Analysis
max time kernel: 299s
max time network: 233s
platform: windows7_x64
resource: win7-en-20211208
submitted: 09-01-2022 20:57
Static task: static1
Behavioral task: behavioral1
Sample: warrant.exe
Resource: win7-en-20211208
General
Target: warrant.exe
Size: 1.1MB
MD5: 63d9b309582fbf651840182519c04f18
SHA1: 742539d685093f276242b1ca3fae82c0d20cad6a
SHA256: 8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3
SHA512: c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385
Malware Config
Extracted
Family: danabot
Botnet: 4
C2: 192.119.110.4:443
C2: 103.175.16.113:443
embedded_hash: 422236FD601D11EE82825A484D26DD6F
type: loader
Signatures
Danabot Loader Component (32 IoCs)
Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
2 | 1668 | rundll32.exe
4 | 1668 | rundll32.exe
5 | 1912 | RUNDLL32.EXE
Sets DLL path for service in the registry (2 TTPs)
Sets service image path in registry (2 TTPs)
Loads dropped DLL (25 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\B: | RUNDLL32.EXE
File opened (read-only) | \??\A: | rundll32.exe
File opened (read-only) | \??\B: | rundll32.exe
File opened (read-only) | \??\A: | RUNDLL32.EXE
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | RUNDLL32.EXE
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 2024 set thread context of 1524 | 2024 | RUNDLL32.EXE | rundll32.exe
PID 912 set thread context of 828 | 912 | RUNDLL32.EXE | rundll32.exe
PID 1220 set thread context of 584 | 1220 | RUNDLL32.EXE | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
Modifies system certificate store
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ED1F6E31872ADF3C7B89F170418C3CB5E579E532\Blob = [blob data omitted] | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D25240A1A8A23920C33430250B087E9DD2F7F7BE | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D25240A1A8A23920C33430250B087E9DD2F7F7BE\Blob = [blob data omitted] | RUNDLL32.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ED1F6E31872ADF3C7B89F170418C3CB5E579E532 | rundll32.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1668 | rundll32.exe
Token: SeDebugPrivilege | 1912 | RUNDLL32.EXE
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
pid | process
828 | rundll32.exe
1524 | rundll32.exe
584 | rundll32.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes (the number before each image path is its depth in the process tree; children are indented under their parent)

1 C:\Users\Admin\AppData\Local\Temp\warrant.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\warrant.exe"
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,z C:\Users\Admin\AppData\Local\Temp\warrant.exe
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,ijJXbHdTUlgy
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\system32\ctfmon.exe
          Command line: ctfmon.exe

1 C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\RUNDLL32.EXE
    Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,jklF
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,HQsRVkk2N2M0
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\system32\ctfmon.exe
          Command line: ctfmon.exe
    3 C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,fzNLaQ==
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
        - Suspicious use of FindShellTrayWindow
    3 C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,WkUUSzNTcTJQ
      - Loads dropped DLL
      4 C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6398
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\utpgu.tmpMD5
adbfd2f2f2deee461ed562254ea50719
SHA12fe203b8c51c911c121e4c0a658c6dd79e009ecd
SHA256ecda5a216ce579172ce22d97e00cb3baa88fd6d4a191a9a1251931172ba51ef4
SHA512f3568e58ea3d51e83ce861a5758bd08c155d359a9cc4b4e4e5db5aaf0c52d0374bdecedecc91a8c34f7df3fb65a412a4038f2914cd37b814c8ebb216572fae33
-
C:\ProgramData\utpgu.tmpMD5
