d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230303131303232303133365a170d3234303130393232303133365a305a3122302006035504030c1942686c74696d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100ca628d6af3ddcf4c05413ee4fb638cf988db806861dad87c1defc95385966d255578b354b626b214268c78f942430d723e0ff2419ca4ed6e51afb82b06a59ef2027c7ff0f4bcfa7ebb60ff97edb01f6b80f39c104ccdf517831b4b3c95aabf1155ece77ed52dae9f4a8e56ebe714d51df96e9a5df7b5d39fb51301091e562b390203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942686c74696d6f7265204379626572547275737420526f6f74300d06092a864886f70d01010b0500038181005adde8caa26ee74c05b278672d12a306388a43851180eba1aaa0c8773ad9d433c5c137689666f4b433c20d92922c62e7552c1eaf4ddcf4b7925679ab98c629e74f86785bdd0a28c8eca7bdf93b02de72dd86e02c9a597a0247479b9406b2cf746a90aff1a36763370f4bf78481af72b3eb8b8e9b820641ba28e5eb456c4f446a	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D25240A1A8A23920C33430250B087E9DD2F7F7BE	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D25240A1A8A23920C33430250B087E9DD2F7F7BE\Blob = 030000000100000014000000d25240a1a8a23920c33430250b087e9dd2f7f7be20000000010000006e0200003082026a308201d3a003020102020807da319c00986622300d06092a864886f70d01010b0500305a3122302006035504030c1942726c74696d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230303131303232303133375a170d3234303130393232303133375a305a3122302006035504030c1942726c74696d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d00308189028181009a689fb04633802ff9c6790964b883a35849e692bc96ac6c5cb8b49574f30f4eeee68238225317a33e41a0f610dc5c7676b8b665e59e719e243e3c5b209ff684e1a401f5b572af1bdd4d040a81b81ed8f57626bf7a32934f1551c9c093c0c692a4ae82fc3b619b12060d39b2bcd23d62be7393b65a9f6ee0d3dfe593847950910203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942726c74696d6f7265204379626572547275737420526f6f74300d06092a864886f70d01010b05000381810032ef8ac3af7770d918b612236f461a43abebac2bd5bd6c77cfd3a082030457dce46472bd585b6f30f589ba78089cb019c3790807d09a7ce846be4690d9b027460fafcd034196c75e12583b50882833535401abd1fd9dec8e2664f9384788adea84512dcc0b778d8a0b996d50c3ab5507059b2364926fa9981dabf070fdab5e06	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ED1F6E31872ADF3C7B89F170418C3CB5E579E532	rundll32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

svchost.exerundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid	process
2040	svchost.exe
1668	rundll32.exe
1912	RUNDLL32.EXE
1668	rundll32.exe
1668	rundll32.exe
1912	RUNDLL32.EXE
1912	RUNDLL32.EXE
2024	RUNDLL32.EXE
912	RUNDLL32.EXE
2040	svchost.exe
2040	svchost.exe
1220	RUNDLL32.EXE
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 1668 rundll32.exe
Token: SeDebugPrivilege 1912 RUNDLL32.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

828 rundll32.exe
1524 rundll32.exe
584 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1668	rundll32.exe
Token: SeDebugPrivilege	1912	RUNDLL32.EXE

pid	process
828	rundll32.exe
1524	rundll32.exe
584	rundll32.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

