amadey | 18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b

Analysis

max time kernel
129s
max time network
124s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
31-03-2023 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe
Size

993KB
MD5

db6d56f9bfcdffea6a321d50af01a8c8
SHA1

daf60eebc4d9f2b1a884004e80d7cba302a4a000
SHA256

18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b
SHA512

51565678980246126f13a0159a255ddff06653d12def33847b81816f9e5ce7537b7e77668217c55e3d33871386a4f9363fe7c7a52a2da36b32d00b0afebe98ca
SSDEEP

12288:nMruy90NBABu/wo+I/2G/AYk/s+4L5lfaHA/S1nAQf3Xk2OvsbH8/NKKWME5E9IF:NyEV/r+IhRSqDJ/qnk2O0K85HGZqH/v

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz3641.exev3272FT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3641.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3272FT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3272FT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3272FT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3272FT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3641.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3641.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3641.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3641.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3272FT.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3564-198-0x00000000022C0000-0x0000000002306000-memory.dmp	family_redline
behavioral1/memory/3564-199-0x0000000004A90000-0x0000000004AD4000-memory.dmp	family_redline
behavioral1/memory/3564-200-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-201-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-203-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-205-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-207-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-209-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-211-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-213-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-215-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-217-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-219-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-223-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-221-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-225-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-227-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-235-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-231-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3564-237-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

zap9246.exezap1366.exezap2491.exetz3641.exev3272FT.exew48Ze27.exexGyYt00.exey65sl99.exeoneetx.exebuildghost.exeoneetx.exeoneetx.exe

pid	process
2680	zap9246.exe
3412	zap1366.exe
4092	zap2491.exe
5108	tz3641.exe
4008	v3272FT.exe
3564	w48Ze27.exe
3504	xGyYt00.exe
4612	y65sl99.exe
5076	oneetx.exe
596	buildghost.exe
504	oneetx.exe
2312	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1592 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1592	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v3272FT.exetz3641.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3272FT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3272FT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3641.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2491.exe18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exezap9246.exezap1366.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2491.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap2491.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9246.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9246.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1366.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4788 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz3641.exev3272FT.exew48Ze27.exexGyYt00.exe

pid process

5108 tz3641.exe
5108 tz3641.exe
4008 v3272FT.exe
4008 v3272FT.exe
3564 w48Ze27.exe
3564 w48Ze27.exe
3504 xGyYt00.exe
3504 xGyYt00.exe

flow	ioc
22	ip-api.com

pid	process
4788	schtasks.exe

pid	process
5108	tz3641.exe
5108	tz3641.exe
4008	v3272FT.exe
4008	v3272FT.exe
3564	w48Ze27.exe
3564	w48Ze27.exe
3504	xGyYt00.exe
3504	xGyYt00.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz3641.exev3272FT.exew48Ze27.exexGyYt00.exebuildghost.exe

description	pid	process
Token: SeDebugPrivilege	5108	tz3641.exe
Token: SeDebugPrivilege	4008	v3272FT.exe
Token: SeDebugPrivilege	3564	w48Ze27.exe
Token: SeDebugPrivilege	3504	xGyYt00.exe
Token: SeDebugPrivilege	596	buildghost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y65sl99.exe

pid process

4612 y65sl99.exe

pid	process
4612	y65sl99.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exezap9246.exezap1366.exezap2491.exey65sl99.exeoneetx.execmd.exe

