danabot | 8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

Resubmissions

09-01-2022 20:57

220109-zryfwadfg8 10

09-01-2022 15:48

220109-s8xgksdhfn 10

Analysis

max time kernel
299s
max time network
216s
platform
windows10_x64
resource
win10-en-20211208
submitted
09-01-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

warrant.exe
Size

1.1MB
MD5

63d9b309582fbf651840182519c04f18
SHA1

742539d685093f276242b1ca3fae82c0d20cad6a
SHA256

8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3
SHA512

c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

Botnet

192.119.110.4:443

103.175.16.113:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll	DanabotLoader2021

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

26 3096 rundll32.exe
28 3096 rundll32.exe
29 416 RUNDLL32.EXE
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 8 IoCs

Processes:

rundll32.exesvchost.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

3096 rundll32.exe
588 svchost.exe
416 RUNDLL32.EXE
632 RUNDLL32.EXE
2780 RUNDLL32.EXE
3948 RUNDLL32.EXE
3624 RUNDLL32.EXE
3624 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
26	3096	rundll32.exe
28	3096	rundll32.exe
29	416	RUNDLL32.EXE

pid	process
3096	rundll32.exe
588	svchost.exe
416	RUNDLL32.EXE
632	RUNDLL32.EXE
2780	RUNDLL32.EXE
3948	RUNDLL32.EXE
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exeRUNDLL32.EXE

description	ioc	process
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\J:	RUNDLL32.EXE
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\P:	RUNDLL32.EXE
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\Y:	RUNDLL32.EXE
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\A:	RUNDLL32.EXE
File opened (read-only)	\??\B:	RUNDLL32.EXE
File opened (read-only)	\??\G:	RUNDLL32.EXE
File opened (read-only)	\??\I:	RUNDLL32.EXE
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\N:	RUNDLL32.EXE
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\V:	RUNDLL32.EXE
File opened (read-only)	\??\Z:	RUNDLL32.EXE
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\T:	RUNDLL32.EXE
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\E:	RUNDLL32.EXE
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\M:	RUNDLL32.EXE
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\R:	RUNDLL32.EXE
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\O:	RUNDLL32.EXE
File opened (read-only)	\??\U:	RUNDLL32.EXE
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\H:	RUNDLL32.EXE
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\Q:	RUNDLL32.EXE
File opened (read-only)	\??\X:	RUNDLL32.EXE
File opened (read-only)	\??\F:	RUNDLL32.EXE
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\K:	RUNDLL32.EXE
File opened (read-only)	\??\L:	RUNDLL32.EXE
File opened (read-only)	\??\S:	RUNDLL32.EXE
File opened (read-only)	\??\W:	RUNDLL32.EXE

Drops file in System32 directory 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	RUNDLL32.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

RUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

description	pid	process	target process
PID 632 set thread context of 1152	632	RUNDLL32.EXE	rundll32.exe
PID 2780 set thread context of 1788	2780	RUNDLL32.EXE	rundll32.exe
PID 3948 set thread context of 2252	3948	RUNDLL32.EXE	rundll32.exe
PID 3624 set thread context of 3532	3624	RUNDLL32.EXE	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXErundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXEsvchost.exeRUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8A3F5EC93D08B16E1425179F886486784F300CE	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8A3F5EC93D08B16E1425179F886486784F300CE\Blob = 030000000100000014000000e8a3f5ec93d08b16e1425179f886486784f300ce2000000001000000c0020000308202bc30820225a00302010202080d88073b09c39392300d06092a864886f70d01010b050030783138303606035504030c2f566572695369676e20556e6976657273616c20526f67742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3230303131303231303132325a170d3234303130393231303132325a30783138303606035504030c2f566572695369676e20556e6976657273616c20526f67742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100b1956e8e694bbe488540b1ba629c8858cc196bf0efdd57ae7b400e6733722f31c7791707ea978a909cb199b169cef5e19e09be8c08135c46a44c4efd28473d8b6c1b307ee1ee8156273d38a9ef7372a638ee5b5fd396a61dc82bb7174c6c1a4b4fb286713dee23314a6fdf6fce3b70c5c2728d0430b526f1323bf8c5b33b06590203010001a34f304d300f0603551d130101ff040530030101ff303a0603551d1104333031822f566572695369676e20556e6976657273616c20526f67742043657274696669636174696f6e20417574686f72697479300d06092a864886f70d01010b05000381810043f6bac25d694ac5ff84d1e5d1a36e7d279944a883b8433e97420d9fe69f7f2506eb64181a1876f1d05cc1951d18bbc975f2f3820d014e2a2302a9ec6b038fe25390bdd4c7e3da029cb56e294e459ac7d1906f48ec9244af8e9f9c4c19c4603d8bb8fede5c0432cbb46a3a1f1c2f8410a513397bc758e4d30da58f0e38e50dae	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\47AFC8C8F97C03CBC55EFACFB631EA3DE50F24F8	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\47AFC8C8F97C03CBC55EFACFB631EA3DE50F24F8\Blob = 03000000010000001400000047afc8c8f97c03cbc55efacfb631ea3de50f24f820000000010000009602000030820292308201fba00302010202084067dd6241446922300d06092a864886f70d01010b050030643136303406035504030c2d53796d616e74656320456e7465726b72697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b3009060355040613025553301e170d3230303131303231303132325a170d3234303130393231303132325a30643136303406035504030c2d53796d616e74656320456e7465726b72697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d003081890281810095177f1283a339464db7e8225092b901a7325a8d524d13d9678c682065b68f5209b47ddab9d9da59476c00d84d3a6090ee155cddfdc4e5858f978f3c216d3036312085202d410f6191515f92797f31439483e067aa2c62809951b4c912dc1f345a6305a69edba8c0dc339f2d8809ef5bdd3f274cc2abda5b6eb0e82d226f35550203010001a34d304b300f0603551d130101ff040530030101ff30380603551d110431302f822d53796d616e74656320456e7465726b72697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674300d06092a864886f70d01010b05000381810089242e426d3242261c7922dbfc2230885191ceaf1a03d818f996ac69ae6c575f63101654d75862608fcf5e61dde234998b50d08460730436c9c5ceb5eb9ae081aa6f4ef0fc3c5d576210f66a38a74f3a838be61eeedb578a012d7e13991314db56d94e015c38a19e00e534c2c03dcf0c4814431b8724554722473e7e5509fa3e	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

svchost.exerundll32.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid	process
588	svchost.exe
588	svchost.exe
3096	rundll32.exe
3096	rundll32.exe
416	RUNDLL32.EXE
416	RUNDLL32.EXE
416	RUNDLL32.EXE
416	RUNDLL32.EXE
3096	rundll32.exe
3096	rundll32.exe
416	RUNDLL32.EXE
416	RUNDLL32.EXE
3096	rundll32.exe
3096	rundll32.exe
2848	powershell.exe
2848	powershell.exe
2848	powershell.exe
632	RUNDLL32.EXE
632	RUNDLL32.EXE
2780	RUNDLL32.EXE
2780	RUNDLL32.EXE
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
3948	RUNDLL32.EXE
3948	RUNDLL32.EXE
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE
588	svchost.exe
588	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exerundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 2848 powershell.exe
Token: SeDebugPrivilege 3096 rundll32.exe
Token: SeDebugPrivilege 416 RUNDLL32.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

1152 rundll32.exe
1788 rundll32.exe
2252 rundll32.exe
3532 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	3096	rundll32.exe
Token: SeDebugPrivilege	416	RUNDLL32.EXE

pid	process
1152	rundll32.exe
1788	rundll32.exe
2252	rundll32.exe
3532	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

