amadey | 64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
Size

1.8MB
MD5

533d9a119eb5ccb1885d741c2d2259a5
SHA1

ade39f5d839c1ead41c59195769198c13a8bb221
SHA256

64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83
SHA512

467fc15a6bf6033b8a0a97ec4ce33b92a03a2a5592279e22e5671b800d49c2769e545adfadd4c95e5c6a2556a07f451f707566b4abdcb459fdbaa7e259198698
SSDEEP

49152:PlDkFnqn9EsxNWJF94vIDlpx6xIHTUVzbnS:tD0Y1oX0qpx6KHTUVzDS

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Extracted

Family

redline

185.215.113.67:21405

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

45.66.231.214:9932

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000235e9-321.dat	family_monster
behavioral1/memory/2796-432-0x00007FF6C70A0000-0x00007FF6C80C6000-memory.dmp	family_monster
behavioral1/memory/2796-443-0x00007FF6C70A0000-0x00007FF6C80C6000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1308-37-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/files/0x00070000000235c7-131.dat	family_redline
behavioral1/memory/740-144-0x0000000000E50000-0x0000000000EA2000-memory.dmp	family_redline
behavioral1/files/0x00070000000235d4-180.dat	family_redline
behavioral1/memory/4620-194-0x0000000000620000-0x0000000000672000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
548	netsh.exe
2304	netsh.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	newalp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	axplong.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3616	cmd.exe
1536	powershell.exe

Executes dropped EXE 17 IoCs

pid	Process
1272	axplong.exe
4224	GOLD.exe
4024	axplong.exe
428	crypteda.exe
1032	newalp.exe
4584	Hkbsse.exe
4476	L2vmGou6Ll.exe
4544	jHCWLD6zCa.exe
740	06082025.exe
336	stealc_default.exe
4620	MYNEWRDX.exe
1836	Hkbsse.exe
3968	axplong.exe
1876	zzzz1.exe
2796	stub.exe
2036	axplong.exe
4052	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	axplong.exe

Loads dropped DLL 35 IoCs

pid	Process
336	stealc_default.exe
336	stealc_default.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe
2796	stub.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
100	raw.githubusercontent.com
99	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
97	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
876	cmd.exe
4784	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
112	tasklist.exe
2256	tasklist.exe
1316	tasklist.exe
4624	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4468	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
5020	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
1272	axplong.exe
4024	axplong.exe
3968	axplong.exe
2036	axplong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 1308	4224	GOLD.exe	101
PID 428 set thread context of 3832	428	crypteda.exe	116

