xtremerat | a58eb70c9e826fad3872d70134cb945ef72d0865407b066090408cce53a38b23

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
Size

3.9MB
MD5

a91a9b39b94464b44184730ddf5c9ea2
SHA1

0a07247bf87258f8205f6380819086f0c22d081d
SHA256

a58eb70c9e826fad3872d70134cb945ef72d0865407b066090408cce53a38b23
SHA512

3d4bdf2a1745f19d350f0b83d2491d155b3256ca5fe2e74a02bfcc099e906d90f6e1fdcecf13bdeb9689518ddde31584fa85b68c1bfb1b0f40e637440d698e26
SSDEEP

98304:eBXC0RWM6bbpdl6Jz1leThe1hJKS3cTcKlEJZL9TAgAI:elCHM6bbLl6JZlKheJKSMcDZL9TAA

Score

10^/10

xtremerat aspackv2 bootkit discovery evasion persistence phishing rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
asd3q2da211a

Extracted

Family

xtremerat

412341.sytes.net

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015cd1-28.dat	family_xtremerat
behavioral1/memory/2176-50-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1164-58-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2716-59-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1164-61-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart"	Update.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart"	svchost.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000016d54-232.dat	aspack_v212_v242
behavioral1/files/0x0006000000016d67-253.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
3024	Audio.exe
2828	setup.exe
2716	Update.exe
2832	GLB6D53.tmp
1608	Ent.exe
1576	srv64.exe

Loads dropped DLL 59 IoCs

pid	Process
2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
3024	Audio.exe
3024	Audio.exe
2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
2828	setup.exe
2828	setup.exe
2828	setup.exe
2828	setup.exe
2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
2716	Update.exe
2716	Update.exe
2716	Update.exe
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
2832	GLB6D53.tmp
1608	Ent.exe
2832	GLB6D53.tmp
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysAudio.exe"	Audio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Ent.exe
File opened (read-only)	\??\J:	Ent.exe
File opened (read-only)	\??\K:	Ent.exe
File opened (read-only)	\??\M:	Ent.exe
File opened (read-only)	\??\N:	Ent.exe
File opened (read-only)	\??\Q:	Ent.exe
File opened (read-only)	\??\R:	Ent.exe
File opened (read-only)	\??\U:	Ent.exe
File opened (read-only)	\??\B:	Ent.exe
File opened (read-only)	\??\Y:	Ent.exe
File opened (read-only)	\??\Z:	Ent.exe
File opened (read-only)	\??\X:	Ent.exe
File opened (read-only)	\??\I:	Ent.exe
File opened (read-only)	\??\L:	Ent.exe
File opened (read-only)	\??\P:	Ent.exe
File opened (read-only)	\??\V:	Ent.exe
File opened (read-only)	\??\A:	Ent.exe
File opened (read-only)	\??\H:	Ent.exe
File opened (read-only)	\??\O:	Ent.exe
File opened (read-only)	\??\S:	Ent.exe
File opened (read-only)	\??\T:	Ent.exe
File opened (read-only)	\??\W:	Ent.exe
File opened (read-only)	\??\E:	Ent.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Ent.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB6D53.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1608	Ent.exe