description	pid	process	target process
PID 1012 wrote to memory of 2680	1012	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe	zap9246.exe
PID 1012 wrote to memory of 2680	1012	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe	zap9246.exe
PID 1012 wrote to memory of 2680	1012	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe	zap9246.exe
PID 2680 wrote to memory of 3412	2680	zap9246.exe	zap1366.exe
PID 2680 wrote to memory of 3412	2680	zap9246.exe	zap1366.exe
PID 2680 wrote to memory of 3412	2680	zap9246.exe	zap1366.exe
PID 3412 wrote to memory of 4092	3412	zap1366.exe	zap2491.exe
PID 3412 wrote to memory of 4092	3412	zap1366.exe	zap2491.exe
PID 3412 wrote to memory of 4092	3412	zap1366.exe	zap2491.exe
PID 4092 wrote to memory of 5108	4092	zap2491.exe	tz3641.exe
PID 4092 wrote to memory of 5108	4092	zap2491.exe	tz3641.exe
PID 4092 wrote to memory of 4008	4092	zap2491.exe	v3272FT.exe
PID 4092 wrote to memory of 4008	4092	zap2491.exe	v3272FT.exe
PID 4092 wrote to memory of 4008	4092	zap2491.exe	v3272FT.exe
PID 3412 wrote to memory of 3564	3412	zap1366.exe	w48Ze27.exe
PID 3412 wrote to memory of 3564	3412	zap1366.exe	w48Ze27.exe
PID 3412 wrote to memory of 3564	3412	zap1366.exe	w48Ze27.exe
PID 2680 wrote to memory of 3504	2680	zap9246.exe	xGyYt00.exe
PID 2680 wrote to memory of 3504	2680	zap9246.exe	xGyYt00.exe
PID 2680 wrote to memory of 3504	2680	zap9246.exe	xGyYt00.exe
PID 1012 wrote to memory of 4612	1012	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe	y65sl99.exe
PID 1012 wrote to memory of 4612	1012	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe	y65sl99.exe
PID 1012 wrote to memory of 4612	1012	18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe	y65sl99.exe
PID 4612 wrote to memory of 5076	4612	y65sl99.exe	oneetx.exe
PID 4612 wrote to memory of 5076	4612	y65sl99.exe	oneetx.exe
PID 4612 wrote to memory of 5076	4612	y65sl99.exe	oneetx.exe
PID 5076 wrote to memory of 4788	5076	oneetx.exe	schtasks.exe
PID 5076 wrote to memory of 4788	5076	oneetx.exe	schtasks.exe
PID 5076 wrote to memory of 4788	5076	oneetx.exe	schtasks.exe
PID 5076 wrote to memory of 3148	5076	oneetx.exe	cmd.exe
PID 5076 wrote to memory of 3148	5076	oneetx.exe	cmd.exe
PID 5076 wrote to memory of 3148	5076	oneetx.exe	cmd.exe
PID 3148 wrote to memory of 4792	3148	cmd.exe	cmd.exe
PID 3148 wrote to memory of 4792	3148	cmd.exe	cmd.exe
PID 3148 wrote to memory of 4792	3148	cmd.exe	cmd.exe
PID 3148 wrote to memory of 4228	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 4228	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 4228	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 3208	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 3208	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 3208	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 1492	3148	cmd.exe	cmd.exe
PID 3148 wrote to memory of 1492	3148	cmd.exe	cmd.exe
PID 3148 wrote to memory of 1492	3148	cmd.exe	cmd.exe
PID 3148 wrote to memory of 4192	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 4192	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 4192	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 5100	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 5100	3148	cmd.exe	cacls.exe
PID 3148 wrote to memory of 5100	3148	cmd.exe	cacls.exe
PID 5076 wrote to memory of 596	5076	oneetx.exe	buildghost.exe
PID 5076 wrote to memory of 596	5076	oneetx.exe	buildghost.exe
PID 5076 wrote to memory of 1592	5076	oneetx.exe	rundll32.exe
PID 5076 wrote to memory of 1592	5076	oneetx.exe	rundll32.exe
PID 5076 wrote to memory of 1592	5076	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe
"C:\Users\Admin\AppData\Local\Temp\18fb2e7f61c10229948126c6b6cef0e86c3e92f0271535d004090cbb332cf53b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9246.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9246.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1366.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1366.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2491.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2491.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3641.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3641.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3272FT.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3272FT.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48Ze27.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48Ze27.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGyYt00.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGyYt00.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65sl99.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65sl99.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4792

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:4228

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1492

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4192

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
"C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1592

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:504

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\buildghost.exe
Filesize
51KB

MD5
6dc5093b21da27e63cdee704e910f936

SHA1
5b90c867205a209bf69387a59ed97cc4aef3dc77

SHA256
86fd1820b532ba02bfc4c72c9a6486f2e3f55e3dd44f4ab6f53665b3765984c9

SHA512
f46dffe6ef752eb7801cedd1008156546cfae6e3730a395d64d123eb040bdfd116ee3e2ea42d69ee0f676f1d9577b2549de999711f3cde410e345f57fb249b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65sl99.exe
Filesize
236KB

MD5
2906d81d77f8b9bf13b4beb7083564bb

SHA1
29f567545ea0e4abf2bda2dec004e55594e0191e

SHA256
a629d7455c6f222189afdacfb3e0988d8b829c2e792929bb9a17684fc127a6c8

SHA512
f75d57b03ac14d8d715a74d2380b93fd87731c2f26ce8fb87fa1d1c9031747a3fb2d3fb4d35bbfcc5181310d29335621f9df3fa25cacf773cf05a85cb159224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65sl99.exe
Filesize
236KB

