xtremerat | e74d8e70050e4b107cc18b363f9830c289fff64e60c6dd98e598c3096825645e

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Size

4.3MB
MD5

82515a842317ff8ee1c35812b0433634
SHA1

3ea612a37abd791f616d5fd39f2e2acfef64e24f
SHA256

e74d8e70050e4b107cc18b363f9830c289fff64e60c6dd98e598c3096825645e
SHA512

d940e7c9a812e30d3854b5084469d28baa351b451fe7c5b77915383772333eacdfa774d3711075712c9ad152caf7f1e678a57bad86f983d489301ac5aec9d0c2
SSDEEP

98304:M++l/rWoxd5mBSqRxc60fhAMDubWhkYI+TOvQN:M3Soxd5wRxc6FAbqYI07N

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2440-22-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral1/memory/2440-21-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat
behavioral1/memory/2440-20-0x0000000000C80000-0x0000000001063000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{340331OF-5454-GXI1-8LC0-RH8SGT247631}	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{340331OF-5454-GXI1-8LC0-RH8SGT247631}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exee4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

pid	Process
2652	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe
2016	e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

Loads dropped DLL 9 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exee4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

pid	Process
2440	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
2440	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
2652	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe
2016	e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE
2016	e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exe

description	pid	Process	procid_target
PID 2980 set thread context of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2652 set thread context of 2020	2652	427Proxy Finder Enterprise.exe	49
PID 2020 set thread context of 2016	2020	427Proxy Finder Enterprise.exe	51

Drops file in Windows directory 3 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exee4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	427Proxy Finder Enterprise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	427Proxy Finder Enterprise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

Modifies registry class 44 IoCs

Processes:

427Proxy Finder Enterprise.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 70003100000000001e3d9186100050527e5633325a530000580008000400efbe1e3d91861e3d91862a00000000000000000000000000000000000000000000000000500072006f0078007900460069006e0064006500720045006e0074006500720070007200690073006500000018000000	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	427Proxy Finder Enterprise.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\ = "Object for encoding scriptlets"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\InprocServer32	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	427Proxy Finder Enterprise.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\InprocServer32\ThreadingModel = "Apartment"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\ProgID\ = "Scriptlet.HostEncode"	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 94003100000000002359e02a110050524f4752417e3200007c0008000400efbeee3a851a2359e02a2a00000011010000000001000000000000000000520000000000500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	427Proxy Finder Enterprise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	427Proxy Finder Enterprise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{454ACC53-A260-EDEC-22D9-FA0F22D9FA0F}\ProgID	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	427Proxy Finder Enterprise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	427Proxy Finder Enterprise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	427Proxy Finder Enterprise.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

427Proxy Finder Enterprise.exe

pid	Process
2020	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

427Proxy Finder Enterprise.exe

pid	Process
2020	427Proxy Finder Enterprise.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

427Proxy Finder Enterprise.exe427Proxy Finder Enterprise.exe

pid	Process
2652	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	pid	Process
Token: 33	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Token: 33	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe427Proxy Finder Enterprise.exe

pid	Process
2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
2440	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
2020	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe
2020	427Proxy Finder Enterprise.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2440	2980	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2980	1908	82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\82515a842317ff8ee1c35812b0433634_JaffaCakes118.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2440
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2920
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe
      "C:\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe
        
        "C:\Program Files (x86)\ProxyFinderEnterprise\ProxyFinder.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\SKEL\e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE
        
        "C:\Program Files (x86)\ThinstallPlugins\QualityAgent.exe" -Report "Proxy Finder Enterprise Edition" "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\%Local AppData%\Microsoft\Windows\Explorer\thumbcache_1024.db

Filesize
24B

MD5
b623140136560adaf3786e262c01676f

SHA1
7143c103e1d52c99eeaa3b11beb9f02d2c50ca3d

SHA256
ee3e1212dbd47e058e30b119a92f853d3962558065fa3065ad5c1d47654c4140

SHA512
68528a7eb0efd59bed8e77edbee80ec654ec3b8f58a82b1c8ce594dcd3aba07af28268aa83f161837f63ff4278068238aa294e0b5649a688db5a483314df6700

