amadey | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Size

2.8MB
MD5

62cfbf48cbec19b909d15fc91d70cb47
SHA1

1c900301e2fa4b10cc69fb53c160f27254c607c6
SHA256

c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b
SHA512

952f885a05b2474d76cf53607323c06646908470bf30770f2c639c5440421b1ad8c8a130807b0ad38ca88267dff2d52cbdc790aaff827b8e422d04b2148e878c
SSDEEP

49152:2r4wwAxziwgFtvyMcy4MmjQfcMIQVzhzsSWSbnDBQkk:2r7wOefvyMc1MmUflFWSbnDBQkk

Score

10^/10

amadey exelastealer gurcu lumma stealc default_valenciga fed3aa collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://drive-connect.cyou/api

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

lumma

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

gurcu

https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessag

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v_dolg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
50	3256	rundll32.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2980	netsh.exe
4828	netsh.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v_dolg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v_dolg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	defnur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sintv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AllNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	am209.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3184	cmd.exe
4396	powershell.exe

Executes dropped EXE 25 IoCs

pid	Process
1348	axplong.exe
3132	stealc_default2.exe
5032	alexshlu.exe
5080	alexshlu.exe
3960	AllNew.exe
380	Gxtuum.exe
1984	am209.exe
3336	defnur.exe
1648	v_dolg.exe
3204	axplong.exe
4192	defnur.exe
740	Gxtuum.exe
2648	roblox.exe
1840	stub.exe
4440	goldlummaa.exe
1252	goldlummaa.exe
3932	sintv.exe
2056	Out.exe
4636	Out.exe
212	axplong.exe
1172	defnur.exe
4912	Gxtuum.exe
1824	axplong.exe
2692	defnur.exe
2920	Gxtuum.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	axplong.exe

Loads dropped DLL 35 IoCs

pid	Process
3132	stealc_default2.exe
3132	stealc_default2.exe
1840	stub.exe
1840	stub.exe
3256	rundll32.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe
1840	stub.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	v_dolg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2384	cmd.exe
2644	ARP.EXE

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3932	tasklist.exe
1824	tasklist.exe
3304	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2496	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2556	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
1348	axplong.exe
1648	v_dolg.exe
3204	axplong.exe
212	axplong.exe
1824	axplong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5032 set thread context of 5080	5032	alexshlu.exe	87
PID 4440 set thread context of 1252	4440	goldlummaa.exe	116