c8984e49a00323df913d63c6000a435e
SHA180e8677ff823cec8bc4dc39ba330f002c106f1c4
SHA256d5bd3fe890110e18fdf5c38239e9d4bbf6e3cea8c7a3d2babf5b54ddbe205aa7
SHA512fa71a099fe54fa8dced81b1e48fe64adebf79942783fa7cc7448fa5117cf32e4ea3f7fbbc52bf8c7adc8df4009a10447456d3372c86df27a144d910ca94a512e
-
C:\ProgramData\utpgu.tmpMD5
580f13a2bf1f5cf29d48233ca8473167
SHA1482261c7113c6e60f778d54e79c2311f9c73d3b5
SHA256493f553f1b656f87ca1e691f9b9bb51cf5262a8e81655434e9e613b5eddb2431
SHA51260077f77a4e949de6c7b065d98a43e3b467963a723d52789d9af37b0dfc1c271b08dcb6d765bf9fc19dddf532ef63f82ad1a4bb5b70a6ea538561ac83ba37fe0
-
C:\ProgramData\utpgu.tmpMD5
580f13a2bf1f5cf29d48233ca8473167
SHA1482261c7113c6e60f778d54e79c2311f9c73d3b5
SHA256493f553f1b656f87ca1e691f9b9bb51cf5262a8e81655434e9e613b5eddb2431
SHA51260077f77a4e949de6c7b065d98a43e3b467963a723d52789d9af37b0dfc1c271b08dcb6d765bf9fc19dddf532ef63f82ad1a4bb5b70a6ea538561ac83ba37fe0
-
C:\ProgramData\utpgu.tmpMD5
1194f7f9a755a3ab76668c07b3f8cc69
SHA16d21382c3c7612b2dd5a80755d5d5aeeb7693a8f
SHA256385f3cb14b2bdaf8ae5063a9a8da090fb764bb2a019caae3c675a78f789b5190
SHA5128cba3290c0d921cb0b93defd6d126f44354f6a6c3391c7452f8d4d486d388798ef7e86b76b55fcc6bbd2eeadbefd72dab568fef1474979839e0778eef07b50fd
-
C:\ProgramData\utpgu.tmpMD5
b75787c624c39566bf70d9e8d4b112b8
SHA1d78609b67077eb665fb27a4afa93ec44d18bf97b
SHA25644ccb723aa17b23efd1f7ea5d426475d372a014627ed3142afbb22e65f1d30fb
SHA5128dd61fb615624fb6291a0a54c23378bf751bd3db8ff41daef2c3eb15a9ed726740ddbf1b010119edaec7c6e87868fdae10200119ec25fdef8f4495d1c75bdfba
-
C:\ProgramData\utpgu.tmpMD5
c0f25078404d55fd7a0e44d2367e490f
SHA135b082b736f1774ca5c1d49e85d2fe2049a56072
SHA2560e4b5e7ef6815c527be84af2ad7a22a86edf607f230b7ced69eb8b59b2b976f5
SHA5124aaa3d4bbd9b6f04b94d76ee65723850a27f52fb209252240e446f60fc7afb4ce9c737750850e7d7fd36220cb0e66349ba7c2b6a276e7ebd951ed6d35075f190
-
C:\ProgramData\utpgu.tmpMD5
adbfd2f2f2deee461ed562254ea50719
SHA12fe203b8c51c911c121e4c0a658c6dd79e009ecd
SHA256ecda5a216ce579172ce22d97e00cb3baa88fd6d4a191a9a1251931172ba51ef4
SHA512f3568e58ea3d51e83ce861a5758bd08c155d359a9cc4b4e4e5db5aaf0c52d0374bdecedecc91a8c34f7df3fb65a412a4038f2914cd37b814c8ebb216572fae33
-
C:\ProgramData\utpgu.tmpMD5
adbfd2f2f2deee461ed562254ea50719
SHA12fe203b8c51c911c121e4c0a658c6dd79e009ecd
SHA256ecda5a216ce579172ce22d97e00cb3baa88fd6d4a191a9a1251931172ba51ef4
SHA512f3568e58ea3d51e83ce861a5758bd08c155d359a9cc4b4e4e5db5aaf0c52d0374bdecedecc91a8c34f7df3fb65a412a4038f2914cd37b814c8ebb216572fae33
-
C:\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
\Users\Admin\AppData\Local\Temp\warrant.exe.dllMD5
b31db2d86c5fa21132a2e0ffc64e1fe1
SHA18f6323d3bea231b74b2fe64ad3193608e5bd92a3
SHA25681443e2a6965111a538ef6a153042712a253d1612a8536e89e3699adae0c166b
SHA5128f09d8f6e78042dba834214562985efeac8dd6e6c42e3229752ebf1b8fa0579de8183dfc4e84069948880b99f5eb4aeaf047c06676e7f39d5aafd7b4f9db4b71
-
memory/296-134-0x0000000000000000-mapping.dmp
-
memory/584-157-0x00000000FFB03CEC-mapping.dmp
-
memory/584-160-0x0000000001E50000-0x0000000002012000-memory.dmp
Filesize
1.8MB
-
memory/828-127-0x00000000FFB03CEC-mapping.dmp
-
memory/828-133-0x0000000001E70000-0x0000000002032000-memory.dmp
Filesize
1.8MB
-
memory/828-130-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp
Filesize
8KB
-
memory/912-103-0x0000000002391000-0x0000000003391000-memory.dmp
Filesize
16.0MB
-
memory/912-113-0x00000000034B0000-0x00000000035F0000-memory.dmp
Filesize
1.2MB
-
memory/912-93-0x0000000000000000-mapping.dmp
-
memory/912-126-0x00000000034B0000-0x00000000035F0000-memory.dmp
Filesize
1.2MB
-
memory/912-125-0x00000000034B0000-0x00000000035F0000-memory.dmp
Filesize
1.2MB
-
memory/912-124-0x0000000000230000-0x0000000000231000-memory.dmp
Filesize
4KB
-
memory/912-107-0x0000000000F00000-0x0000000000F01000-memory.dmp
Filesize
4KB
-