warrant.exesvchost.exerundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXErundll32.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 1572 wrote to memory of 1668	1572	warrant.exe	rundll32.exe
PID 1572 wrote to memory of 1668	1572	warrant.exe	rundll32.exe
PID 1572 wrote to memory of 1668	1572	warrant.exe	rundll32.exe
PID 1572 wrote to memory of 1668	1572	warrant.exe	rundll32.exe
PID 1572 wrote to memory of 1668	1572	warrant.exe	rundll32.exe
PID 1572 wrote to memory of 1668	1572	warrant.exe	rundll32.exe
PID 1572 wrote to memory of 1668	1572	warrant.exe	rundll32.exe
PID 2040 wrote to memory of 1912	2040	svchost.exe	RUNDLL32.EXE
PID 2040 wrote to memory of 1912	2040	svchost.exe	RUNDLL32.EXE
PID 2040 wrote to memory of 1912	2040	svchost.exe	RUNDLL32.EXE
PID 2040 wrote to memory of 1912	2040	svchost.exe	RUNDLL32.EXE
PID 2040 wrote to memory of 1912	2040	svchost.exe	RUNDLL32.EXE
PID 2040 wrote to memory of 1912	2040	svchost.exe	RUNDLL32.EXE
PID 2040 wrote to memory of 1912	2040	svchost.exe	RUNDLL32.EXE
PID 1668 wrote to memory of 2024	1668	rundll32.exe	RUNDLL32.EXE
PID 1668 wrote to memory of 2024	1668	rundll32.exe	RUNDLL32.EXE
PID 1668 wrote to memory of 2024	1668	rundll32.exe	RUNDLL32.EXE
PID 1668 wrote to memory of 2024	1668	rundll32.exe	RUNDLL32.EXE
PID 1668 wrote to memory of 2024	1668	rundll32.exe	RUNDLL32.EXE
PID 1668 wrote to memory of 2024	1668	rundll32.exe	RUNDLL32.EXE
PID 1668 wrote to memory of 2024	1668	rundll32.exe	RUNDLL32.EXE
PID 1912 wrote to memory of 912	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 912	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 912	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 912	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 912	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 912	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 912	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 2024 wrote to memory of 1524	2024	RUNDLL32.EXE	rundll32.exe
PID 2024 wrote to memory of 1524	2024	RUNDLL32.EXE	rundll32.exe
PID 2024 wrote to memory of 1524	2024	RUNDLL32.EXE	rundll32.exe
PID 2024 wrote to memory of 1524	2024	RUNDLL32.EXE	rundll32.exe
PID 2024 wrote to memory of 1524	2024	RUNDLL32.EXE	rundll32.exe
PID 912 wrote to memory of 828	912	RUNDLL32.EXE	rundll32.exe
PID 912 wrote to memory of 828	912	RUNDLL32.EXE	rundll32.exe
PID 912 wrote to memory of 828	912	RUNDLL32.EXE	rundll32.exe
PID 912 wrote to memory of 828	912	RUNDLL32.EXE	rundll32.exe
PID 912 wrote to memory of 828	912	RUNDLL32.EXE	rundll32.exe
PID 828 wrote to memory of 296	828	rundll32.exe	ctfmon.exe
PID 828 wrote to memory of 296	828	rundll32.exe	ctfmon.exe
PID 828 wrote to memory of 296	828	rundll32.exe	ctfmon.exe
PID 1524 wrote to memory of 1648	1524	rundll32.exe	ctfmon.exe
PID 1524 wrote to memory of 1648	1524	rundll32.exe	ctfmon.exe
PID 1524 wrote to memory of 1648	1524	rundll32.exe	ctfmon.exe
PID 1912 wrote to memory of 1220	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1220	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1220	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1220	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1220	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1220	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1220	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1220 wrote to memory of 584	1220	RUNDLL32.EXE	rundll32.exe
PID 1220 wrote to memory of 584	1220	RUNDLL32.EXE	rundll32.exe
PID 1220 wrote to memory of 584	1220	RUNDLL32.EXE	rundll32.exe
PID 1220 wrote to memory of 584	1220	RUNDLL32.EXE	rundll32.exe
PID 1220 wrote to memory of 584	1220	RUNDLL32.EXE	rundll32.exe
PID 1912 wrote to memory of 1568	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1568	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1568	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1568	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1568	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1568	1912	RUNDLL32.EXE	RUNDLL32.EXE
PID 1912 wrote to memory of 1568	1912	RUNDLL32.EXE	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\warrant.exe
"C:\Users\Admin\AppData\Local\Temp\warrant.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,z C:\Users\Admin\AppData\Local\Temp\warrant.exe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,ijJXbHdTUlgy
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
4⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\ctfmon.exe
ctfmon.exe
5⤵
PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,jklF
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,HQsRVkk2N2M0
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
4⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\ctfmon.exe
ctfmon.exe
5⤵
PID:296

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,fzNLaQ==
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
4⤵
- Suspicious use of FindShellTrayWindow
PID:584

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,WkUUSzNTcTJQ
3⤵
- Loads dropped DLL
PID:1568

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
4⤵
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\utpgu.tmp
MD5
adbfd2f2f2deee461ed562254ea50719

SHA1
2fe203b8c51c911c121e4c0a658c6dd79e009ecd

SHA256
ecda5a216ce579172ce22d97e00cb3baa88fd6d4a191a9a1251931172ba51ef4

SHA512
f3568e58ea3d51e83ce861a5758bd08c155d359a9cc4b4e4e5db5aaf0c52d0374bdecedecc91a8c34f7df3fb65a412a4038f2914cd37b814c8ebb216572fae33

Download Submit
C:\ProgramData\utpgu.tmp
MD5
c8984e49a00323df913d63c6000a435e

SHA1
80e8677ff823cec8bc4dc39ba330f002c106f1c4

SHA256
d5bd3fe890110e18fdf5c38239e9d4bbf6e3cea8c7a3d2babf5b54ddbe205aa7

SHA512
fa71a099fe54fa8dced81b1e48fe64adebf79942783fa7cc7448fa5117cf32e4ea3f7fbbc52bf8c7adc8df4009a10447456d3372c86df27a144d910ca94a512e