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	sintv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	sintv.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe
File created	C:\Windows\Tasks\defnur.job	am209.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4936	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023ccd-298.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3580	1252	WerFault.exe	116
3304	1252	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goldlummaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alexshlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v_dolg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goldlummaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Out.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Out.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alexshlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	am209.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1844	cmd.exe
908	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3076	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3448	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2700	ipconfig.exe
3076	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
400	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4104	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2556	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
2556	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
1348	axplong.exe
1348	axplong.exe
3132	stealc_default2.exe
3132	stealc_default2.exe
3132	stealc_default2.exe
3132	stealc_default2.exe
1648	v_dolg.exe
1648	v_dolg.exe
3204	axplong.exe
3204	axplong.exe
4396	powershell.exe
4396	powershell.exe
4396	powershell.exe
1252	goldlummaa.exe
1252	goldlummaa.exe
1252	goldlummaa.exe
1252	goldlummaa.exe
3932	sintv.exe
3932	sintv.exe
4636	Out.exe
4636	Out.exe
4636	Out.exe
4636	Out.exe
212	axplong.exe
212	axplong.exe
1824	axplong.exe
1824	axplong.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	624	WMIC.exe
Token: SeSecurityPrivilege	624	WMIC.exe
Token: SeTakeOwnershipPrivilege	624	WMIC.exe
Token: SeLoadDriverPrivilege	624	WMIC.exe
Token: SeSystemProfilePrivilege	624	WMIC.exe
Token: SeSystemtimePrivilege	624	WMIC.exe
Token: SeProfSingleProcessPrivilege	624	WMIC.exe
Token: SeIncBasePriorityPrivilege	624	WMIC.exe
Token: SeCreatePagefilePrivilege	624	WMIC.exe
Token: SeBackupPrivilege	624	WMIC.exe
Token: SeRestorePrivilege	624	WMIC.exe
Token: SeShutdownPrivilege	624	WMIC.exe
Token: SeDebugPrivilege	624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	624	WMIC.exe
Token: SeRemoteShutdownPrivilege	624	WMIC.exe
Token: SeUndockPrivilege	624	WMIC.exe
Token: SeManageVolumePrivilege	624	WMIC.exe
Token: 33	624	WMIC.exe
Token: 34	624	WMIC.exe
Token: 35	624	WMIC.exe
Token: 36	624	WMIC.exe
Token: SeDebugPrivilege	3932	tasklist.exe
Token: SeIncreaseQuotaPrivilege	624	WMIC.exe
Token: SeSecurityPrivilege	624	WMIC.exe
Token: SeTakeOwnershipPrivilege	624	WMIC.exe
Token: SeLoadDriverPrivilege	624	WMIC.exe
Token: SeSystemProfilePrivilege	624	WMIC.exe
Token: SeSystemtimePrivilege	624	WMIC.exe
Token: SeProfSingleProcessPrivilege	624	WMIC.exe
Token: SeIncBasePriorityPrivilege	624	WMIC.exe
Token: SeCreatePagefilePrivilege	624	WMIC.exe
Token: SeBackupPrivilege	624	WMIC.exe
Token: SeRestorePrivilege	624	WMIC.exe
Token: SeShutdownPrivilege	624	WMIC.exe
Token: SeDebugPrivilege	624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	624	WMIC.exe
Token: SeRemoteShutdownPrivilege	624	WMIC.exe
Token: SeUndockPrivilege	624	WMIC.exe
Token: SeManageVolumePrivilege	624	WMIC.exe
Token: 33	624	WMIC.exe
Token: 34	624	WMIC.exe
Token: 35	624	WMIC.exe
Token: 36	624	WMIC.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2556	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
3960	AllNew.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1348	2556	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe	83
PID 2556 wrote to memory of 1348	2556	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe	83
PID 2556 wrote to memory of 1348	2556	c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe	83
PID 1348 wrote to memory of 3132	1348	axplong.exe	84
PID 1348 wrote to memory of 3132	1348	axplong.exe	84
PID 1348 wrote to memory of 3132	1348	axplong.exe	84
PID 1348 wrote to memory of 5032	1348	axplong.exe	85
PID 1348 wrote to memory of 5032	1348	axplong.exe	85
PID 1348 wrote to memory of 5032	1348	axplong.exe	85
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 5032 wrote to memory of 5080	5032	alexshlu.exe	87
PID 1348 wrote to memory of 3960	1348	axplong.exe	95
PID 1348 wrote to memory of 3960	1348	axplong.exe	95
PID 1348 wrote to memory of 3960	1348	axplong.exe	95
PID 3960 wrote to memory of 380	3960	AllNew.exe	96
PID 3960 wrote to memory of 380	3960	AllNew.exe	96
PID 3960 wrote to memory of 380	3960	AllNew.exe	96
PID 1348 wrote to memory of 1984	1348	axplong.exe	97
PID 1348 wrote to memory of 1984	1348	axplong.exe	97
PID 1348 wrote to memory of 1984	1348	axplong.exe	97
PID 1984 wrote to memory of 3336	1984	am209.exe	100
PID 1984 wrote to memory of 3336	1984	am209.exe	100
PID 1984 wrote to memory of 3336	1984	am209.exe	100
PID 1348 wrote to memory of 1648	1348	axplong.exe	101
PID 1348 wrote to memory of 1648	1348	axplong.exe	101
PID 1348 wrote to memory of 1648	1348	axplong.exe	101
PID 1348 wrote to memory of 2648	1348	axplong.exe	110
PID 1348 wrote to memory of 2648	1348	axplong.exe	110
PID 2648 wrote to memory of 1840	2648	roblox.exe	112
PID 2648 wrote to memory of 1840	2648	roblox.exe	112
PID 3336 wrote to memory of 3256	3336	defnur.exe	113
PID 3336 wrote to memory of 3256	3336	defnur.exe	113
PID 3336 wrote to memory of 3256	3336	defnur.exe	113
PID 1348 wrote to memory of 4440	1348	axplong.exe	114
PID 1348 wrote to memory of 4440	1348	axplong.exe	114
PID 1348 wrote to memory of 4440	1348	axplong.exe	114
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 4440 wrote to memory of 1252	4440	goldlummaa.exe	116
PID 1840 wrote to memory of 1540	1840	stub.exe	118
PID 1840 wrote to memory of 1540	1840	stub.exe	118
PID 1840 wrote to memory of 2772	1840	stub.exe	119
PID 1840 wrote to memory of 2772	1840	stub.exe	119
PID 1840 wrote to memory of 1680	1840	stub.exe	120
PID 1840 wrote to memory of 1680	1840	stub.exe	120
PID 2772 wrote to memory of 624	2772	cmd.exe	121
PID 2772 wrote to memory of 624	2772	cmd.exe	121
PID 1680 wrote to memory of 3932	1680	cmd.exe	122
PID 1680 wrote to memory of 3932	1680	cmd.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
"C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3132
- - C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe
    "C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe
      "C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5080
- - C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
    "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:380
- - C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
    "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
      "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3256
- - C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe
    "C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
    "C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\stub.exe
      C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:2496
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:2948
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:1828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        
        PID:3996
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:2632
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:3184
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:4556
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:4308
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:2384
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:400
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:4776
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:3260
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:4340
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:4104
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:2948
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:1648
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:4664
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:4056
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:2036
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:1644
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:5084
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:3880
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4912
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:2904
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:3304
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:2700
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:1808
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:2644
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3076
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:4936
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4828
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1844
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1172
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3056
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4484
- - C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe
    "C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe
      "C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1260
        5⤵
        Program crash
        