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
File created	C:\Windows\Tasks\Hkbsse.job	newalp.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1444	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000700000002360c-340.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L2vmGou6Ll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYNEWRDX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06082025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jHCWLD6zCa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newalp.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3008	cmd.exe
2676	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3140	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1324	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1008	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3140	NETSTAT.EXE
4304	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3068	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2680	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
5020	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
5020	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
1272	axplong.exe
1272	axplong.exe
4024	axplong.exe
4024	axplong.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
1308	RegAsm.exe
4476	L2vmGou6Ll.exe
4476	L2vmGou6Ll.exe
4544	jHCWLD6zCa.exe
4544	jHCWLD6zCa.exe
740	06082025.exe
740	06082025.exe
740	06082025.exe
336	stealc_default.exe
336	stealc_default.exe
3968	axplong.exe
3968	axplong.exe
336	stealc_default.exe
336	stealc_default.exe
4620	MYNEWRDX.exe
4620	MYNEWRDX.exe
4620	MYNEWRDX.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
2036	axplong.exe
2036	axplong.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	RegAsm.exe
Token: SeDebugPrivilege	4476	L2vmGou6Ll.exe
Token: SeBackupPrivilege	4476	L2vmGou6Ll.exe
Token: SeSecurityPrivilege	4476	L2vmGou6Ll.exe
Token: SeSecurityPrivilege	4476	L2vmGou6Ll.exe
Token: SeSecurityPrivilege	4476	L2vmGou6Ll.exe
Token: SeSecurityPrivilege	4476	L2vmGou6Ll.exe
Token: SeDebugPrivilege	4544	jHCWLD6zCa.exe
Token: SeBackupPrivilege	4544	jHCWLD6zCa.exe
Token: SeSecurityPrivilege	4544	jHCWLD6zCa.exe
Token: SeSecurityPrivilege	4544	jHCWLD6zCa.exe
Token: SeSecurityPrivilege	4544	jHCWLD6zCa.exe
Token: SeSecurityPrivilege	4544	jHCWLD6zCa.exe
Token: SeDebugPrivilege	740	06082025.exe
Token: SeDebugPrivilege	4620	MYNEWRDX.exe
Token: SeIncreaseQuotaPrivilege	1008	WMIC.exe
Token: SeSecurityPrivilege	1008	WMIC.exe
Token: SeTakeOwnershipPrivilege	1008	WMIC.exe
Token: SeLoadDriverPrivilege	1008	WMIC.exe
Token: SeSystemProfilePrivilege	1008	WMIC.exe
Token: SeSystemtimePrivilege	1008	WMIC.exe
Token: SeProfSingleProcessPrivilege	1008	WMIC.exe
Token: SeIncBasePriorityPrivilege	1008	WMIC.exe
Token: SeCreatePagefilePrivilege	1008	WMIC.exe
Token: SeBackupPrivilege	1008	WMIC.exe
Token: SeRestorePrivilege	1008	WMIC.exe
Token: SeShutdownPrivilege	1008	WMIC.exe
Token: SeDebugPrivilege	1008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1008	WMIC.exe
Token: SeRemoteShutdownPrivilege	1008	WMIC.exe
Token: SeUndockPrivilege	1008	WMIC.exe
Token: SeManageVolumePrivilege	1008	WMIC.exe
Token: 33	1008	WMIC.exe
Token: 34	1008	WMIC.exe
Token: 35	1008	WMIC.exe
Token: 36	1008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5072	WMIC.exe
Token: SeSecurityPrivilege	5072	WMIC.exe
Token: SeTakeOwnershipPrivilege	5072	WMIC.exe
Token: SeLoadDriverPrivilege	5072	WMIC.exe
Token: SeSystemProfilePrivilege	5072	WMIC.exe
Token: SeSystemtimePrivilege	5072	WMIC.exe
Token: SeProfSingleProcessPrivilege	5072	WMIC.exe
Token: SeIncBasePriorityPrivilege	5072	WMIC.exe
Token: SeCreatePagefilePrivilege	5072	WMIC.exe
Token: SeBackupPrivilege	5072	WMIC.exe
Token: SeRestorePrivilege	5072	WMIC.exe
Token: SeShutdownPrivilege	5072	WMIC.exe
Token: SeDebugPrivilege	5072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5072	WMIC.exe
Token: SeRemoteShutdownPrivilege	5072	WMIC.exe
Token: SeUndockPrivilege	5072	WMIC.exe
Token: SeManageVolumePrivilege	5072	WMIC.exe
Token: 33	5072	WMIC.exe
Token: 34	5072	WMIC.exe
Token: 35	5072	WMIC.exe
Token: 36	5072	WMIC.exe
Token: SeDebugPrivilege	112	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5072	WMIC.exe
Token: SeSecurityPrivilege	5072	WMIC.exe
Token: SeTakeOwnershipPrivilege	5072	WMIC.exe
Token: SeLoadDriverPrivilege	5072	WMIC.exe
Token: SeSystemProfilePrivilege	5072	WMIC.exe
Token: SeSystemtimePrivilege	5072	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1272	5020	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe	94
PID 5020 wrote to memory of 1272	5020	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe	94
PID 5020 wrote to memory of 1272	5020	64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe	94
PID 1272 wrote to memory of 4224	1272	axplong.exe	98
PID 1272 wrote to memory of 4224	1272	axplong.exe	98
PID 1272 wrote to memory of 4224	1272	axplong.exe	98
PID 4224 wrote to memory of 624	4224	GOLD.exe	100
PID 4224 wrote to memory of 624	4224	GOLD.exe	100
PID 4224 wrote to memory of 624	4224	GOLD.exe	100
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 4224 wrote to memory of 1308	4224	GOLD.exe	101
PID 1272 wrote to memory of 428	1272	axplong.exe	112
PID 1272 wrote to memory of 428	1272	axplong.exe	112
PID 1272 wrote to memory of 428	1272	axplong.exe	112
PID 1272 wrote to memory of 1032	1272	axplong.exe	114
PID 1272 wrote to memory of 1032	1272	axplong.exe	114
PID 1272 wrote to memory of 1032	1272	axplong.exe	114
PID 1032 wrote to memory of 4584	1032	newalp.exe	115
PID 1032 wrote to memory of 4584	1032	newalp.exe	115
PID 1032 wrote to memory of 4584	1032	newalp.exe	115
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 428 wrote to memory of 3832	428	crypteda.exe	116
PID 3832 wrote to memory of 4476	3832	RegAsm.exe	117
PID 3832 wrote to memory of 4476	3832	RegAsm.exe	117
PID 3832 wrote to memory of 4476	3832	RegAsm.exe	117
PID 3832 wrote to memory of 4544	3832	RegAsm.exe	119
PID 3832 wrote to memory of 4544	3832	RegAsm.exe	119
PID 3832 wrote to memory of 4544	3832	RegAsm.exe	119
PID 1272 wrote to memory of 740	1272	axplong.exe	121
PID 1272 wrote to memory of 740	1272	axplong.exe	121
PID 1272 wrote to memory of 740	1272	axplong.exe	121
PID 1272 wrote to memory of 336	1272	axplong.exe	122
PID 1272 wrote to memory of 336	1272	axplong.exe	122
PID 1272 wrote to memory of 336	1272	axplong.exe	122
PID 1272 wrote to memory of 4620	1272	axplong.exe	123
PID 1272 wrote to memory of 4620	1272	axplong.exe	123
PID 1272 wrote to memory of 4620	1272	axplong.exe	123
PID 1272 wrote to memory of 1876	1272	axplong.exe	131
PID 1272 wrote to memory of 1876	1272	axplong.exe	131
PID 1876 wrote to memory of 2796	1876	zzzz1.exe	132
PID 1876 wrote to memory of 2796	1876	zzzz1.exe	132
PID 2796 wrote to memory of 3320	2796	stub.exe	133
PID 2796 wrote to memory of 3320	2796	stub.exe	133
PID 2796 wrote to memory of 1308	2796	stub.exe	135
PID 2796 wrote to memory of 1308	2796	stub.exe	135
PID 2796 wrote to memory of 1444	2796	stub.exe	136
PID 2796 wrote to memory of 1444	2796	stub.exe	136
PID 2796 wrote to memory of 3424	2796	stub.exe	137
PID 2796 wrote to memory of 3424	2796	stub.exe	137
PID 2796 wrote to memory of 2280	2796	stub.exe	138