warrant.exesvchost.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

description	pid	process	target process
PID 2608 wrote to memory of 3096	2608	warrant.exe	rundll32.exe
PID 2608 wrote to memory of 3096	2608	warrant.exe	rundll32.exe
PID 2608 wrote to memory of 3096	2608	warrant.exe	rundll32.exe
PID 588 wrote to memory of 416	588	svchost.exe	RUNDLL32.EXE
PID 588 wrote to memory of 416	588	svchost.exe	RUNDLL32.EXE
PID 588 wrote to memory of 416	588	svchost.exe	RUNDLL32.EXE
PID 3096 wrote to memory of 2848	3096	rundll32.exe	powershell.exe
PID 3096 wrote to memory of 2848	3096	rundll32.exe	powershell.exe
PID 3096 wrote to memory of 2848	3096	rundll32.exe	powershell.exe
PID 3096 wrote to memory of 632	3096	rundll32.exe	RUNDLL32.EXE
PID 3096 wrote to memory of 632	3096	rundll32.exe	RUNDLL32.EXE
PID 3096 wrote to memory of 632	3096	rundll32.exe	RUNDLL32.EXE
PID 416 wrote to memory of 2780	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 416 wrote to memory of 2780	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 416 wrote to memory of 2780	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 632 wrote to memory of 1152	632	RUNDLL32.EXE	rundll32.exe
PID 632 wrote to memory of 1152	632	RUNDLL32.EXE	rundll32.exe
PID 632 wrote to memory of 1152	632	RUNDLL32.EXE	rundll32.exe
PID 1152 wrote to memory of 1608	1152	rundll32.exe	ctfmon.exe
PID 1152 wrote to memory of 1608	1152	rundll32.exe	ctfmon.exe
PID 2780 wrote to memory of 1788	2780	RUNDLL32.EXE	rundll32.exe
PID 2780 wrote to memory of 1788	2780	RUNDLL32.EXE	rundll32.exe
PID 2780 wrote to memory of 1788	2780	RUNDLL32.EXE	rundll32.exe
PID 416 wrote to memory of 3948	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 416 wrote to memory of 3948	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 416 wrote to memory of 3948	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 3948 wrote to memory of 2252	3948	RUNDLL32.EXE	rundll32.exe
PID 3948 wrote to memory of 2252	3948	RUNDLL32.EXE	rundll32.exe
PID 3948 wrote to memory of 2252	3948	RUNDLL32.EXE	rundll32.exe
PID 416 wrote to memory of 3624	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 416 wrote to memory of 3624	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 416 wrote to memory of 3624	416	RUNDLL32.EXE	RUNDLL32.EXE
PID 3624 wrote to memory of 3532	3624	RUNDLL32.EXE	rundll32.exe
PID 3624 wrote to memory of 3532	3624	RUNDLL32.EXE	rundll32.exe
PID 3624 wrote to memory of 3532	3624	RUNDLL32.EXE	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\warrant.exe
"C:\Users\Admin\AppData\Local\Temp\warrant.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,z C:\Users\Admin\AppData\Local\Temp\warrant.exe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,aglgd0Q=
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
4⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\ctfmon.exe
ctfmon.exe
5⤵
PID:1608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,lDhcNHE=
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,kEZJMkI=
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1788

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,nk5PbHk1dE1Q
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2252

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,YTomQkVXTFc=
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\utpgu.tmp
MD5
b75787c624c39566bf70d9e8d4b112b8

SHA1
d78609b67077eb665fb27a4afa93ec44d18bf97b

SHA256
44ccb723aa17b23efd1f7ea5d426475d372a014627ed3142afbb22e65f1d30fb

SHA512
8dd61fb615624fb6291a0a54c23378bf751bd3db8ff41daef2c3eb15a9ed726740ddbf1b010119edaec7c6e87868fdae10200119ec25fdef8f4495d1c75bdfba

Download Submit
C:\ProgramData\utpgu.tmp
MD5
798fb476020239874b47ad9040585f95

SHA1
703bf5763b41b46eb508ef7f218d0ed3e28a5144

SHA256
0755ae426ff4225c7e112acad81c1dc7175245839cbc6659db4ae4bf5a1b3847

SHA512
4709ac75225ccca01d24cffcb6584038cac8686ff679822bbdf4aa36f9edccabae56f81759cf5b26b737c5a13bd45d598a61219f9a9b0ddeef1d78baeefb5c7c

Download Submit
C:\ProgramData\utpgu.tmp
MD5
4c2a09f76a4b515f9d8593ff80f2b321

SHA1
233470f4e837ce05d03d3f849d12c1db8f75cc15

SHA256
29c02423ab03379ec030e7b33be97ea466479a5bb4dac24196e1acc7cfdc5671

SHA512
19cb56227afcb6d76ca29db1b6eaad96827068dd9d670e5ff6b50142ccf4d416ebe644edf86bffb03f2ac0164dbb03adf57556cb1dbdabe7e8acfe6f8bca3dde