MD5
2906d81d77f8b9bf13b4beb7083564bb

SHA1
29f567545ea0e4abf2bda2dec004e55594e0191e

SHA256
a629d7455c6f222189afdacfb3e0988d8b829c2e792929bb9a17684fc127a6c8

SHA512
f75d57b03ac14d8d715a74d2380b93fd87731c2f26ce8fb87fa1d1c9031747a3fb2d3fb4d35bbfcc5181310d29335621f9df3fa25cacf773cf05a85cb159224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9246.exe
Filesize
816KB

MD5
76adcfaee67676960bc2f84c63960cb0

SHA1
0d80166bc355a9228176e6337ef3eb64042dbb11

SHA256
34d27886c9803a1681db75f565f4e94fc60865bcf9eabd6264d7810d1d7bd1c0

SHA512
9692fe5ca121561756f31d96af12a490799d90b6be6c7fd4ade10cbb1c7f1079dd240c684f3d01c97e1831f068661c95253069a502595a76a111957e3a3b5c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9246.exe
Filesize
816KB

MD5
76adcfaee67676960bc2f84c63960cb0

SHA1
0d80166bc355a9228176e6337ef3eb64042dbb11

SHA256
34d27886c9803a1681db75f565f4e94fc60865bcf9eabd6264d7810d1d7bd1c0

SHA512
9692fe5ca121561756f31d96af12a490799d90b6be6c7fd4ade10cbb1c7f1079dd240c684f3d01c97e1831f068661c95253069a502595a76a111957e3a3b5c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGyYt00.exe
Filesize
175KB

MD5
b0b9968ffb90a0e60294d3f029a3b8bd

SHA1
35441a9b16bdaba2ce54ecfe477479d8589cc46d

SHA256
271fe1a25fb7261ae0dfd0573fa1ec8f80a95cf124f6972e628469b4d108dfa3

SHA512
927b46b2764c7dff5e5281f57cb17dd0c735fdfbce1b70ecb0b694839e91134cddf8898bdae866a1159d67d55dc1d716fc0d13df186567cb1a49aeb7b636fdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGyYt00.exe
Filesize
175KB

MD5
b0b9968ffb90a0e60294d3f029a3b8bd

SHA1
35441a9b16bdaba2ce54ecfe477479d8589cc46d

SHA256
271fe1a25fb7261ae0dfd0573fa1ec8f80a95cf124f6972e628469b4d108dfa3

SHA512
927b46b2764c7dff5e5281f57cb17dd0c735fdfbce1b70ecb0b694839e91134cddf8898bdae866a1159d67d55dc1d716fc0d13df186567cb1a49aeb7b636fdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1366.exe
Filesize
675KB

MD5
5c75289aa9dc33da921ec0a10b99cb41

SHA1
10e4200a3788fa29c7aeced876097555bd492b03

SHA256
c1c9493e7126a84ded1220df6b59fa787ef4a4968ecd77346e4fca3958ce8b10

SHA512
3d78d10587340d5c76aa1fbd28ab64603b2abaf0af32dbdf9e1d0adf7f966cb509ac82e5d4331b4b8cf92f8b5e834db32f659f80c51ebf57f978e0a694886e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1366.exe
Filesize
675KB

MD5
5c75289aa9dc33da921ec0a10b99cb41

SHA1
10e4200a3788fa29c7aeced876097555bd492b03

SHA256
c1c9493e7126a84ded1220df6b59fa787ef4a4968ecd77346e4fca3958ce8b10

SHA512
3d78d10587340d5c76aa1fbd28ab64603b2abaf0af32dbdf9e1d0adf7f966cb509ac82e5d4331b4b8cf92f8b5e834db32f659f80c51ebf57f978e0a694886e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48Ze27.exe
Filesize
318KB

MD5
99ce96e36dcd88442151354c5166f887

SHA1
54d060caad232ee55ad2576362958f54af696e04

SHA256
6e3aa6f46d601f8d62ac9f47eb2ce53cb8d19294e60854d1f7615be9c3866952

SHA512
1fc47d1d658d861db016172efecb6d0b366010c4af2e184fefa573c799d0f0cd9ad3af0afd9cd35300bfef016dfa2550fb40963cbb3e1e4f014df8246a900aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48Ze27.exe
Filesize
318KB