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EssNetTools\~GLH0006.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\license.txt	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0008.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\srv64.exe	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\system-oids.txt	GLB6D53.tmp
File created	C:\PROGRA~2\ESSNET~1\INSTALL.LOG	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0005.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\prop.exe	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000f.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\RFC1514-HOSTS.MIB	GLB6D53.tmp
File opened for modification	C:\PROGRA~2\ESSNET~1\INSTALL.LOG	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0009.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000d.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0011.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001c.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\UNWISE.EXE	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000a.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\passlist.txt	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000e.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0012.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\RFC1213-MIB.MIB	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\client32.dll	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0014.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\swlaunch.dll	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0002.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0007.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\readme.txt	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\ss.dll	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\ntools.dll	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\s1.wav	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\1049.tlf	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\~GLH0017.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\MSFT.MIB	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\userlist.txt	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001b.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\LMMIB2.MIB	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0004.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\s2.wav	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0015.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001a.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0003.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\1031.tlf	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001e.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\LANG.INI	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\Ent.exe	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0010.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\INETSRV.MIB	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\entutil.dll	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\~GLH0016.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\enterprise-numbers.txt	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH0018.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\RFC1155-SMI.MIB	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000c.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\prop64.exe	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH0013.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\1034.tlf	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\~GLH000b.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\Ent.chm	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH0019.TMP	GLB6D53.tmp
File created	C:\Program Files (x86)\EssNetTools\SNMP\MIB\~GLH001d.TMP	GLB6D53.tmp
File opened for modification	C:\Program Files (x86)\EssNetTools\SNMP\MIB\LMALRT2.MIB	GLB6D53.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\InstallDir\Shell.exe	Update.exe
File opened for modification	C:\Windows\InstallDir\	Update.exe
File opened for modification	C:\Windows\InstallDir\Shell.exe	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLB6D53.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.E4L\ = "EssNetTools.License"	GLB6D53.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License	GLB6D53.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell\open\command	GLB6D53.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell	GLB6D53.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell\open\command\ = "C:\\PROGRA~2\\ESSNET~1\\Ent.exe \"%1\""	GLB6D53.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Ent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Ent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.E4L	GLB6D53.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\ = "Essential NetTools License"	GLB6D53.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EssNetTools.License\shell\open	GLB6D53.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Ent.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
296	reg.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1608	Ent.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeRestorePrivilege	2716	Update.exe
Token: SeBackupPrivilege	2716	Update.exe
Token: SeDebugPrivilege	3024	Audio.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe
Token: SeDebugPrivilege	1608	Ent.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1608	Ent.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1608	Ent.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1164	explorer.exe
3024	Audio.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe
1608	Ent.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3024	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	30
PID 2816 wrote to memory of 3024	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	30
PID 2816 wrote to memory of 3024	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	30
PID 2816 wrote to memory of 3024	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	30
PID 2816 wrote to memory of 3024	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	30
PID 2816 wrote to memory of 3024	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	30
PID 2816 wrote to memory of 3024	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	30
PID 2816 wrote to memory of 2828	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2828	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2828	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2828	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2828	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2828	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2828	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2716	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	33
PID 2816 wrote to memory of 2716	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	33
PID 2816 wrote to memory of 2716	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	33
PID 2816 wrote to memory of 2716	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	33
PID 2816 wrote to memory of 2716	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	33
PID 2816 wrote to memory of 2716	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	33
PID 2816 wrote to memory of 2716	2816	a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe	33
PID 2828 wrote to memory of 2832	2828	setup.exe	32
PID 2828 wrote to memory of 2832	2828	setup.exe	32
PID 2828 wrote to memory of 2832	2828	setup.exe	32
PID 2828 wrote to memory of 2832	2828	setup.exe	32
PID 2828 wrote to memory of 2832	2828	setup.exe	32
PID 2828 wrote to memory of 2832	2828	setup.exe	32
PID 2828 wrote to memory of 2832	2828	setup.exe	32
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 2176	2716	Update.exe	34
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 2716 wrote to memory of 1164	2716	Update.exe	35
PID 3024 wrote to memory of 2092	3024	Audio.exe	36
PID 3024 wrote to memory of 2092	3024	Audio.exe	36
PID 3024 wrote to memory of 2092	3024	Audio.exe	36
PID 3024 wrote to memory of 2092	3024	Audio.exe	36
PID 3024 wrote to memory of 2092	3024	Audio.exe	36
PID 3024 wrote to memory of 2092	3024	Audio.exe	36
PID 3024 wrote to memory of 2092	3024	Audio.exe	36
PID 2092 wrote to memory of 296	2092	cmd.exe	38
PID 2092 wrote to memory of 296	2092	cmd.exe	38
PID 2092 wrote to memory of 296	2092	cmd.exe	38
PID 2092 wrote to memory of 296	2092	cmd.exe	38
PID 2092 wrote to memory of 296	2092	cmd.exe	38
PID 2092 wrote to memory of 296	2092	cmd.exe	38
PID 2092 wrote to memory of 296	2092	cmd.exe	38
PID 2832 wrote to memory of 1608	2832	GLB6D53.tmp	44
PID 2832 wrote to memory of 1608	2832	GLB6D53.tmp	44
PID 2832 wrote to memory of 1608	2832	GLB6D53.tmp	44
PID 2832 wrote to memory of 1608	2832	GLB6D53.tmp	44
PID 2832 wrote to memory of 1608	2832	GLB6D53.tmp	44
PID 2832 wrote to memory of 1608	2832	GLB6D53.tmp	44