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\%Local AppData%\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1024KB

MD5
8c3868c07ef1b73c62b27e22cea3f532

SHA1
7c22e2bc74edf133e40d92803566dbab2e57c35b

SHA256
8779fcb5fe70cec877a8b5f7e5019abfe7cbc62d563872879354b3a9bdf52068

SHA512
ca3b53f47439435a90027eea1faae1867b3c9867af900db7cccf232e8ef8c0b78a544765d4b9b08a2b60d9a0438240d2adab29df95fa612d92db3b13e68d859c

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\%Local AppData%\Microsoft\Windows\Explorer\thumbcache_32.db

Filesize
24B

MD5
ae08a2f7fbf44ad3cb6cbc529df8b1dd

SHA1
bb2665ee5cd1821d48cca1cb07cdfde9ed6081a6

SHA256
8429d5c6eb134eb64d8b0f3ecce83ab4d4d16e73c2d76993163372692b65ea8f

SHA512
4ba54d565403b82b8c293acc2da5a4c6bbbe5278ea9449720b18901f58a68c3e91c494d763a3de4f3c295bad5685156552c2979453a8765e0b994c28f378f089

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\%Local AppData%\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
24B

MD5
3e9c4eaba2c54dfe525197d54dc10532

SHA1
4b71d8970e657835ebceee5ec79faea2c1422fbe

SHA256
05da3daa836dc6ed72144dff35f8d90396b4d524dc35ef8d8cd01d86855be858

SHA512
d6c71d6d749ee3599216208ae7bb0dbb45153cec956c447756c826b06dee139df0903e18400cc73d143164a6e766e29ac7e6f6aed9b2f865b5bcf55caf2f5177

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\%Local AppData%\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
3KB

MD5
568642376fee35b59a9364e36683b87e

SHA1
53a3204f07fe45a6eefa4bf97bcfa4e0498e2bc7

SHA256
bcfaad738d8973dbbf1091668f1f8573e6f356402a700b49bd22b7dfdf06d37c

SHA512
02631b1c5ceb38545231802180b98b4eb56c0ff29a507d74abac1a9a2169cfff3458569424e6ac2a091643c01ae9499ecb346c11de09ce1045b75884c4015f08

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\%Local AppData%\Microsoft\Windows\Explorer\thumbcache_sr.db

Filesize
24B

MD5
2034995f0bbaa16db835b462eb78152a

SHA1
ce19b1a236f95307067d4979f8dd96c70d69c18a

SHA256
62ce260f5e10fc17bf63faafa39912febf61d20fad51cc11606a295801743799

SHA512
3427f74d944eaaf5a3e1dd22dc566c718be58e4ceb53ba414c72bca974136cac2f1cd8d0a2a0377ce3918c3f83b2480fffbd9088be135fe0fe48c5a499fa6759

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\Registry.rw.tvr

Filesize
4KB

MD5
51b99681adc441e0c182ebcd9d27499b

SHA1
94a1e2c890f740905650b494976d0edbf9476503

SHA256
a603933bd6ca4e29b86dc037901e0104e6afe49d96693e3b67d481e9f93c3f77

SHA512
43b653c8528417a3a7b98ac094166c882d8cc6d51c1be6dd4ca2af582c26ed4f003a655cd0f0441d20b9a23156417b36deb93a7d11ba2abca0e6c7595e3abd6f

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\Registry.rw.tvr.lck

Filesize
60B

MD5
7e565a6a7d5f2b66f29984c8e1d480b2

SHA1
30f517d31d1bfbbb630a70cca30059f57fc74075

SHA256
391780fd5161a7e12fe02e3abd03f9bc02723e3fe7c84eb18615ebc90dbb452c

SHA512
55e1b65305ed140760f47e0f526f8c35b92bd057ebcd29aeada448fd8e0fdcbff96a31fc4b8b31873dff273ef06473a5dc1045fb129ed1bbdf9c30f53417655d