        PID:3580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1476
        5⤵
        Program crash
        
        PID:3304
- - C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe
    "C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3932
  - - C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp8B74.tmp"
      4⤵
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe
    "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe
      "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4636

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1252 -ip 1252
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1252 -ip 1252
1⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe

Filesize
809KB

MD5
9821fa45714f3b4538cc017320f6f7e5

SHA1
5bf0752889cefd64dab0317067d5e593ba32e507

SHA256
fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72

SHA512
90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe

Filesize
429KB

MD5
ce27255f0ef33ce6304e54d171e6547c

SHA1
e594c6743d869c852bf7a09e7fe8103b25949b6e

SHA256
82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c

SHA512
96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe

Filesize
3.6MB

MD5
378706614b22957208e09fc84fceece8

SHA1
d35e1f89f36aed26553b665f791cd69d82136fb8

SHA256
df6e6d5bead4aa34f8e0dd325400a5829265b0f615cd1da48d155cc30b89ad6d

SHA512
bef7a09ce1ffd0a0b169a6ec7c143ca322c929139ca0af40353502ae22fed455fe10a9b80ba93cc399a88add94f921b7aa801033ddae351f8f8d477781ca476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe

Filesize
10.7MB

MD5
6898eace70e2da82f257bc78cb081b2f

SHA1
5ac5ed21436d8b4c59c0b62836d531844c571d6d

SHA256
bcdd8b7c9ec736765d4596332c0fec1334b035d4456df1ec25b569f9b6431a23

SHA512
ca719707417a095fe092837e870aefc7e8874ef351e27b5b41e40f46a9e2f6cb2ba915858bc3c99a14c2f1288c71c7ddd9c2adee6588d6b43cd3ba276e1585d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe

Filesize
396KB

MD5
876bf2dec67ea8626322d2c268219d76

SHA1
ecb0c0cd486733491804a05cf387f2d04d5e2279

SHA256
08d37bbc1881f5fbfdcc84e3270320bb4d03a3ad4fcdf1d996c9de0ca8f2b425

SHA512
9268392683a9962143f987f069d97016abd1ccd61bb67aa8e3f8d9c4b7aa6168d3c01884ce9023831216b8710eddee2d52fcb3c84dbacefe94cb28fa661b6a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe

Filesize
4.5MB

MD5
38fcaa23700e62fb0b3fc2591f82cc80

SHA1
abedd6ec573a6fede05d15920f3ac3763062c75c

SHA256
fb829a6a8535a443932cd167e8301b5e74c60702b5f7fade7e9f13a736ce72b0

SHA512
5da88a61c716a9891cb225f36f275040d69915c4c731c2a5c042d5c997ca39241a3e9d6646569468d477f47db42462c21b58f2de7f56a84cb145e6cee478eeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe

Filesize
2.5MB

MD5
7ff947867bc70055adffa2164a741b01

SHA1
cff424168c2f6bcef107ebc9bd65590f3ead76ae

SHA256
b6d6628d2dc7dea808eef05180c27abe10a1af245d624aacdacccc52a1eb7b40

SHA512
da507d1847056d0dc2c122c45ecbea4901a81c06890bcdbffc2f18ad4b96f0ac2c2fa9ebde1a315828c74a97af653062a8c50ce70c9b6d6966c48871150747ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
2.8MB

MD5
62cfbf48cbec19b909d15fc91d70cb47

SHA1
1c900301e2fa4b10cc69fb53c160f27254c607c6

SHA256
c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b

SHA512
952f885a05b2474d76cf53607323c06646908470bf30770f2c639c5440421b1ad8c8a130807b0ad38ca88267dff2d52cbdc790aaff827b8e422d04b2148e878c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8B34.tmp

Filesize
2KB

MD5
62453b928eecdf0428f3b5a231749914

SHA1
8e3a3a867481cb584dc103b28a37fbfadf842ea7

SHA256
4e294eb6e36342e8b95b7b4e9d3e64e45d7f45994d4ba2f58e3af30e89c588bf

SHA512
f77f71d7245dcc56c658d1ade260946dbde3b40e22d03df225e4142d7f10d65431dc25e4efe738799772990421de76d2f196b4a7bec504c718fecd4ab4e5885b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
9a3be5cb8635e4df5189c9aaa9c1b3c0

