Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2022 16:10
Static task: static1
Behavioral task: behavioral1
Sample: 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe
Resource: win10v2004-20220812-en
General
- Target: 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe
- Size: 2.4MB
- MD5: b493001ef6bf98292b0b89900f66f489
- SHA1: a11333fc3d44993631089092cbc2a9cfb015bb20
- SHA256: 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc
- SHA512: 64b9423246dc01761bea88dd381773cab864c6dabd7c2c17b7b7ffe0c066c78ecbc6eed892f83a5b1efd30cd1036c4cc9b0f5950beef2887d6443688141fb23f
- SSDEEP: 49152:mcMdEeQrxPGoSMoeYirnUfm8X67MDfL/EV5V4:mU94o3Lng5XKMDDy5V
Malware Config
Extracted: danabot
- c2: 23.236.181.126:443
- c2: 123.253.35.251:443
- c2: 66.85.173.3:443
- embedded_hash: 8F56CD73F6B5CD5D7B17B0BA61E70A82
- type: loader
Signatures
-
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
flow | pid | process
17 | 2072 | rundll32.exe
23 | 2072 | rundll32.exe
89 | 2072 | rundll32.exe
91 | 2072 | rundll32.exe
-
Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\review_browser.dll" | rundll32.exe
-
Sets service image path in registry (2 TTPs, 1 IoCs)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
-
Loads dropped DLL (4 IoCs)
Processes: rundll32.exe, svchost.exe, rundll32.exe
pid | process
2072 | rundll32.exe
4920 | svchost.exe
4920 | svchost.exe
4524 | rundll32.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
-
Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 2072 set thread context of 4648 | 2072 | rundll32.exe | rundll32.exe
-
Drops file in Program Files directory (64 IoCs)
Processes: rundll32.exe
description | ioc | process
File created | C:\Program Files (x86)\MSBuild\Microsoft\main-cef-ui-theme.css | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\application.ini | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\nppdf32.dll | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\manifest.json | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\review_browser.gif | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\BIBUtils.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\FillSign.aapp | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons_hiContrast_bow.png | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.exe | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\index.html | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\s_filetype_psd.svg | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\stop_collection_data.gif | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\ReadOutLoud.api | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\AXE8SharedExpat.dll | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\duplicate.svg | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Checkers.api | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons_retina_thumb_highContrast_wob.png | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\export.svg | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\create_form.gif | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\review_browser.dll | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\ExtendScript.dll | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\7z.sfx | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\freebl3.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | rundll32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
3196 | 2540 | WerFault.exe | 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe
-
Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe, svchost.exe, rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
-
Modifies registry class (5 IoCs)
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
-
Modifies system certificate store
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DCC5575346E7BA409DD688CA9A00FF5BE5A1EDC9 | rundll32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DCC5575346E7BA409DD688CA9A00FF5BE5A1EDC9\Blob = 030000000100000014000000dcc5575346e7ba409dd688ca9a00ff5be5a1edc92000000001000000230200003082021f30820188a003020102020868003c4315a5798d300d06092a864886f70d01010b0500302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361747020417574686f72697479301e170d3230313231383137313233335a170d3234313231373137313233335a302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361747020417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100d3150e92760f3d76bfe37cedf5889f5c8ef3b8f7c0416e0734a7294ea2176b9efda8e1c03c1a5f50ff57c295f8d0c40a780d25490805ea82c2934503a66fb801336dd53c18d8ec98540dcda4c73379cdc2c821061e27891807c11f573372de55735b80c3696984ad7e0a0e108d29f11ca67ed4da1e521c9895dca95aabc5e5090203010001a3443042300f0603551d130101ff040530030101ff302f0603551d110428302682244d6963726f736f667420526f6f7420436572746966696361747020417574686f72697479300d06092a864886f70d01010b05000381810080e1bd93939a4fe1fcc22ac93044ad4a3e378ac8a336c87daf11402d4036e4bae9bb23200e708fa99aca71167d73c2f245e579957d12450266a81822d72df7a482f2bfd5a3120ece692e336ae523f234cd639cdfef1c1c278690c3f816845cbd933cb6cfc72ffd2ea9fc52fee3829b51cf87529e71a666bda2f57c450353c808 | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes: svchost.exe, rundll32.exe
pid | process
4920 | svchost.exe
4920 | svchost.exe
2072 | rundll32.exe
2072 | rundll32.exe
2072 | rundll32.exe
2072 | rundll32.exe
2072 | rundll32.exe
2072 | rundll32.exe
2072 | rundll32.exe
2072 | rundll32.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
4920 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 2072 | rundll32.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: rundll32.exe, rundll32.exe
pid | process
4648 | rundll32.exe
2072 | rundll32.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe, rundll32.exe, svchost.exe
description | pid | process | target process
PID 2540 wrote to memory of 2072 | 2540 | 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe | rundll32.exe
PID 2540 wrote to memory of 2072 | 2540 | 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe | rundll32.exe
PID 2540 wrote to memory of 2072 | 2540 | 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe | rundll32.exe
PID 2072 wrote to memory of 4648 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 4648 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 4648 | 2072 | rundll32.exe | rundll32.exe
PID 4920 wrote to memory of 4524 | 4920 | svchost.exe | rundll32.exe
PID 4920 wrote to memory of 4524 | 4920 | svchost.exe | rundll32.exe
PID 4920 wrote to memory of 4524 | 4920 | svchost.exe | rundll32.exe
PID 2072 wrote to memory of 4412 | 2072 | rundll32.exe | schtasks.exe
PID 2072 wrote to memory of 4412 | 2072 | rundll32.exe | schtasks.exe
PID 2072 wrote to memory of 4412 | 2072 | rundll32.exe | schtasks.exe
PID 2072 wrote to memory of 4832 | 2072 | rundll32.exe | schtasks.exe
PID 2072 wrote to memory of 4832 | 2072 | rundll32.exe | schtasks.exe
PID 2072 wrote to memory of 4832 | 2072 | rundll32.exe | schtasks.exe
-
outlook_office_path (1 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
-
outlook_win_path (1 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
Tree depth is shown as [n]; each entry lists the image path, PID, command line and the signatures hit by that process.
[1] C:\Users\Admin\AppData\Local\Temp\15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe (PID 2540)
    Command line: "C:\Users\Admin\AppData\Local\Temp\15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe (PID 2072)
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
        - Blocklisted process makes network request
        - Sets DLL path for service in the registry
        - Sets service image path in registry
        - Loads dropped DLL
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
        [3] C:\Windows\system32\rundll32.exe (PID 4648)
            Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20188
            - Modifies registry class
            - Suspicious use of FindShellTrayWindow
        [3] C:\Windows\SysWOW64\schtasks.exe (PID 4412)
            Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        [3] C:\Windows\SysWOW64\schtasks.exe (PID 4832)
            Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    [2] C:\Windows\SysWOW64\WerFault.exe (PID 3196)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 508
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4644)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2540 -ip 2540
[1] C:\Windows\System32\rundll32.exe (PID 2552)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Windows\SysWOW64\svchost.exe (PID 4920)
    Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe (PID 4524)
        Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\review_browser.dll",KCgAak1rM3RX
        - Loads dropped DLL
        - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\MSBuild\Microsoft\review_browser.dll
Filesize: 2.4MB
MD5: 33b51d9e1b31fe451fea753a85f9a16c
SHA1: 80b0eeb933ae089cc3e88ae9413f9fef66633bad
SHA256: af091d7c04379a3a932da2e84f619753dd9be6900b5c9ac75761f1798b1f00a3
SHA512: 4c1100fbb5b5ce85d2280941598b06150b1b6897cd6b88a0afca7511cd3d2bfa8837e199577ee5fe266a0c4c64911f3bf94ca4e11604c8784c3cf42df053299f
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.dcfmui.msi.16.en-us.xml
Filesize: 9KB
MD5: 2693cb4d0d47298d60c5b4210d567e56
SHA1: 20b67bce8310a93c5756d83d13febdcaff5f3b39
SHA256: d98dec16b13c3e4a23823be0bcd45f685c6dc690ae28954c0c18075e77898f20
SHA512: 034cb9620ea7f9aa793ad8e0c8e30b11244e7952d871d1f8cbb1ff6daa765fd9afc2a54f221f0a323511f4aa7b985ff61c2f0b983668c7e390f3f99699dc89c9
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
Filesize: 719KB
MD5: e9f03f8b71cac83b7d16ef685cabd0d0
SHA1: c5057520e0a65340360219618632037e7c0c474a
SHA256: fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db
SHA512: 1703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp
Filesize: 2.3MB
MD5: 79be1992fb39e729c8d6c15b21efd6a0
SHA1: e3bd7e7d4c7d2a8594e30aa744f3ec6f267ab242
SHA256: efe79daf25c849c5a539f2c04c8fc3287a479653ab918672aa1fd7fe075fc2cb
SHA512: 89ce9f510153e3ce7f4f8aba7d860c2a916043761389dd0de2a8159460e81585f9379651e49fe8132e7e021176cefc4d67edb34b398a18a5f59d3e82ac4f913a
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\DeploymentConfiguration.xml
Filesize: 614B
MD5: 54cec4437128f703c259efb3dc734386
SHA1: 9b15ebe33a771a7e12cd966fd8b583da06914015
SHA256: d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4
SHA512: c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize: 2KB
MD5: db0acdbf49f80d3f3b0fb65a71b39341
SHA1: 12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae
SHA256: f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f
SHA512: 3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
Filesize: 2KB
MD5: c8d6f0d26db52746e243b785c269cacd
SHA1: b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1
SHA256: d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21
SHA512: c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 28KB
MD5: b8c1eec848c415eea04839ad0af75950
SHA1: 652ccb0f39fcb73b3fe31a231e490bbdb2a1d0bc
SHA256: 694699e06fa830a2fb3b79d472b9d2560686e5ebd752022fd902ff2d1e82c162
SHA512: 24f5629b1947690ee9fa911f1620a311db6f9433e77f8db67b468fb8624c3adcbfb21138c591a51d4e2e5f595ce9a5684203543890165fd2e88092cf303fe563
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize: 827B
MD5: cf7d0dd53bde6261338a343a4a92c3f5
SHA1: f5326546a46c8a7d2400d743fca320a166331757
SHA256: df0af4b8242dcab107aab8d00add27b9797c00002669ff953667869abb6c77c6
SHA512: 9cf52da12c7e703fefff7a5295b7475d95a568d050b210a7b53470dad257793257a4242c89fb00fa22c7319c8be96144b193ec1e51c4d3a751af6765a6935148
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 26KB
MD5: 26b4cb86e7313855e188214dfee0abe4
SHA1: c4488e4c3c91bb6bd49cc3e68d9fce83c59f8422
SHA256: d182821a1030c629318d6e379cba49ac00db7a2b6aab70a3d245f7418ef490bc
SHA512: 78dd7247c0fd372bc146562f46dd453aaa9fc3e4a49fb669240f76bd90249534bf6ca660058bf854eb4c05170a2e2ddabc0813223b61f09f0673fb3939f6f2b1
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml
Filesize: 15KB
MD5: 2f71d0396b93381c1fd86bf822612868
SHA1: d0801700dd00a51276f32c6ed19f5b713b5db825
SHA256: 0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026
SHA512: 67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 27KB
MD5: 1cef1a17af19cd221b168384320770e5
SHA1: 1b694f2e2c2f87becfd9d4d1b271843c928dbfc4
SHA256: cf103015c20fbe6aebd3b83104eb034f2ff6e40187296a5a7e71a9f77013294b
SHA512: 61a7f84dc4970a564056407549bc3664bf67d18a93f86a2be73ea39d8fb5d7007bb7531d881e516196c5139c1c5f67d7b602d0b26dfd1f13ebba7e90e3b8c377
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftInternetExplorer2013Backup.xml
Filesize: 2KB
MD5: 16fa6bd16573d544916a2cb3335a1f13
SHA1: 479c5b9375b5b351d7dc217deb159fe92da03f75
SHA256: 37e639679abd36b5b59324eea7aa1d602ff9c287e5c07dfd335ee1a85b68fc50
SHA512: 9a871284356b2217fc8dbd568c6731def7781cac4550e77824f5c683b29313cd46e444760413ec730e8f70669ff08b62ab9b73c8099115a71eb84d7d728e2873
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftLync2013Win64.xml
Filesize: 2KB
MD5: e3a68bbd204d36868c6f5570e4576675
SHA1: bc5c44144e8e962c62f7febabdb3d0ba20a8162a
SHA256: 11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac
SHA512: 7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftOffice2013Win64.xml
Filesize: 66KB
MD5: c08e2d9084398ad29bb453183bb2155d
SHA1: 285b0d897ff73444a74bf9e253d30f7cb1f4f2be
SHA256: 9ddc306cee7a71d98fe59c39ce5fb74cc7e36c54a55cc46f2e8136c12e890418
SHA512: d032acce3071bb26d688aa4a816d09b6852c3ccb179f66a0001038b94f556a4b04401e02a4dc3b8eb7f4c4aa0fb74aa009a5db786972c56cb08d5dbeeaefad83
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SystemIndex.1.Crwl
Filesize: 1KB
MD5: da957d0d371d2f731d0031bfeaf0568a
SHA1: bc1dc9f7072a99df29b899b3ce91cd1641983c01
SHA256: 5c2d3c152573048917c9f92305dacac9874d54833253692cd43e3fe294c1cc11
SHA512: d25ed75c26f7d061f7cae535c39942fc12a7558f227244b2024168c94b9ead6d1202de2b4e1d005fc26a96a8365b415378165e58cafcf119832e9e000b713e8c
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\edbres00001.jrs
Filesize: 64KB
MD5: fcd6bcb56c1689fcef28b57c22475bad
SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512: 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml
Filesize: 1KB
MD5: 93a100713ff56b66e15f984d3100aab7
SHA1: 4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656
SHA256: 0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26
SHA512: df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\sync.ico
Filesize: 48KB
MD5: d1c012ba7049a4525a89b26c846ce0d3
SHA1: 769fccd1ed39b3b6ce1ec6e44f096107b4375c58
SHA256: fce3d2b3ca14bbb41fcb8956ef80af38976f4c32787cc1ac3cc1e465ce0453cc
SHA512: 538b3c161e3192d3cb8b78f0fb5f863ae84d04a9f236a876e5002a90189cb4b5beea496aefb444de2dd9ea45d1f530359b38d6a45f3260d1d14924bd31918dc9
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\tasks.xml
Filesize: 11KB
MD5: 6ab160b8998020e6d4373c003e9879d4
SHA1: efa87d3fb95a73a892ed88b08651c44fe03c150f
SHA256: faf021b3c06abc41a9fb8e021171fd0ea41684b732a8e77433e447af8e527516
SHA512: c923c48b0b5c741777666ca161864879defd50c299ae76d9f093ffb846d144600c99d281d879f9328509061f3ae6784a706f15248e0fed7bfd7a595b389aae1b
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\user-32.png
Filesize: 441B
MD5: a60e1edd0e806500b9247ebc886d1ecd
SHA1: bb96af6a28162ea763117b838534829bf3dc632e
SHA256: 0e73d224603c23ae46c24341826dc6bdcfc9bda04b2ebd261537f439ed229de9
SHA512: fdd37f5da650f99f7657285a5f062f19caa99f969676f1b426f1c0a928eed6fe1698d4ba515ba6245e8a24e3ddf02ee6e5f6a3bade221cfc09444b43839b7070
-
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize: 2.4MB
MD5: 733d25a59258bfe67114108835b911cc
SHA1: 29dce79233a81e032fd0d95c4f3895572ef9bd22
SHA256: 1b876c32b66fbee9831328076d7d7bef88cdd672d2caf70b4e5965db34642d9f
SHA512: 61ed9c6ef45a52bb840834766fb1d6170a2bc70dd4ae5eb68d816eb37844a6d4702412a4a21b5990dc03e6a90239c1c8da6ad2a28cb3fcd2dc715c69cd6e11d7
-
\??\c:\program files (x86)\msbuild\microsoft\review_browser.dll
Filesize 2.4MB
MD5 33b51d9e1b31fe451fea753a85f9a16c
SHA1 80b0eeb933ae089cc3e88ae9413f9fef66633bad
SHA256 af091d7c04379a3a932da2e84f619753dd9be6900b5c9ac75761f1798b1f00a3
SHA512 4c1100fbb5b5ce85d2280941598b06150b1b6897cd6b88a0afca7511cd3d2bfa8837e199577ee5fe266a0c4c64911f3bf94ca4e11604c8784c3cf42df053299f
-
memory/2072-143-0x00000000036B0000-0x0000000003DD5000-memory.dmp
Filesize 7.1MB
-
memory/2072-141-0x00000000036B0000-0x0000000003DD5000-memory.dmp
Filesize 7.1MB
-
memory/2072-151-0x0000000003F19000-0x0000000003F1B000-memory.dmp
Filesize 8KB
-
memory/2072-134-0x0000000000000000-mapping.dmp
-
memory/2072-148-0x0000000003EA0000-0x0000000003FE0000-memory.dmp
Filesize 1.2MB
-
memory/2072-149-0x0000000003EA0000-0x0000000003FE0000-memory.dmp
Filesize 1.2MB
-
memory/2072-147-0x0000000003EA0000-0x0000000003FE0000-memory.dmp
Filesize 1.2MB
-
memory/2072-156-0x00000000036B0000-0x0000000003DD5000-memory.dmp
Filesize 7.1MB
-
memory/2072-146-0x0000000003EA0000-0x0000000003FE0000-memory.dmp
Filesize 1.2MB
-
memory/2072-145-0x0000000003EA0000-0x0000000003FE0000-memory.dmp
Filesize 1.2MB
-
memory/2072-144-0x0000000003EA0000-0x0000000003FE0000-memory.dmp
Filesize 1.2MB
-
memory/2072-138-0x0000000000400000-0x0000000000671000-memory.dmp
Filesize 2.4MB
-
memory/2072-142-0x00000000036B0000-0x0000000003DD5000-memory.dmp
Filesize 7.1MB
-
memory/2072-140-0x0000000000400000-0x0000000000671000-memory.dmp
Filesize 2.4MB
-
memory/2540-132-0x00000000009E3000-0x0000000000C2E000-memory.dmp
Filesize 2.3MB
-
memory/2540-136-0x0000000000400000-0x0000000000791000-memory.dmp
Filesize 3.6MB
-
memory/2540-133-0x0000000002610000-0x0000000002995000-memory.dmp
Filesize 3.5MB
-
memory/2540-139-0x0000000002610000-0x0000000002995000-memory.dmp
Filesize 3.5MB
-
memory/4412-197-0x0000000000000000-mapping.dmp
-
memory/4524-190-0x00000000033F0000-0x0000000003B15000-memory.dmp
Filesize 7.1MB
-
memory/4524-195-0x0000000000400000-0x0000000000671000-memory.dmp
Filesize 2.4MB
-
memory/4524-184-0x0000000000000000-mapping.dmp
-
memory/4524-196-0x00000000033F0000-0x0000000003B15000-memory.dmp
Filesize 7.1MB
-
memory/4524-188-0x0000000000400000-0x0000000000671000-memory.dmp
Filesize 2.4MB
-
memory/4524-189-0x00000000033F0000-0x0000000003B15000-memory.dmp
Filesize 7.1MB
-
memory/4648-157-0x0000015D0C6D0000-0x0000015D0C8FA000-memory.dmp
Filesize 2.2MB
-
memory/4648-155-0x0000015D0C6D0000-0x0000015D0C8FA000-memory.dmp
Filesize 2.2MB
-
memory/4648-152-0x0000015D0E0A0000-0x0000015D0E1E0000-memory.dmp
Filesize 1.2MB
-
memory/4648-154-0x0000015D0E0A0000-0x0000015D0E1E0000-memory.dmp
Filesize 1.2MB
-
memory/4648-153-0x0000000000370000-0x0000000000589000-memory.dmp
Filesize 2.1MB
-
memory/4648-150-0x00007FF6E7566890-mapping.dmp
-
memory/4832-198-0x0000000000000000-mapping.dmp
-
memory/4920-162-0x0000000001140000-0x00000000013B1000-memory.dmp
Filesize 2.4MB
-
memory/4920-173-0x0000000001AE0000-0x0000000002205000-memory.dmp
Filesize 7.1MB
-
memory/4920-172-0x0000000001AE0000-0x0000000002205000-memory.dmp
Filesize 7.1MB
-
memory/4920-171-0x0000000001AE0000-0x0000000002205000-memory.dmp
Filesize 7.1MB
-
memory/4920-161-0x0000000001140000-0x00000000013B1000-memory.dmp
Filesize 2.4MB
-
memory/4920-199-0x0000000001140000-0x00000000013B1000-memory.dmp
Filesize 2.4MB
-
memory/4920-200-0x0000000001AE0000-0x0000000002205000-memory.dmp
Filesize 7.1MB
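Turning the dropped-file and memory-dump listing above into something huntable, as an added example that is not part of the sandbox report: the script parses the listing (both the raw extracted form, where labels are fused to values such as "MD5<hex>" and "...dllFilesize", and the clean "Label value" form), collapses repeated entries, derives each memory region's length from the address range in the dump name and checks it against the stated size, and flags files whose SHA256 is that of all-NUL content of the stated size (the 64KB edbres00001.jrs reserve log), which are not worth hunting. The sample input is a constructed subset of records copied from the listing; the function names and the size-rounding convention are assumptions of this example.

```python
"""Turn a sandbox "dropped files / memory dumps" listing into IOC records.

Added example, not part of the report. Text extraction of such reports often
fuses a field label to its value ("...dllFilesize", "MD5<hex>"); the parser
accepts both that fused form and the clean "Label value" form.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")

# Constructed sample: a subset of records copied from the listing above.
SAMPLE = r"""C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\edbres00001.jrsFilesize
64KB
MD5fcd6bcb56c1689fcef28b57c22475bad
SHA11adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA51273e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dllFilesize
2.4MB
MD5733d25a59258bfe67114108835b911cc
SHA129dce79233a81e032fd0d95c4f3895572ef9bd22
SHA2561b876c32b66fbee9831328076d7d7bef88cdd672d2caf70b4e5965db34642d9f
SHA51261ed9c6ef45a52bb840834766fb1d6170a2bc70dd4ae5eb68d816eb37844a6d4702412a4a21b5990dc03e6a90239c1c8da6ad2a28cb3fcd2dc715c69cd6e11d7
-
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dllFilesize
2.4MB
MD5733d25a59258bfe67114108835b911cc
SHA129dce79233a81e032fd0d95c4f3895572ef9bd22
SHA2561b876c32b66fbee9831328076d7d7bef88cdd672d2caf70b4e5965db34642d9f
SHA51261ed9c6ef45a52bb840834766fb1d6170a2bc70dd4ae5eb68d816eb37844a6d4702412a4a21b5990dc03e6a90239c1c8da6ad2a28cb3fcd2dc715c69cd6e11d7
-
\??\c:\program files (x86)\msbuild\microsoft\review_browser.dllFilesize
2.4MB
MD533b51d9e1b31fe451fea753a85f9a16c
SHA180b0eeb933ae089cc3e88ae9413f9fef66633bad
SHA256af091d7c04379a3a932da2e84f619753dd9be6900b5c9ac75761f1798b1f00a3
SHA5124c1100fbb5b5ce85d2280941598b06150b1b6897cd6b88a0afca7511cd3d2bfa8837e199577ee5fe266a0c4c64911f3bf94ca4e11604c8784c3cf42df053299f
-
memory/2072-143-0x00000000036B0000-0x0000000003DD5000-memory.dmpFilesize
7.1MB
-
memory/2072-151-0x0000000003F19000-0x0000000003F1B000-memory.dmpFilesize
8KB
-
memory/2072-134-0x0000000000000000-mapping.dmp
-
"""


@dataclass
class DroppedFile:
    path: str
    size: Optional[str]    # as stated in the report, e.g. "64KB"
    hashes: dict           # label -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: Optional[int]     # None for "-mapping.dmp" entries
    size: Optional[str]

    @property
    def length(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def human_size(n: int) -> str:
    """Bytes -> the report's spelling (assumed: one decimal for MB, whole KB)."""
    if n >= 1 << 20:
        return f"{round(n / (1 << 20), 1)}MB"
    if n >= 1 << 10:
        return f"{round(n / (1 << 10))}KB"
    return f"{n}B"


def parse_size(s: str) -> int:
    """Stated size -> bytes; exact only for B and whole-KB values."""
    num, suffix = re.fullmatch(r"([\d.]+)(B|KB|MB)", s).groups()
    return int(float(num) * {"B": 1, "KB": 1 << 10, "MB": 1 << 20}[suffix])


def _records(text: str):
    """Yield the non-empty lines of each '-'-separated record."""
    rec = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            if rec:
                yield rec
            rec = []
        elif line:
            rec.append(line)
    if rec:
        yield rec


def parse_listing(text: str):
    files, regions = [], []
    for rec in _records(text):
        head, body, size = rec[0], rec[1:], None
        if head.endswith("Filesize"):                    # fused: "<name>Filesize" / "27KB"
            head, size, body = head[:-len("Filesize")], body[0], body[1:]
        elif body and body[0].startswith("Filesize"):    # clean: "Filesize 27KB"
            size, body = body[0][len("Filesize"):].strip(), body[1:]
        m = MEM_RE.match(head)
        if m:
            regions.append(MemoryRegion(int(m["pid"]), int(m["seq"]), int(m["start"], 16),
                                        int(m["end"], 16) if m["end"] else None, size))
            continue
        hashes = {}
        for line in body:
            for label, n in DIGEST_LEN.items():
                if line.startswith(label):
                    digest = line[len(label):].strip().lower()
                    if not re.fullmatch(r"[0-9a-f]{%d}" % n, digest):   # catch truncation
                        raise ValueError(f"malformed {label} for {head}: {digest!r}")
                    hashes[label] = digest
                    break
        files.append(DroppedFile(head, size, hashes))
    return files, regions


def normalize_path(p: str) -> str:
    """Drop the NT object-manager prefix and fold case so both spellings compare equal."""
    return (p[4:] if p.startswith("\\??\\") else p).lower()


def unique_files(files):
    """Collapse repeated entries (same path and SHA256), keeping the first."""
    seen, out = set(), []
    for f in files:
        key = (normalize_path(f.path), f.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def is_zero_filled(f: DroppedFile) -> bool:
    """True when SHA256 equals that of all-NUL content of the stated size.
    Only meaningful for exact sizes (B / whole KB); rounded MB values never match."""
    if not f.size or "SHA256" not in f.hashes:
        return False
    return hashlib.sha256(b"\x00" * parse_size(f.size)).hexdigest() == f.hashes["SHA256"]


def hunt_hashes(files) -> dict:
    """SHA256 -> normalized path for files worth hunting: deduplicated, not zero-filled."""
    return {f.hashes["SHA256"]: normalize_path(f.path)
            for f in unique_files(files) if "SHA256" in f.hashes and not is_zero_filled(f)}


def size_mismatches(regions):
    """Regions whose stated size disagrees with the address range in the dump name."""
    return [r for r in regions if r.end is not None and human_size(r.length) != r.size]


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for sha, path in hunt_hashes(files).items():
        print(sha, path)
    for r in regions:
        print(f"pid {r.pid} #{r.seq}: 0x{r.start:X}" +
              ("" if r.end is None else f"-0x{r.end:X} ({human_size(r.length)})"))
    print("size mismatches:", size_mismatches(regions))
```

Two things the listing itself shows once parsed: the Temp DLL and the service DLL under the MSBuild directory are both 2.4MB yet differ in every digest, so a hunt keyed on one hash will not find the other copy; and the 7.1MB region dumped from the rundll32 processes is far larger than the 2.4MB image mapped at 0x400000, which is where the unpacked payload is worth looking for.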