C:\Users\Admin\AppData\Local\Temp\a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\Audio.exe
  "C:\Users\Admin\AppData\Local\Temp\Audio.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:296
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\GLB6D53.tmp
    C:\Users\Admin\AppData\Local\Temp\GLB6D53.tmp 4736 C:\Users\Admin\AppData\Local\Temp\setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\PROGRA~2\ESSNET~1\Ent.exe
      "C:\PROGRA~2\ESSNET~1\Ent.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1608
    - - C:\PROGRA~2\ESSNET~1\srv64.exe
        
        "C:\PROGRA~2\ESSNET~1\srv64.exe"
        5⤵
        Executes dropped EXE
        
        PID:1576
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\ESSNET~1\CLIENT32.dll

Filesize
44KB

MD5
d56b88426dfcf5b7f7dcb91f2c815d26

SHA1
33584bc890ea1210c632e433d0996984ac83a27e

SHA256
659204ea1640fb2241cae1cca227788c600780627b949bd70798af5e83bf1ff3

SHA512
fa45db376f29e4d3460b5cc7fc7c66ad10154709f675dc5f2cb16bdc968dceffa0bec277495aa9842f462dce4d53d9657833afe7c7d8a018ba15ea50cd53675d

Download Submit
C:\PROGRA~2\ESSNET~1\ntools.dll

Filesize
11KB

MD5
bda8787a4a296f5178c4e2fbe4c09770

SHA1
3873c48d6c9360cfe46645685949139a68011348

SHA256
37433da15a318cb8d6e46f6f14c013a7ff4b90a41eca9ea1d5c950501631c506

SHA512
4f7813de55289ce57b242bc27943ad4a29fa20495eccc7090aa197ba15be16e2fd34bb6ff1d3c1bf5fc53e8f81304adc25f6da43bc2b9d3a44b3c4290c5717fe

Download Submit
C:\PROGRA~2\ESSNET~1\ss.dll

Filesize
466KB

MD5
1a1078ff177fc65fe8ff8dde49ffb697

SHA1
eef25860a9376f6b45c80c50e8906600a901c1ec

SHA256
8b070dc40d1f3869fe8d0d86ac82dcad8b6b8988bd46f96beb4b35ea7499a60a

SHA512
a63f2d8a4f3122dcde0d58a9fbe29411431dc6b07722a974dda17f7050df68bb5251e6aa50f4dd473fe64b418081913ccfa9b132a5c30149dfb9f53dd424ad5d

Download Submit
C:\Program Files (x86)\EssNetTools\LANG.INI

Filesize
23B

MD5
1ffa7c3866e90bd9bdae07241ac73afd

SHA1
8a5219053a0fec8ed1cc625b51c5367671720d6f

SHA256
945cb27070511c81b25394ba66b336ed01ff6f7545bd41d6bffbfb761c33bbd5

SHA512
91e4dd9039b9de7ec9d69dcb6d510e1239b27cba14c07fa2c6abc3f5a0ed48993a35421f61aca8f336a8d68a23becb3f2bd9a8155df4f3f4a9c8a743efa04b24

