Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-12-2024 21:53

General

  • Target

    9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe

  • Size

    3.5MB

  • MD5

    bc32de8d97215421a34fd734b10bbd50

  • SHA1

    a8bf5f12a9da2e4c8fb229d84e180e95530071ab

  • SHA256

    9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb

  • SHA512

    4c30330fd3bbb5c36d962985727eb7ce04dfabd847fe5db4bb1790142dc70c127b1b4f5813b2e5ade064e4cf4291956d931e6b208d02df226f38bbdf1caed91f

  • SSDEEP

    49152:iynXD6tVLVbhqRm3toeSbmYgt2AN20+q6eaAszjigcKtg5hJh:6jdqRm3+eSwN20X6CszjiDvh

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

cryptbot

C2

http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734

Extracted

Family

lumma

C2

https://tacitglibbr.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • CryptBot

    CryptBot is a C++ stealer widely distributed in bundles with other software.

  • Cryptbot family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
  • XMRig Miner payload 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 34 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 18 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2804
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2140
    • C:\Users\Admin\AppData\Local\Temp\9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe
      "C:\Users\Admin\AppData\Local\Temp\9b7da5b916b5b4ad6c14f79d11bc431d7e52262f25ae05fd91ec1698890b4dcb.exe"
      1⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1T31J4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1T31J4.exe
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Users\Admin\AppData\Local\Temp\1017082001\Dh5yvWY.exe
            "C:\Users\Admin\AppData\Local\Temp\1017082001\Dh5yvWY.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4084
            • C:\Users\Admin\AppData\Local\Temp\FutureApp\Sibuia.exe
              C:\Users\Admin\AppData\Local\Temp\FutureApp\Sibuia.exe TRUE 111 0
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2188
              • C:\Users\Admin\AppData\Local\Temp\FutureApp\sibjs.exe
                "C:\Users\Admin\AppData\Local\Temp\FutureApp\sibjs.exe" TRUE 000 False cond_pkg
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:3848
              • C:\Users\Admin\AppData\Local\Temp\FutureApp\0\Setup.exe
                "C:\Users\Admin\AppData\Local\Temp\FutureApp\0\Setup.exe" -s
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3984
              • C:\Users\Admin\AppData\Local\Temp\FutureApp\1\11.exe
                "C:\Users\Admin\AppData\Local\Temp\FutureApp\1\11.exe" -s
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5100
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\FutureApp\1.bat" "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1248
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\ProgramData\FutureApp\FutureApp.exe"
                    8⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:3172
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\ProgramData\FutureApp\FutureApp.exe"
                    8⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:732
              • C:\Users\Admin\AppData\Local\Temp\FutureApp\2\2.exe
                "C:\Users\Admin\AppData\Local\Temp\FutureApp\2\2.exe" -s
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5060
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\FutureApp\2.bat" "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1616
                  • C:\ProgramData\FutureApp\FutureApp.exe
                    C:\ProgramData\FutureApp\FutureApp.exe
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:3176
          • C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe
            "C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe
              "C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4760
          • C:\Users\Admin\AppData\Local\Temp\1017120001\016de88efc.exe
            "C:\Users\Admin\AppData\Local\Temp\1017120001\016de88efc.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:556
          • C:\Users\Admin\AppData\Local\Temp\1017121001\fcaaaec432.exe
            "C:\Users\Admin\AppData\Local\Temp\1017121001\fcaaaec432.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:5088
          • C:\Users\Admin\AppData\Local\Temp\1017122001\f1722d687f.exe
            "C:\Users\Admin\AppData\Local\Temp\1017122001\f1722d687f.exe"
            4⤵
            • Enumerates VirtualBox registry keys
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:5076
          • C:\Users\Admin\AppData\Local\Temp\1017123001\cc52689236.exe
            "C:\Users\Admin\AppData\Local\Temp\1017123001\cc52689236.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:5060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 772
              5⤵
              • Program crash
              PID:2628
          • C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe
            "C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:3748
            • C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe
              "C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2916
          • C:\Users\Admin\AppData\Local\Temp\1017125001\287c0c2c35.exe
            "C:\Users\Admin\AppData\Local\Temp\1017125001\287c0c2c35.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1768
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
              5⤵
              PID:764
              • C:\Windows\system32\mode.com
                mode 65,10
                6⤵
                PID:1364
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e file.zip -p24291711423417250691697322505 -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:2940
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_7.zip -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:2412
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_6.zip -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:736
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_5.zip -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:3500
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_4.zip -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:5032
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_3.zip -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:4864
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_2.zip -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:688
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_1.zip -oextracted
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:2904
              • C:\Windows\system32\attrib.exe
                attrib +H "in.exe"
                6⤵
                • Views/modifies file attributes
                PID:2304
              • C:\Users\Admin\AppData\Local\Temp\main\in.exe
                "in.exe"
                6⤵
                • Executes dropped EXE
                PID:2020
                • C:\Windows\SYSTEM32\attrib.exe
                  attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                  7⤵
                  • Views/modifies file attributes
                  PID:4260
                • C:\Windows\SYSTEM32\attrib.exe
                  attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                  7⤵
                  • Views/modifies file attributes
                  PID:3728
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                  7⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4836
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell ping 127.0.0.1; del in.exe
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5072
                  • C:\Windows\system32\PING.EXE
                    "C:\Windows\system32\PING.EXE" 127.0.0.1
                    8⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2888
          • C:\Users\Admin\AppData\Local\Temp\1017126001\a412c43f30.exe
            "C:\Users\Admin\AppData\Local\Temp\1017126001\a412c43f30.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4552
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Y7445.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Y7445.exe
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Users\Admin\AppData\Local\Temp\HFX64SQRC6T1LS2D09B5IIVMCG.exe
          "C:\Users\Admin\AppData\Local\Temp\HFX64SQRC6T1LS2D09B5IIVMCG.exe"
          3⤵
          • Modifies Windows Defender Real-time Protection settings
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Windows security modification
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3500
        • C:\Users\Admin\AppData\Local\Temp\LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe
          "C:\Users\Admin\AppData\Local\Temp\LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2648
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5060 -ip 5060
      1⤵
      PID:1064
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:780
    • C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
      C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
      1⤵
      • Executes dropped EXE
      PID:2800
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        PID:2292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:776
        • C:\Windows\system32\PING.EXE
          "C:\Windows\system32\PING.EXE" 127.1.10.1
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2328