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3460	attrib.exe

C:\Users\Admin\AppData\Local\Temp\64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe
"C:\Users\Admin\AppData\Local\Temp\64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
- - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Users\Admin\AppData\Roaming\L2vmGou6Ll.exe
        
        "C:\Users\Admin\AppData\Roaming\L2vmGou6Ll.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Users\Admin\AppData\Roaming\jHCWLD6zCa.exe
        
        "C:\Users\Admin\AppData\Roaming\jHCWLD6zCa.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
- - C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4584
- - C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
    "C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe
    "C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- - C:\Users\Admin\AppData\Local\Temp\1000118001\zzzz1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000118001\zzzz1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\stub.exe
      C:\Users\Admin\AppData\Local\Temp\1000118001\zzzz1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:1308
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:1444
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:3424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:2280
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:4052
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:2788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1596
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4012
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:4468
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:3460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:3648
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:2292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        
        PID:4496
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:2680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4004
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:3616
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:780
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:4868
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:876
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2092
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:3068
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:3400
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:1324
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:2556
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:1840
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:3224
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:880
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:3508
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:1036
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:3148
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:4960
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:2784
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:3964
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:2664
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4720
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:3516
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:4624
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:4304
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:1608
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:4784
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3140
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:1444
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:548
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3008
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2696
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4564
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
cf378aacf4f7ccae2e9d7fe1580ca0d6

SHA1
09c6d8d07e2e704f4272d26b01124bcb15415e11

SHA256
a7e4cb45acd1ea49a050ea64de261d901d1c66ca74bd785aebf016e2ff4dfa93

SHA512
c745a381721b1d3e4932b9cbd10b968a79dc03efc174c59107ced4497388943253797a8b9b99476cb18baab5de091c61a5cc41d5544fb043b454e27023ca823c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
954KB

