Malware Analysis Report

2024-11-15 08:09

Sample ID 220919-cq92yscca9
Target MT1893878746.PDF.IMG.exe
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

Threat Level: Known bad

The file MT1893878746.PDF.IMG.exe was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-19 02:18

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-19 02:18

Reported

2022-09-19 02:20

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 5056 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 5056 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 5056 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1680 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1680 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3124 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 3124 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4343.tmp"

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DF.tmp"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 52.109.13.62:443 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 40.125.122.151:443 tcp
US 52.168.112.66:443 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.252.51.254:80 tcp
NL 104.80.225.205:443 tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 imminent.ddns.net udp
NG 105.112.146.2:9003 imminent.ddns.net tcp
NG 105.112.146.2:9003 imminent.ddns.net tcp
NG 105.112.146.2:9003 imminent.ddns.net tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-19 02:18

Reported

2022-09-19 02:20

Platform

win7-20220901-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2016 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 680 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 680 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1936 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 1936 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D1.tmp"

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3B4.tmp"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 imminent.ddns.net udp
NG 105.112.146.2:9003 imminent.ddns.net tcp
NG 105.112.146.2:9003 imminent.ddns.net tcp

Files