Download Submit
C:\Program Files (x86)\EssNetTools\license.txt

Filesize
2KB

MD5
e497a7368b157f0a67979be2b2a4237d

SHA1
574e3e9b26a1c3f7b995ab7b5adfd9d1e0277573

SHA256
ad57c29b63626dcdedf9f26735f402cb0e310013684910ce1d5bc11cf89dc89f

SHA512
d5de4033c6ed4aa27a2689e69347ba0fb603761ce3a785af13ab8053a3d1037be034d55aacd86f797e9bc54347876fb9425910088773e0f00cf19cf690504a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE60D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE62F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\ESSNET~1\entutil.dll

Filesize
26KB

MD5
99c62c1b2288747369121598667698ca

SHA1
b79c6f40c4994c0f0417f66282d9c1777785228c

SHA256
31728d3bb4cb38d91815bed65bc20f7362e28a1cb5f6667af20777bd69f8ca4b

SHA512
5968c1e2dcd05079c3d3c6e54ae0af05368ec8c7974752b99aa546519fda253ec761ee6a040cc7a297f408a6981eb557756a4820602c163f5890c041960e91a7

Download Submit
\PROGRA~2\ESSNET~1\srv64.exe

Filesize
83KB

MD5
e029d26a0cc2ca3a527742cccdd1aa79

SHA1
2809c750725bc254750af847cf91e7eae7157f9b

SHA256
dadf2b2d00e26635ae9b58235fd4ce9849d543a9e1bfd57a2b156241d8290625

SHA512
0aafc95cfe3a1e1ecafb43a380efcccc13eee0d5c2200254708b5d2fceb0144e0a8ed1cf4dfb78ab78efba4c3480ce89732040e80ab9051119f1526b1d9473be

Download Submit
\PROGRA~2\ESSNET~1\swlaunch.dll

Filesize
16KB

MD5
eaceabaa685a464309359b26811bef05

SHA1
05545e6f8ceb0ecef4196d08e6b332cd739d1d2b

SHA256
bdbc4501bd1b0f0bdb0b8d01df11d3a9aa59a3d3f77ec269d6e909073c845459

SHA512
ed1a0868aa562c688eaa2bb071fd8997c47771c9006b9dae141c8a68244d49f1ecaae82e1db097fe46c271a158372c2d3250e3ee2ec962337711660f9578da1c

Download Submit
\Program Files (x86)\EssNetTools\Ent.exe

Filesize
1.2MB

MD5
ce259027520abb925afd1452f60e1a54

SHA1
13b3008bc72f4999353c2d46a5de9ae502ce2df6

SHA256
61128469387bee5b868c52e6227936aaf5917eb4182fabc48068d68fac0518ab

SHA512
bce48fc0784f12dc180a2b3fe2543a0a0644dbbb925166b5d4f7578a1e4947cc09cf6e007dbae7a3ccd9a5f4caaf5b96dbbe11b811a0f33c4b2365029429a1ef

Download Submit
\Program Files (x86)\EssNetTools\UNWISE.EXE

Filesize
162KB

MD5
ba76f31eda329484767df598a4d1129c

SHA1
65522c778544244db3170b1a28d00fb2399dc0f6

SHA256
df311b636812c919d6c842deba6bc9bac5f08afe0fc0de759e35ef9989cee000

SHA512
0c58ff1c57f5fe2a95fe1625a0948833dc5818a8c86da5a5a27c98002f8f4af38761fb66b94cc6213beea30ad1fd0545a3e21c49368feb1e1335caeabba1dd1e

Download Submit
\Users\Admin\AppData\Local\Temp\Audio.exe

Filesize
179KB

MD5
1da15a41d35b860551f79024d786f519

SHA1
860bc51df0029cff0532659943d696009b894771

SHA256
30812fdfa5b8becc827a632c55f61876ab6b8cd86b9046631a4083bb7290e399

SHA512
1d292f1d6566afde75a367e63f64ee7e9fc6a7bf7137e6c7c2dfa3cd11e7271455926bcd8d98653454e9af0695ac4afa765b70e2f6e6b7d8c12b420a8606cb32