MD5
e71c0c5d72455dde6510ba23552d7d2f

SHA1
4dff851c07a9f9ebc9e71b7f675cc20b06a2439c

SHA256
de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f

SHA512
c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.4MB

MD5
04e90b2cf273efb3f6895cfcef1e59ba

SHA1
79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

SHA256
e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

SHA512
72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe

Filesize
416KB

MD5
6093bb59e7707afe20ca2d9b80327b49

SHA1
fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc

SHA256
3acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3

SHA512
d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe

Filesize
304KB

MD5
0d76d08b0f0a404604e7de4d28010abc

SHA1
ef4270c06b84b0d43372c5827c807641a41f2374

SHA256
6dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e

SHA512
979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe

Filesize
304KB

MD5
0f02da56dab4bc19fca05d6d93e74dcf

SHA1
a809c7e9c3136b8030727f128004aa2c31edc7a9

SHA256
e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379

SHA512
522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000118001\zzzz1.exe

Filesize
10.5MB

MD5
a5c740eb48fafb9b25d06c22b6f4a7e9

SHA1
70a24d83379e205bbbcda72da177fa0baae2be7f

SHA256
93429472073d0794c411a71f2f161aa8d7b8c51606ab497175cc5863fea7fba8

SHA512
524b83c112064bafbec17b43ef03f5f41888c584fc0baf2da59e58befa40b4cb7920f6e4a6f598289749919fbf7394a74352c0b301d1d1594e133aaf96cd3808

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
533d9a119eb5ccb1885d741c2d2259a5

SHA1
ade39f5d839c1ead41c59195769198c13a8bb221

SHA256
64e41b5731990894aa9f25891faf3deca6e79c3e1844d551cb46ed575fb8de83

SHA512
467fc15a6bf6033b8a0a97ec4ce33b92a03a2a5592279e22e5671b800d49c2769e545adfadd4c95e5c6a2556a07f451f707566b4abdcb459fdbaa7e259198698

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
6e389da3969c19b6dbfb95013149bbb5

SHA1
f02ff8f1f1b353e36e4f609d39815c17eba8cee3

SHA256
4928d3109995b2faee203bc67184c892e9633fc7df6ad619f5852cf680c36ed4

SHA512
af965dc6aa1c26442f883e2d916509bc7766b425768e6a482223fdd1d3a5133c3b1955ad91bd578c387cc260efee4f738095d8ed7bafb7ed953edcc948313636

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
232KB

MD5
04a2d3683c2e04767922f632a48bfa01

SHA1
8037570080ce996218349a2f98f0fc2beef973cd

SHA256
fd4eeb0356f8a05a8df2f9f79ed1d917385a813750fa365428cf4366d59e0113

SHA512
6db4d835193b6ffe31cec3b44867bc6d660763e02f8aa21abec062055d3b0e771b90f9c6901b8a2ead842ed232aef30d9739907bfbd668a0dd6374393000af5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgzspkiv.0oz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.6MB

MD5
b98d491ead30f30e61bc3e865ab72f18

SHA1
db165369b7f2ae513b51c4f3def9ea2668268221

SHA256
35d5aeb890b99e6bae3e6b863313fbc8a1a554acbcd416fe901b1e1ae2993c98

SHA512
044c9c39bddb13020ed865d3aa30926460ae6ded5fdea59eca2b1cf6a4ded55728d883f19ee0749f95a4d93f66e04fcc62bc3be67119c4ccabd17b003cf5f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\stub.exe

Filesize
15.9MB

MD5
fd8750fd175eb370b023e8c537e9c3fe

SHA1
7e97e886cc82b71781562944eb6b3f792d809739

SHA256
f45051c87cc2e70f1da0ba5ad074f2ff3e29eb02afd4b3a65a7b15506966fc9b

SHA512
73312816a2778aeb4876ccf61559196d8ba44f87d6149f0c1da7b34b1af983f055eb541b82d36d533a2d5f42a8f4bf61d9b0adaf10bb49bf08549293c77de57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1876_133678985021717233\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\L2vmGou6Ll.exe