Download Submit
C:\ProgramData\utpgu.tmp
MD5
580f13a2bf1f5cf29d48233ca8473167

SHA1
482261c7113c6e60f778d54e79c2311f9c73d3b5

SHA256
493f553f1b656f87ca1e691f9b9bb51cf5262a8e81655434e9e613b5eddb2431

SHA512
60077f77a4e949de6c7b065d98a43e3b467963a723d52789d9af37b0dfc1c271b08dcb6d765bf9fc19dddf532ef63f82ad1a4bb5b70a6ea538561ac83ba37fe0

Download Submit
C:\ProgramData\utpgu.tmp
MD5
580f13a2bf1f5cf29d48233ca8473167

SHA1
482261c7113c6e60f778d54e79c2311f9c73d3b5

SHA256
493f553f1b656f87ca1e691f9b9bb51cf5262a8e81655434e9e613b5eddb2431

SHA512
60077f77a4e949de6c7b065d98a43e3b467963a723d52789d9af37b0dfc1c271b08dcb6d765bf9fc19dddf532ef63f82ad1a4bb5b70a6ea538561ac83ba37fe0

Download Submit
C:\ProgramData\utpgu.tmp
MD5
1194f7f9a755a3ab76668c07b3f8cc69

SHA1
6d21382c3c7612b2dd5a80755d5d5aeeb7693a8f

SHA256
385f3cb14b2bdaf8ae5063a9a8da090fb764bb2a019caae3c675a78f789b5190

SHA512
8cba3290c0d921cb0b93defd6d126f44354f6a6c3391c7452f8d4d486d388798ef7e86b76b55fcc6bbd2eeadbefd72dab568fef1474979839e0778eef07b50fd

Download Submit
C:\ProgramData\utpgu.tmp
MD5
b75787c624c39566bf70d9e8d4b112b8

SHA1
d78609b67077eb665fb27a4afa93ec44d18bf97b

SHA256
44ccb723aa17b23efd1f7ea5d426475d372a014627ed3142afbb22e65f1d30fb

SHA512
8dd61fb615624fb6291a0a54c23378bf751bd3db8ff41daef2c3eb15a9ed726740ddbf1b010119edaec7c6e87868fdae10200119ec25fdef8f4495d1c75bdfba

Download Submit
C:\ProgramData\utpgu.tmp
MD5
c0f25078404d55fd7a0e44d2367e490f

SHA1
35b082b736f1774ca5c1d49e85d2fe2049a56072

SHA256
0e4b5e7ef6815c527be84af2ad7a22a86edf607f230b7ced69eb8b59b2b976f5

SHA512
4aaa3d4bbd9b6f04b94d76ee65723850a27f52fb209252240e446f60fc7afb4ce9c737750850e7d7fd36220cb0e66349ba7c2b6a276e7ebd951ed6d35075f190

Download Submit
C:\ProgramData\utpgu.tmp
MD5
adbfd2f2f2deee461ed562254ea50719

SHA1
2fe203b8c51c911c121e4c0a658c6dd79e009ecd

SHA256
ecda5a216ce579172ce22d97e00cb3baa88fd6d4a191a9a1251931172ba51ef4

SHA512
f3568e58ea3d51e83ce861a5758bd08c155d359a9cc4b4e4e5db5aaf0c52d0374bdecedecc91a8c34f7df3fb65a412a4038f2914cd37b814c8ebb216572fae33

Download Submit
C:\ProgramData\utpgu.tmp
MD5
adbfd2f2f2deee461ed562254ea50719

SHA1
2fe203b8c51c911c121e4c0a658c6dd79e009ecd

SHA256
ecda5a216ce579172ce22d97e00cb3baa88fd6d4a191a9a1251931172ba51ef4

SHA512
f3568e58ea3d51e83ce861a5758bd08c155d359a9cc4b4e4e5db5aaf0c52d0374bdecedecc91a8c34f7df3fb65a412a4038f2914cd37b814c8ebb216572fae33

Download Submit
C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
b31db2d86c5fa21132a2e0ffc64e1fe1

SHA1
8f6323d3bea231b74b2fe64ad3193608e5bd92a3

SHA256
81443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b

SHA512
8f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71

Download Submit
memory/296-134-0x0000000000000000-mapping.dmp

Download
memory/584-157-0x00000000FFB03CEC-mapping.dmp

Download
memory/584-160-0x0000000001E50000-0x0000000002012000-memory.dmp

Filesize
1.8MB

Download
memory/828-127-0x00000000FFB03CEC-mapping.dmp

Download
memory/828-133-0x0000000001E70000-0x0000000002032000-memory.dmp

Filesize
1.8MB

Download
memory/828-130-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/912-103-0x0000000002391000-0x0000000003391000-memory.dmp