Download Submit
C:\ProgramData\utpgu.tmp
MD5
9f9f304dd537db3f3e26ef8d4b48dc18

SHA1
1e9d23723e4b668409cf9db33bbc3286ec74e392

SHA256
5ef1699d259c280697ae3ea1a372a247d1690788da7785dd0bf629cb6ea94cb4

SHA512
1cbaa74b858eef8c7b2a3dccd916a811f0678881a21370779ac89059e78358fe68a6f10cde90ce2b8269a38bdb2acdeaf1e8b5eee71c683486b2de1c4587910d

Download Submit
C:\ProgramData\utpgu.tmp
MD5
9f9f304dd537db3f3e26ef8d4b48dc18

SHA1
1e9d23723e4b668409cf9db33bbc3286ec74e392

SHA256
5ef1699d259c280697ae3ea1a372a247d1690788da7785dd0bf629cb6ea94cb4

SHA512
1cbaa74b858eef8c7b2a3dccd916a811f0678881a21370779ac89059e78358fe68a6f10cde90ce2b8269a38bdb2acdeaf1e8b5eee71c683486b2de1c4587910d

Download Submit
C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
\Users\Admin\AppData\Local\Temp\warrant.exe.dll
MD5
50b6f4057987242251898d8748afd51e

SHA1
171f85794faae4a0808a620a0424d077ecfc5252

SHA256
913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a

SHA512
1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Download Submit
memory/416-127-0x0000000000000000-mapping.dmp

Download
memory/416-129-0x0000000004A51000-0x0000000005A51000-memory.dmp

Filesize
16.0MB

Download
memory/416-130-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/588-125-0x0000000003D71000-0x0000000004D71000-memory.dmp

Filesize
16.0MB

Download
memory/588-126-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/632-218-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/632-215-0x0000000005CC0000-0x0000000005E00000-memory.dmp

Filesize
1.2MB

Download
memory/632-184-0x0000000004BF1000-0x0000000005BF1000-memory.dmp

Filesize
16.0MB

Download
memory/632-194-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/632-162-0x0000000000000000-mapping.dmp

Download
memory/632-203-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/632-205-0x0000000005CC0000-0x0000000005E00000-memory.dmp

Filesize
1.2MB

Download
memory/632-207-0x0000000005CC0000-0x0000000005E00000-memory.dmp

Filesize
1.2MB

Download
memory/632-212-0x0000000005CC0000-0x0000000005E00000-memory.dmp

Filesize
1.2MB

Download
memory/632-219-0x0000000005CC0000-0x0000000005E00000-memory.dmp

Filesize
1.2MB

Download
memory/1152-230-0x0000015522150000-0x0000015522312000-memory.dmp

Filesize
1.8MB

Download
memory/1152-228-0x0000000000D50000-0x0000000000F01000-memory.dmp

Filesize
1.7MB

Download
memory/1152-223-0x00007FF747375FD0-mapping.dmp

Download
memory/1608-235-0x0000000000000000-mapping.dmp

Download
memory/1788-273-0x00007FF747375FD0-mapping.dmp

Download
memory/1788-278-0x000002AD28870000-0x000002AD28A32000-memory.dmp

Filesize
1.8MB

Download
memory/2252-445-0x00000184FD2F0000-0x00000184FD4B2000-memory.dmp

Filesize
1.8MB

Download
memory/2252-440-0x00007FF747375FD0-mapping.dmp

Download
memory/2608-117-0x0000000000400000-0x0000000002C59000-memory.dmp

Filesize
40.3MB

Download
memory/2608-115-0x0000000004AE0000-0x0000000004BC3000-memory.dmp

Filesize
908KB

Download
memory/2608-116-0x0000000004BD0000-0x0000000004CCA000-memory.dmp

Filesize
1000KB

Download
memory/2780-279-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/2780-193-0x0000000000000000-mapping.dmp