SHA1
9a7ce80c8b4362b7c10294bb1551a6172e656f47

SHA256
958f70959a70caf02c0063fe80f12c4d4d3f822a9fd640a6685c345d98708c26

SHA512
5c538513eba7ebaf7028b924d992b4c32ca323ad44f7a31e21970ed6852ea8b54cf71b2f811e8bf97f2744ee151e001ea52ba43b61cd032cc5a4c886292aac65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytohsikr.uf5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2648_133788323466925281\stub.exe

Filesize
16.1MB

MD5
d09a400f60c7a298e884f90539e9c72f

SHA1
41582ba130bef907e24f87534e7a0fdd37025101

SHA256
700962aa295e2fa207ff522e2f5ca051a2929eb6f252d42c9cb0a56a4f084bfe

SHA512
d8ba2859bb2ea109c1ca33cb924e40bf61db79aefb59324101d9f47a08835d86834790d3bc6bad4151a561ef82265b32d5111bc80f95dce769c5eb4da5116cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F46067429940CD05161D8D28608C764B646C2B30

Filesize
1KB

MD5
e68d54750da4ce6c0e476bb947e48ef8

SHA1
6228c8c30fa6402c279b1e6de15f18cdf7528949

SHA256
c5257bd43177af884a7aa0eaae49ea6d4361608e79ad7e2ea1bbe9bd5ac22841

SHA512
5521bbde35eb1597de915d2e82cd751edf2ca1ef02fbefac722c3d0481ad3c6fdc2ef71c1064aae4a6624d29610b0f744cedbd5a7f9609ddd7b1bde57c0eb45c

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
124KB

MD5
0d3418372c854ee228b78e16ea7059be

SHA1
c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1

SHA256
885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7

SHA512
e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19

Download Submit
memory/212-489-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/212-490-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1252-317-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1252-453-0x00000000043D0000-0x0000000004680000-memory.dmp

Filesize
2.7MB

Download
memory/1252-454-0x00000000043D0000-0x0000000004680000-memory.dmp

Filesize
2.7MB

Download
memory/1252-452-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1252-309-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1348-149-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-21-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-486-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-153-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-488-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-106-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-207-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-56-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-496-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-495-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-494-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-492-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-499-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-20-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-19-0x0000000000961000-0x000000000098F000-memory.dmp

Filesize
184KB

Download
memory/1348-483-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-16-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-461-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-493-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-491-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1348-377-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1648-196-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/1648-169-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/1648-174-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/1648-197-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/1648-173-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/1648-199-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/1824-497-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1824-498-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/1840-480-0x00007FF710880000-0x00007FF7118E9000-memory.dmp

Filesize
16.4MB

Download
memory/1840-396-0x00007FF710880000-0x00007FF7118E9000-memory.dmp

Filesize
16.4MB

Download
memory/2556-2-0x0000000000461000-0x000000000048F000-memory.dmp

Filesize
184KB

Download
memory/2556-1-0x0000000077174000-0x0000000077176000-memory.dmp

Filesize
8KB

Download
memory/2556-18-0x0000000000460000-0x000000000076F000-memory.dmp

Filesize
3.1MB

Download
memory/2556-0-0x0000000000460000-0x000000000076F000-memory.dmp

Filesize
3.1MB

Download
memory/2556-3-0x0000000000460000-0x000000000076F000-memory.dmp

Filesize
3.1MB

Download
memory/2556-4-0x0000000000460000-0x000000000076F000-memory.dmp

Filesize
3.1MB

Download
memory/2648-481-0x00007FF60AA40000-0x00007FF60B512000-memory.dmp

Filesize
10.8MB

Download
memory/2648-482-0x00007FF60AA40000-0x00007FF60B512000-memory.dmp

Filesize
10.8MB

Download
memory/2648-378-0x00007FF60AA40000-0x00007FF60B512000-memory.dmp

Filesize
10.8MB

Download
memory/3132-84-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3132-37-0x0000000000410000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/3132-200-0x0000000000410000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/3204-204-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/3204-202-0x0000000000960000-0x0000000000C6F000-memory.dmp

Filesize
3.1MB

Download
memory/3932-398-0x000001A96E7E0000-0x000001A96E9A2000-memory.dmp

Filesize
1.8MB

Download
memory/3932-395-0x000001A96B9C0000-0x000001A96BE50000-memory.dmp

Filesize
4.6MB

Download
memory/4396-363-0x00000181F9680000-0x00000181F96A2000-memory.dmp

Filesize
136KB

Download
memory/4636-487-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download
memory/4636-485-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download
memory/4636-484-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download
memory/5080-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5080-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download