MD5
99ce96e36dcd88442151354c5166f887

SHA1
54d060caad232ee55ad2576362958f54af696e04

SHA256
6e3aa6f46d601f8d62ac9f47eb2ce53cb8d19294e60854d1f7615be9c3866952

SHA512
1fc47d1d658d861db016172efecb6d0b366010c4af2e184fefa573c799d0f0cd9ad3af0afd9cd35300bfef016dfa2550fb40963cbb3e1e4f014df8246a900aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2491.exe
Filesize
334KB

MD5
56a69d748416f2656dea67dad1ba8f5f

SHA1
eb5a6c6f2f30a1d0b4324f7dbf6817df21a8c5e5

SHA256
7a470d8b341eabc7ef4b27bfb9548cfac94c68e6b3b2f4d17723d5464d138791

SHA512
0330bcdc76b647b236c6f38f6e7bf9e9187c1f02aa33fcd48903c41bdcfcdd28da4af84f927062693bd209d308f755279041d1d841c6c2b2a7bde54a6eac8937

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2491.exe
Filesize
334KB

MD5
56a69d748416f2656dea67dad1ba8f5f

SHA1
eb5a6c6f2f30a1d0b4324f7dbf6817df21a8c5e5

SHA256
7a470d8b341eabc7ef4b27bfb9548cfac94c68e6b3b2f4d17723d5464d138791

SHA512
0330bcdc76b647b236c6f38f6e7bf9e9187c1f02aa33fcd48903c41bdcfcdd28da4af84f927062693bd209d308f755279041d1d841c6c2b2a7bde54a6eac8937

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3641.exe
Filesize
11KB

MD5
20454f7830ca57a933dbbf80408bc954

SHA1
df86e9a8df4f6e0482ef9660b6e121b9ebdaadab

SHA256
4e19cd4c9ddea63202b1f3acdd1d0dc05561a32515a63eaf5e50971fba057cc9

SHA512
5d68f22ecddf91515ecd9212795efb920da68bcdea87f410e3005b5d54f0c26543920667ee980bfc2977258c87b1cb64825086db62c473c4a76fd06e66747d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3641.exe
Filesize
11KB

MD5
20454f7830ca57a933dbbf80408bc954

SHA1
df86e9a8df4f6e0482ef9660b6e121b9ebdaadab

SHA256
4e19cd4c9ddea63202b1f3acdd1d0dc05561a32515a63eaf5e50971fba057cc9

SHA512
5d68f22ecddf91515ecd9212795efb920da68bcdea87f410e3005b5d54f0c26543920667ee980bfc2977258c87b1cb64825086db62c473c4a76fd06e66747d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3272FT.exe
Filesize
260KB

MD5
5f462f7ff59c2b754c51eb0455ad9f94

SHA1
44f7dd0f591c8128cacfd6aebbd723c2a5fe2532

SHA256
7bb2ef6ca15482beb28b58660bdf6329d3645c6960cf7ffa397bd63f26e3ea88

SHA512
e3a0c2152490489cb94803f4c41d68552cb3c80ac5a79f6cf90cf370dbef104523823a5798cbf9a3d52ca6fec550c25900fe6a58e02758cf3f68b08ffb626b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3272FT.exe
Filesize
260KB

MD5
5f462f7ff59c2b754c51eb0455ad9f94

SHA1
44f7dd0f591c8128cacfd6aebbd723c2a5fe2532

SHA256
7bb2ef6ca15482beb28b58660bdf6329d3645c6960cf7ffa397bd63f26e3ea88

SHA512
e3a0c2152490489cb94803f4c41d68552cb3c80ac5a79f6cf90cf370dbef104523823a5798cbf9a3d52ca6fec550c25900fe6a58e02758cf3f68b08ffb626b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2906d81d77f8b9bf13b4beb7083564bb

SHA1
29f567545ea0e4abf2bda2dec004e55594e0191e

SHA256
a629d7455c6f222189afdacfb3e0988d8b829c2e792929bb9a17684fc127a6c8

SHA512
f75d57b03ac14d8d715a74d2380b93fd87731c2f26ce8fb87fa1d1c9031747a3fb2d3fb4d35bbfcc5181310d29335621f9df3fa25cacf773cf05a85cb159224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2906d81d77f8b9bf13b4beb7083564bb

SHA1
29f567545ea0e4abf2bda2dec004e55594e0191e

SHA256
a629d7455c6f222189afdacfb3e0988d8b829c2e792929bb9a17684fc127a6c8

SHA512
f75d57b03ac14d8d715a74d2380b93fd87731c2f26ce8fb87fa1d1c9031747a3fb2d3fb4d35bbfcc5181310d29335621f9df3fa25cacf773cf05a85cb159224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2906d81d77f8b9bf13b4beb7083564bb