Download Submit
\Users\Admin\AppData\Local\Temp\GLB6D53.tmp

Filesize
70KB

MD5
9c4e4277bf7f56318301bcf62452c8e6

SHA1
2092162aada654516ae70b1cf75d0b36964f8716

SHA256
2aba4c054e4145d684c4814b9311a1fdcf42485a268c945a589afddbec006246

SHA512
480576de39cd31529546e6f06eea6fea415d55ec54c1b835493ea23ed220ebf43cff2ab6301d39aed275a4664a7bb47bb9bce3bc37256d31dc1bb7e724e19b3d

Download Submit
\Users\Admin\AppData\Local\Temp\GLC6D92.tmp

Filesize
161KB

MD5
263e81631fb67194dc968dc3f4bdb4e7

SHA1
2998697c503a542d5cf1e25a0d0df18fcd38d66c

SHA256
9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766

SHA512
2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb

Download Submit
\Users\Admin\AppData\Local\Temp\GLF6FE6.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
45KB

MD5
76ba75a7ce68516f5e2a76031e5ec185

SHA1
399bed8aef82a85702c48ef3f15c46005fc15979

SHA256
8070c926913db533326ef061dffca76550bfe9139a60365be604ca2fcef766eb

SHA512
e7caf3284e2668cc52b976b063ac87ffb09b46ec7b2900dfee87a9d0ea95110b3cc11751de942f254f8962b320be49a5866a120dbc971600a60f3f55ecbc4f54

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
3.8MB

MD5
185c5f195d51214fdb80d1672e59d57a

SHA1
09a02913e68065a37e0f87148702f9a8cccb4088

SHA256
7b0123cf0b310370eaaea949a9d788ce9c624a10756376abef82ee897a66d7cc

SHA512
e9c8a68e038ee9a86d31562daf117adeb43b36d50f18c9dbcb17c0001774b0e54579c4557c09e1175d019b50d58d986376ffe116ee224c5099d8e912ae766eaa

Download Submit
memory/1164-61-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1164-58-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1608-233-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-274-0x0000000050FE0000-0x0000000051139000-memory.dmp

Filesize
1.3MB

Download
memory/1608-293-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-289-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-235-0x0000000042300000-0x0000000042310000-memory.dmp

Filesize
64KB

Download
memory/1608-288-0x0000000042300000-0x0000000042310000-memory.dmp

Filesize
64KB

Download
memory/1608-284-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-280-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-241-0x0000000000D90000-0x00000000010E6000-memory.dmp

Filesize
3.3MB

Download
memory/1608-243-0x0000000000D90000-0x00000000010E6000-memory.dmp

Filesize
3.3MB

Download
memory/1608-242-0x0000000000D90000-0x00000000010E6000-memory.dmp

Filesize
3.3MB

Download
memory/1608-276-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-272-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-273-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1608-268-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-264-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-256-0x0000000003FE0000-0x0000000003FEA000-memory.dmp

Filesize
40KB

Download
memory/1608-260-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-258-0x0000000005240000-0x0000000005596000-memory.dmp

Filesize
3.3MB

Download
memory/1608-259-0x0000000000400000-0x0000000000756000-memory.dmp

Filesize
3.3MB

Download
memory/1608-262-0x0000000050FE0000-0x0000000051139000-memory.dmp

Filesize
1.3MB

Download
memory/1608-261-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2176-50-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2176-48-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2716-59-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2832-212-0x00000000039B0000-0x0000000003D06000-memory.dmp

Filesize
3.3MB

Download
memory/2832-224-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2832-179-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2832-234-0x0000000003860000-0x0000000003870000-memory.dmp

Filesize
64KB

Download
memory/2832-202-0x00000000039A0000-0x0000000003CF6000-memory.dmp

Filesize
3.3MB

Download
memory/2832-210-0x00000000039A0000-0x0000000003CF6000-memory.dmp

Filesize
3.3MB

Download
memory/2832-211-0x00000000039B0000-0x0000000003D06000-memory.dmp

Filesize
3.3MB

Download
memory/3024-13-0x0000000073A52000-0x0000000073A54000-memory.dmp

Filesize
8KB

Download
memory/3024-63-0x0000000073A52000-0x0000000073A54000-memory.dmp

Filesize
8KB

Download