memory/912-122-0x00000000034B0000-0x00000000035F0000-memory.dmp
Filesize
1.2MB
-
memory/912-115-0x00000000034B0000-0x00000000035F0000-memory.dmp
Filesize
1.2MB
-
memory/912-118-0x00000000034B0000-0x00000000035F0000-memory.dmp
Filesize
1.2MB
-
memory/912-111-0x0000000000220000-0x0000000000221000-memory.dmp
Filesize
4KB
-
memory/1220-151-0x0000000003570000-0x00000000036B0000-memory.dmp
Filesize
1.2MB
-
memory/1220-145-0x0000000002431000-0x0000000003431000-memory.dmp
Filesize
16.0MB
-
memory/1220-137-0x0000000000000000-mapping.dmp
-
memory/1220-153-0x0000000003570000-0x00000000036B0000-memory.dmp
Filesize
1.2MB
-
memory/1220-149-0x0000000003570000-0x00000000036B0000-memory.dmp
Filesize
1.2MB
-
memory/1220-156-0x0000000003570000-0x00000000036B0000-memory.dmp
Filesize
1.2MB
-
memory/1220-148-0x0000000003570000-0x00000000036B0000-memory.dmp
Filesize
1.2MB
-
memory/1220-147-0x00000000001E0000-0x00000000001E1000-memory.dmp
Filesize
4KB
-
memory/1220-155-0x0000000003570000-0x00000000036B0000-memory.dmp
Filesize
1.2MB
-
memory/1220-146-0x0000000003450000-0x0000000003451000-memory.dmp
Filesize
4KB
-
memory/1220-143-0x0000000001ED0000-0x000000000201E000-memory.dmp
Filesize
1.3MB
-
memory/1524-110-0x0000000000190000-0x0000000000341000-memory.dmp
Filesize
1.7MB
-
memory/1524-129-0x0000000000190000-0x0000000000341000-memory.dmp
Filesize
1.7MB
-
memory/1524-131-0x0000000001ED0000-0x0000000002092000-memory.dmp
Filesize
1.8MB
-
memory/1524-121-0x00000000FFB03CEC-mapping.dmp
-
memory/1568-170-0x00000000023B1000-0x00000000033B1000-memory.dmp
Filesize
16.0MB
-
memory/1568-168-0x00000000007A0000-0x00000000008EE000-memory.dmp
Filesize
1.3MB
-
memory/1568-162-0x0000000000000000-mapping.dmp
-
memory/1572-55-0x0000000002DD0000-0x0000000002EB3000-memory.dmp
Filesize
908KB
-
memory/1572-56-0x0000000004670000-0x000000000476A000-memory.dmp
Filesize
1000KB
-
memory/1572-57-0x0000000000400000-0x0000000002C59000-memory.dmp
Filesize
40.3MB
-
memory/1572-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
Filesize
8KB
-
memory/1648-135-0x0000000000000000-mapping.dmp
-
memory/1668-67-0x0000000002140000-0x0000000002141000-memory.dmp
Filesize
4KB
-
memory/1668-58-0x0000000000000000-mapping.dmp
-
memory/1668-65-0x0000000001EB0000-0x0000000001FFE000-memory.dmp
Filesize
1.3MB
-
memory/1668-66-0x0000000002831000-0x0000000003831000-memory.dmp
Filesize
16.0MB
-
memory/1912-80-0x00000000009A0000-0x0000000000AEE000-memory.dmp
Filesize
1.3MB
-
memory/1912-74-0x0000000000000000-mapping.dmp
-
memory/1912-82-0x0000000000F10000-0x0000000000F11000-memory.dmp
Filesize
4KB
-
memory/1912-81-0x0000000002351000-0x0000000003351000-memory.dmp
Filesize
16.0MB
-
memory/2024-109-0x0000000003400000-0x0000000003540000-memory.dmp
Filesize
1.2MB
-
memory/2024-102-0x0000000000970000-0x0000000000971000-memory.dmp
Filesize
4KB
-
memory/2024-120-0x0000000003400000-0x0000000003540000-memory.dmp
Filesize
1.2MB
-
memory/2024-116-0x0000000003400000-0x0000000003540000-memory.dmp
Filesize
1.2MB
-
memory/2024-114-0x00000000002C0000-0x00000000002C1000-memory.dmp
Filesize
4KB
-
memory/2024-105-0x0000000003400000-0x0000000003540000-memory.dmp
Filesize
1.2MB
-
memory/2024-92-0x0000000000820000-0x000000000096E000-memory.dmp
Filesize
1.3MB
-
memory/2024-106-0x0000000003400000-0x0000000003540000-memory.dmp
Filesize
1.2MB
-
memory/2024-104-0x00000000001F0000-0x00000000001F1000-memory.dmp
Filesize
4KB
-
memory/2024-101-0x0000000002331000-0x0000000003331000-memory.dmp
Filesize
16.0MB
-
memory/2024-86-0x0000000000000000-mapping.dmp
-
memory/2024-112-0x0000000003400000-0x0000000003540000-memory.dmp
Filesize
1.2MB
-
memory/2040-69-0x0000000001DA0000-0x0000000001EEE000-memory.dmp
Filesize
1.3MB
-
memory/2040-72-0x0000000002341000-0x0000000003341000-memory.dmp
Filesize
16.0MB
-
memory/2040-73-0x0000000003560000-0x0000000003561000-memory.dmp
Filesize
4KB