Filesize
510KB

MD5
74e358f24a40f37c8ffd7fa40d98683a

SHA1
7a330075e6ea3d871eaeefcecdeb1d2feb2fc202

SHA256
0928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6

SHA512
1525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf

Download Submit
C:\Users\Admin\AppData\Roaming\jHCWLD6zCa.exe

Filesize
503KB

MD5
2c2be38fb507206d36dddb3d03096518

SHA1
a16edb81610a080096376d998e5ddc3e4b54bbd6

SHA256
0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

SHA512
e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

Download Submit
memory/336-267-0x00000000002B0000-0x00000000004F3000-memory.dmp

Filesize
2.3MB

Download
memory/336-175-0x00000000002B0000-0x00000000004F3000-memory.dmp

Filesize
2.3MB

Download
memory/336-195-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/740-144-0x0000000000E50000-0x0000000000EA2000-memory.dmp

Filesize
328KB

Download
memory/1272-49-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-238-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-46-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-48-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-20-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-270-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-269-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-449-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-448-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-19-0x0000000000251000-0x000000000027F000-memory.dmp

Filesize
184KB

Download
memory/1272-154-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-157-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-159-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-18-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-436-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-53-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-425-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1272-54-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/1308-146-0x0000000009380000-0x00000000098AC000-memory.dmp

Filesize
5.2MB

Download
memory/1308-38-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/1308-41-0x0000000006870000-0x0000000006E88000-memory.dmp

Filesize
6.1MB

Download
memory/1308-42-0x00000000064D0000-0x00000000065DA000-memory.dmp

Filesize
1.0MB

Download
memory/1308-145-0x00000000084C0000-0x0000000008682000-memory.dmp

Filesize
1.8MB

Download
memory/1308-39-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/1308-43-0x00000000063F0000-0x0000000006402000-memory.dmp

Filesize
72KB

Download
memory/1308-44-0x0000000006450000-0x000000000648C000-memory.dmp

Filesize
240KB

Download
memory/1308-45-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/1308-37-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1308-147-0x0000000008690000-0x00000000086E0000-memory.dmp

Filesize
320KB

Download
memory/1308-47-0x00000000067F0000-0x0000000006856000-memory.dmp

Filesize
408KB

Download
memory/1308-40-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/1536-428-0x000001DDE5A30000-0x000001DDE5B7E000-memory.dmp

Filesize
1.3MB

Download
memory/1536-415-0x000001DDCD3A0000-0x000001DDCD3C2000-memory.dmp

Filesize
136KB

Download
memory/1876-431-0x00007FF608B70000-0x00007FF609617000-memory.dmp

Filesize
10.7MB

Download
memory/1876-447-0x00007FF608B70000-0x00007FF609617000-memory.dmp

Filesize
10.7MB

Download
memory/2036-450-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/2036-451-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/2796-443-0x00007FF6C70A0000-0x00007FF6C80C6000-memory.dmp

Filesize
16.1MB

Download
memory/2796-432-0x00007FF6C70A0000-0x00007FF6C80C6000-memory.dmp

Filesize
16.1MB

Download
memory/3832-96-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3832-99-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3832-120-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3832-97-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3832-100-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3968-244-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/3968-248-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/4024-52-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/4024-51-0x0000000000250000-0x0000000000702000-memory.dmp

Filesize
4.7MB

Download
memory/4224-36-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4476-123-0x0000000000B10000-0x0000000000B96000-memory.dmp

Filesize
536KB

Download
memory/4476-151-0x0000000009740000-0x00000000097B6000-memory.dmp

Filesize
472KB

Download
memory/4476-152-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/4544-125-0x0000000000F40000-0x0000000000FC4000-memory.dmp

Filesize
528KB

Download
memory/4620-194-0x0000000000620000-0x0000000000672000-memory.dmp

Filesize
328KB

Download
memory/4620-211-0x0000000005280000-0x00000000052CC000-memory.dmp

Filesize
304KB

Download
memory/5020-4-0x0000000000D10000-0x00000000011C2000-memory.dmp

Filesize
4.7MB

Download
memory/5020-17-0x0000000000D10000-0x00000000011C2000-memory.dmp

Filesize
4.7MB

Download
memory/5020-1-0x0000000077534000-0x0000000077536000-memory.dmp

Filesize
8KB

Download
memory/5020-2-0x0000000000D11000-0x0000000000D3F000-memory.dmp

Filesize
184KB

Download
memory/5020-0-0x0000000000D10000-0x00000000011C2000-memory.dmp

Filesize
4.7MB

Download
memory/5020-3-0x0000000000D10000-0x00000000011C2000-memory.dmp

Filesize
4.7MB

Download