SHA1
29f567545ea0e4abf2bda2dec004e55594e0191e

SHA256
a629d7455c6f222189afdacfb3e0988d8b829c2e792929bb9a17684fc127a6c8

SHA512
f75d57b03ac14d8d715a74d2380b93fd87731c2f26ce8fb87fa1d1c9031747a3fb2d3fb4d35bbfcc5181310d29335621f9df3fa25cacf773cf05a85cb159224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2906d81d77f8b9bf13b4beb7083564bb

SHA1
29f567545ea0e4abf2bda2dec004e55594e0191e

SHA256
a629d7455c6f222189afdacfb3e0988d8b829c2e792929bb9a17684fc127a6c8

SHA512
f75d57b03ac14d8d715a74d2380b93fd87731c2f26ce8fb87fa1d1c9031747a3fb2d3fb4d35bbfcc5181310d29335621f9df3fa25cacf773cf05a85cb159224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
2906d81d77f8b9bf13b4beb7083564bb

SHA1
29f567545ea0e4abf2bda2dec004e55594e0191e

SHA256
a629d7455c6f222189afdacfb3e0988d8b829c2e792929bb9a17684fc127a6c8

SHA512
f75d57b03ac14d8d715a74d2380b93fd87731c2f26ce8fb87fa1d1c9031747a3fb2d3fb4d35bbfcc5181310d29335621f9df3fa25cacf773cf05a85cb159224c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
memory/596-1166-0x000001797C880000-0x000001797C892000-memory.dmp

Filesize
72KB

Download
memory/596-1167-0x000001797EDF0000-0x000001797EE40000-memory.dmp

Filesize
320KB

Download
memory/596-1168-0x000001797EE70000-0x000001797EE80000-memory.dmp

Filesize
64KB

Download
memory/3504-1134-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3504-1133-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3504-1132-0x00000000059E0000-0x0000000005A2B000-memory.dmp

Filesize
300KB

Download
memory/3504-1131-0x0000000000FA0000-0x0000000000FD2000-memory.dmp

Filesize
200KB

Download
memory/3564-1124-0x0000000008A70000-0x0000000008F9C000-memory.dmp

Filesize
5.2MB

Download
memory/3564-1116-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/3564-1125-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3564-198-0x00000000022C0000-0x0000000002306000-memory.dmp

Filesize
280KB

Download
memory/3564-199-0x0000000004A90000-0x0000000004AD4000-memory.dmp

Filesize
272KB

Download
memory/3564-200-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-201-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-203-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-205-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-207-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-209-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-211-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-213-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-215-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-217-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-219-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-223-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-221-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-225-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-227-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-230-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3564-232-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3564-235-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-234-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3564-231-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-229-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/3564-237-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3564-1110-0x0000000005780000-0x0000000005D86000-memory.dmp

Filesize
6.0MB

Download
memory/3564-1111-0x0000000004B40000-0x0000000004C4A000-memory.dmp

Filesize
1.0MB

Download
memory/3564-1112-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/3564-1113-0x00000000051B0000-0x00000000051EE000-memory.dmp

Filesize
248KB

Download
memory/3564-1114-0x0000000005300000-0x000000000534B000-memory.dmp

Filesize
300KB

Download
memory/3564-1115-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3564-1123-0x0000000008890000-0x0000000008A52000-memory.dmp

Filesize
1.8MB

Download
memory/3564-1117-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/3564-1119-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3564-1120-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3564-1121-0x00000000087A0000-0x0000000008816000-memory.dmp

Filesize
472KB

Download
memory/3564-1122-0x0000000008830000-0x0000000008880000-memory.dmp

Filesize
320KB

Download
memory/4008-177-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-191-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4008-171-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-169-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-183-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-189-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-187-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-185-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-181-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-173-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-179-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-175-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-193-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4008-190-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4008-167-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-163-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-165-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-162-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/4008-160-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4008-161-0x0000000002450000-0x0000000002468000-memory.dmp

Filesize
96KB

Download
memory/4008-159-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4008-157-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4008-158-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4008-156-0x0000000004A80000-0x0000000004F7E000-memory.dmp

Filesize
5.0MB

Download
memory/4008-155-0x0000000002080000-0x000000000209A000-memory.dmp

Filesize
104KB

Download
memory/5108-149-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download