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\ProgramData\FutureApp\1.bat

              Filesize

              273B

            • C:\ProgramData\FutureApp\2.bat

              Filesize

              54B

            • C:\ProgramData\FutureApp\FutureApp.exe

              Filesize

              103KB

            • C:\ProgramData\FutureApp\HTCTL32.DLL

              Filesize

              320KB

            • C:\ProgramData\FutureApp\NSM.LIC

              Filesize

              257B

            • C:\ProgramData\FutureApp\PCICHEK.DLL

              Filesize

              18KB

            • C:\ProgramData\FutureApp\PCICL32.dll

              Filesize

              3.6MB

            • C:\ProgramData\FutureApp\client32.ini

              Filesize

              702B

            • C:\ProgramData\FutureApp\msvcr100.dll

              Filesize

              755KB

            • C:\ProgramData\FutureApp\pcicapi.dll

              Filesize

              32KB

            • C:\Users\Admin\AppData\Local\Temp\1017082001\Dh5yvWY.exe

              Filesize

              6.2MB

            • C:\Users\Admin\AppData\Local\Temp\1017119001\740af2c1d3.exe

              Filesize

              758KB

            • C:\Users\Admin\AppData\Local\Temp\1017120001\016de88efc.exe

              Filesize

              1.8MB

            • C:\Users\Admin\AppData\Local\Temp\1017121001\fcaaaec432.exe

              Filesize

              1.8MB

            • C:\Users\Admin\AppData\Local\Temp\1017122001\f1722d687f.exe

              Filesize

              4.3MB

            • C:\Users\Admin\AppData\Local\Temp\1017123001\cc52689236.exe

              Filesize

              1.9MB

            • C:\Users\Admin\AppData\Local\Temp\1017124001\edc2fafce9.exe

              Filesize

              747KB

            • C:\Users\Admin\AppData\Local\Temp\1017125001\287c0c2c35.exe

              Filesize

              4.2MB

            • C:\Users\Admin\AppData\Local\Temp\1017126001\a412c43f30.exe

              Filesize

              4.3MB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\0\Setup.exe

              Filesize

              5.1MB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\1\11.exe

              Filesize

              323KB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\2\2.exe

              Filesize

              323KB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\SibCa.dll

              Filesize

              4KB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\SibClr.dll

              Filesize

              66KB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\Sibjs.exe

              Filesize

              2.1MB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\Sibuia.exe

              Filesize

              2.2MB

            • C:\Users\Admin\AppData\Local\Temp\FutureApp\sib.dat

              Filesize

              5KB

            • C:\Users\Admin\AppData\Local\Temp\HFX64SQRC6T1LS2D09B5IIVMCG.exe

              Filesize

              1.7MB

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1T31J4.exe

              Filesize

              2.8MB

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Y7445.exe

              Filesize

              1.8MB

            • C:\Users\Admin\AppData\Local\Temp\LGSJ4PIFKPYRAP9MAAVWI2QB8MQ7KL.exe

              Filesize

              2.8MB

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n14i45f2.rhe.ps1

              Filesize

              60B

            • C:\Users\Admin\AppData\Local\Temp\main\main.bat

              Filesize

              440B

            • C:\Users\Admin\AppData\Local\Temp\nsp5EA6.tmp\siblog.dll

              Filesize

              146KB