Filesize
16.0MB

Download
memory/912-113-0x00000000034B0000-0x00000000035F0000-memory.dmp

Filesize
1.2MB

Download
memory/912-93-0x0000000000000000-mapping.dmp

Download
memory/912-126-0x00000000034B0000-0x00000000035F0000-memory.dmp

Filesize
1.2MB

Download
memory/912-125-0x00000000034B0000-0x00000000035F0000-memory.dmp

Filesize
1.2MB

Download
memory/912-124-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/912-107-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/912-122-0x00000000034B0000-0x00000000035F0000-memory.dmp

Filesize
1.2MB

Download
memory/912-115-0x00000000034B0000-0x00000000035F0000-memory.dmp

Filesize
1.2MB

Download
memory/912-118-0x00000000034B0000-0x00000000035F0000-memory.dmp

Filesize
1.2MB

Download
memory/912-111-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1220-151-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-145-0x0000000002431000-0x0000000003431000-memory.dmp

Filesize
16.0MB

Download
memory/1220-137-0x0000000000000000-mapping.dmp

Download
memory/1220-153-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-149-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-156-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-148-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-147-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1220-155-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-146-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1220-143-0x0000000001ED0000-0x000000000201E000-memory.dmp

Filesize
1.3MB

Download
memory/1524-110-0x0000000000190000-0x0000000000341000-memory.dmp

Filesize
1.7MB

Download
memory/1524-129-0x0000000000190000-0x0000000000341000-memory.dmp

Filesize
1.7MB

Download
memory/1524-131-0x0000000001ED0000-0x0000000002092000-memory.dmp

Filesize
1.8MB

Download
memory/1524-121-0x00000000FFB03CEC-mapping.dmp

Download
memory/1568-170-0x00000000023B1000-0x00000000033B1000-memory.dmp

Filesize
16.0MB

Download
memory/1568-168-0x00000000007A0000-0x00000000008EE000-memory.dmp

Filesize
1.3MB

Download
memory/1568-162-0x0000000000000000-mapping.dmp

Download
memory/1572-55-0x0000000002DD0000-0x0000000002EB3000-memory.dmp

Filesize
908KB

Download
memory/1572-56-0x0000000004670000-0x000000000476A000-memory.dmp

Filesize
1000KB

Download
memory/1572-57-0x0000000000400000-0x0000000002C59000-memory.dmp

Filesize
40.3MB

Download
memory/1572-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1648-135-0x0000000000000000-mapping.dmp

Download
memory/1668-67-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1668-58-0x0000000000000000-mapping.dmp

Download
memory/1668-65-0x0000000001EB0000-0x0000000001FFE000-memory.dmp

Filesize
1.3MB

Download
memory/1668-66-0x0000000002831000-0x0000000003831000-memory.dmp

Filesize
16.0MB

Download
memory/1912-80-0x00000000009A0000-0x0000000000AEE000-memory.dmp

Filesize
1.3MB

Download
memory/1912-74-0x0000000000000000-mapping.dmp

Download
memory/1912-82-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1912-81-0x0000000002351000-0x0000000003351000-memory.dmp

Filesize
16.0MB

Download
memory/2024-109-0x0000000003400000-0x0000000003540000-memory.dmp

Filesize
1.2MB

Download
memory/2024-102-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2024-120-0x0000000003400000-0x0000000003540000-memory.dmp

Filesize
1.2MB

Download
memory/2024-116-0x0000000003400000-0x0000000003540000-memory.dmp

Filesize
1.2MB

Download
memory/2024-114-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2024-105-0x0000000003400000-0x0000000003540000-memory.dmp

Filesize
1.2MB

Download
memory/2024-92-0x0000000000820000-0x000000000096E000-memory.dmp

Filesize
1.3MB

Download
memory/2024-106-0x0000000003400000-0x0000000003540000-memory.dmp

Filesize
1.2MB

Download
memory/2024-104-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2024-101-0x0000000002331000-0x0000000003331000-memory.dmp

Filesize
16.0MB

Download
memory/2024-86-0x0000000000000000-mapping.dmp

Download
memory/2024-112-0x0000000003400000-0x0000000003540000-memory.dmp

Filesize
1.2MB

Download
memory/2040-69-0x0000000001DA0000-0x0000000001EEE000-memory.dmp

Filesize
1.3MB

Download
memory/2040-72-0x0000000002341000-0x0000000003341000-memory.dmp

Filesize
16.0MB

Download
memory/2040-73-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download