Download Submit
\Users\Admin\AppData\Local\Temp\427Proxy Finder Enterprise.exe

Filesize
3.8MB

MD5
9c8926f5976018c2f57b84930ac6bc68

SHA1
a04699c4305f35db7114dc1d71449000079a4b3c

SHA256
a00dae1931890c63824bfc89bd8ed94c0c45696ea5807b4020b40811e6814b4c

SHA512
e9a50d01a707a5cc287ef58e99506c657c822e1b8689f945c794a65f671da65bf04d32dc7260bed80667b6b3421900e9a6e8834572753f2ba866b242872d92d2

Download Submit
\Users\Admin\AppData\Roaming\Thinstall\Proxy Finder Enterprise Edition\SKEL\e4e38edfd6e5abbd18dc7e9a1e1879bb4e89.Console.EXE

Filesize
16KB

MD5
8c9dcac3b17dd5365b76942428219382

SHA1
0e04e308edfd6e5abbd18dc7e90a1e1879bb4e89

SHA256
4b77030d9baedccac0c9192cd52723d335e375f64035c360d5dce68f50d770e6

SHA512
e32592fcc4515747378cec846171afb7462222f0c198057c707d28d67b27e6b024a8706ade7fa293af6403dd1e5d69e2b84c6407079b538310e5c2711c7efe95

Download Submit
memory/1908-0-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1908-32-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1908-2-0x0000000002C50000-0x00000000030F6000-memory.dmp

Filesize
4.6MB

Download
memory/1908-23-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2016-164-0x00000000022B0000-0x00000000022B5000-memory.dmp

Filesize
20KB

Download
memory/2016-165-0x00000000022B0000-0x00000000022B5000-memory.dmp

Filesize
20KB

Download
memory/2016-141-0x0000000079BF0000-0x0000000079BF4000-memory.dmp

Filesize
16KB

Download
memory/2020-102-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-84-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-340-0x0000000002380000-0x0000000002384000-memory.dmp

Filesize
16KB

Download
memory/2020-92-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-93-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-94-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-95-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-100-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-91-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-82-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-83-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-88-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-90-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/2020-103-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-101-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-89-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-85-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-86-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-87-0x00000000004C0000-0x0000000000620000-memory.dmp

Filesize
1.4MB

Download
memory/2020-140-0x0000000002380000-0x0000000002384000-memory.dmp

Filesize
16KB

Download
memory/2020-139-0x0000000002380000-0x0000000002384000-memory.dmp

Filesize
16KB

Download
memory/2020-138-0x0000000002370000-0x0000000002374000-memory.dmp

Filesize
16KB

Download
memory/2440-31-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2440-22-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/2440-21-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/2440-338-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/2440-339-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/2440-44-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/2440-39-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/2440-20-0x0000000000C80000-0x0000000001063000-memory.dmp

Filesize
3.9MB

Download
memory/2652-53-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-56-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-46-0x0000000079BF0000-0x0000000079BF5000-memory.dmp

Filesize
20KB

Download
memory/2652-49-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-229-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/2652-51-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-73-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-79-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-69-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-72-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-68-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-67-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-66-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-65-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-60-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-59-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-57-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-48-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-54-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-55-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-58-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-52-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2652-50-0x0000000001CD0000-0x0000000001E30000-memory.dmp

Filesize
1.4MB

Download
memory/2980-10-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2980-19-0x0000000003B60000-0x0000000004006000-memory.dmp

Filesize
4.6MB

Download
memory/2980-12-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2980-11-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2980-9-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2980-4-0x00000000020E0000-0x000000000212B000-memory.dmp

Filesize
300KB

Download
memory/2980-3-0x000000000046A000-0x000000000046B000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2980-15-0x00000000020E0000-0x000000000212B000-memory.dmp

Filesize
300KB

Download
memory/2980-14-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2980-13-0x00000000020E0000-0x000000000212B000-memory.dmp

Filesize
300KB

Download
memory/2980-30-0x00000000020E0000-0x000000000212B000-memory.dmp

Filesize
300KB

Download