Download
memory/2780-277-0x0000000005351000-0x0000000006351000-memory.dmp

Filesize
16.0MB

Download
memory/2848-136-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/2848-138-0x0000000007810000-0x0000000007832000-memory.dmp

Filesize
136KB

Download
memory/2848-171-0x0000000009DB0000-0x0000000009E44000-memory.dmp

Filesize
592KB

Download
memory/2848-172-0x0000000007383000-0x0000000007384000-memory.dmp

Filesize
4KB

Download
memory/2848-168-0x000000007F3E0000-0x000000007F3E1000-memory.dmp

Filesize
4KB

Download
memory/2848-163-0x0000000009850000-0x000000000986E000-memory.dmp

Filesize
120KB

Download
memory/2848-161-0x00000000089B0000-0x0000000008A26000-memory.dmp

Filesize
472KB

Download
memory/2848-160-0x0000000008BD0000-0x0000000008C1B000-memory.dmp

Filesize
300KB

Download
memory/2848-159-0x0000000008160000-0x00000000081C6000-memory.dmp

Filesize
408KB

Download
memory/2848-158-0x00000000080F0000-0x0000000008156000-memory.dmp

Filesize
408KB

Download
memory/2848-157-0x0000000007810000-0x0000000007832000-memory.dmp

Filesize
136KB

Download
memory/2848-156-0x0000000009870000-0x00000000098A3000-memory.dmp

Filesize
204KB

Download
memory/2848-155-0x0000000009870000-0x00000000098A3000-memory.dmp

Filesize
204KB

Download
memory/2848-154-0x00000000079C0000-0x0000000007FE8000-memory.dmp

Filesize
6.2MB

Download
memory/2848-146-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2848-145-0x00000000089B0000-0x0000000008A26000-memory.dmp

Filesize
472KB

Download
memory/2848-143-0x0000000008BD0000-0x0000000008C1B000-memory.dmp

Filesize
300KB

Download
memory/2848-142-0x0000000008590000-0x00000000085AC000-memory.dmp

Filesize
112KB

Download
memory/2848-141-0x00000000081E0000-0x0000000008530000-memory.dmp

Filesize
3.3MB

Download
memory/2848-140-0x0000000008160000-0x00000000081C6000-memory.dmp

Filesize
408KB

Download
memory/2848-139-0x00000000080F0000-0x0000000008156000-memory.dmp

Filesize
408KB

Download
memory/2848-170-0x0000000009BE0000-0x0000000009C85000-memory.dmp

Filesize
660KB

Download
memory/2848-137-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/2848-135-0x00000000079C0000-0x0000000007FE8000-memory.dmp

Filesize
6.2MB

Download
memory/2848-404-0x0000000009CB0000-0x0000000009CCA000-memory.dmp

Filesize
104KB

Download
memory/2848-409-0x0000000009CB0000-0x0000000009CCA000-memory.dmp

Filesize
104KB

Download
memory/2848-410-0x0000000009CA0000-0x0000000009CA8000-memory.dmp

Filesize
32KB

Download
memory/2848-415-0x0000000009CA0000-0x0000000009CA8000-memory.dmp

Filesize
32KB

Download
memory/2848-131-0x0000000000000000-mapping.dmp

Download
memory/2848-134-0x00000000071E0000-0x0000000007216000-memory.dmp

Filesize
216KB

Download
memory/2848-133-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2848-132-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3096-122-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/3096-121-0x0000000004B11000-0x0000000005B11000-memory.dmp

Filesize
16.0MB

Download
memory/3096-118-0x0000000000000000-mapping.dmp

Download
memory/3532-463-0x00007FF747375FD0-mapping.dmp

Download
memory/3532-468-0x000002E67B370000-0x000002E67B532000-memory.dmp

Filesize
1.8MB

Download
memory/3624-446-0x0000000000000000-mapping.dmp

Download
memory/3624-453-0x0000000004801000-0x0000000005801000-memory.dmp

Filesize
16.0MB

Download
memory/3624-466-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3948-436-0x0000000005341000-0x0000000006341000-memory.dmp

Filesize
16.0MB

Download
memory/3948-444-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3948-425-0x0000000000000000-mapping.dmp

Download