djvu | 7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-09-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
Size

201KB
MD5

d60e9559ac90afab9072c4afc2fc2dce
SHA1

9ceae279c46bbc44a5484ed6f99b3a673b7a1e53
SHA256

7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2
SHA512

775068f63dd926aa2dbabce86e54dfba3c5d570d2ed076cb8428fd2dc9e1ebe517aa22e75825a2f9f845c88d97c3481504631b4937ed3bf6f24c9ef9d76b6369
SSDEEP

3072:l23VZLDWJ91rN5NwKoEGWC0Zs7JnqvqBcnSFZwN/PkIXx:sLD81xwTWC0ilnWzSF

Score

10^/10

djvu smokeloader tofsee backdoor collection discovery evasion persistence ransomware trojan

Malware Config

Extracted

Family

djvu

http://winnlinne.com/lancer/get.php

Attributes

extension
.ofww
offline_id
xkNzhkB1wvgoDI7Uo0HPNLY3qCuwoFpP7nlhlut1
payload_url
http://rgyui.top/dl/build2.exe
http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-EWKSsSJiVn Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0569Jhyjd

rsa_pubkey.plain

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2836-241-0x0000000002310000-0x000000000242B000-memory.dmp	family_djvu
behavioral1/memory/4400-270-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/4992-346-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/4400-460-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-488-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4400-544-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-545-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3400-361-0x0000000000670000-0x0000000000679000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

FDBE.exe561.exeF64.exeFDBE.exe561.exeDE10.exeE247.exeF3CC.exeFC0A.exeD80.exewvzxtzar.exe

pid process

2836 FDBE.exe
4844 561.exe
3400 F64.exe
4400 FDBE.exe
4992 561.exe
3028 DE10.exe
4196 E247.exe
4940 F3CC.exe
5200 FC0A.exe
5712 D80.exe
5740 wvzxtzar.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

5636 netsh.exe
5384 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3012
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3432 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2380 icacls.exe

pid	process
2836	FDBE.exe
4844	561.exe
3400	F64.exe
4400	FDBE.exe
4992	561.exe
3028	DE10.exe
4196	E247.exe
4940	F3CC.exe
5200	FC0A.exe
5712	D80.exe
5740	wvzxtzar.exe

pid	process
5636	netsh.exe
5384	netsh.exe

pid	process
3012

pid	process
3432	regsvr32.exe

pid	process
2380	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FDBE.exeE247.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e94969c3-9e0f-4a8e-afad-e1a132726869\\FDBE.exe\" --AutoStart"	FDBE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxxbienc = "\"C:\\Users\\Admin\\wvzxtzar.exe\""	E247.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.2ip.ua
6 api.2ip.ua
7 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

FDBE.exe561.exe

description pid process target process

PID 2836 set thread context of 4400 2836 FDBE.exe FDBE.exe
PID 4844 set thread context of 4992 4844 561.exe 561.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

5612 sc.exe
5252 sc.exe
5384 sc.exe
5504 sc.exe
6044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
5	api.2ip.ua
6	api.2ip.ua
7	api.2ip.ua

description	pid	process	target process
PID 2836 set thread context of 4400	2836	FDBE.exe	FDBE.exe
PID 4844 set thread context of 4992	4844	561.exe	561.exe

pid	process
5612	sc.exe
5252	sc.exe
5384	sc.exe
5504	sc.exe
6044	sc.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exeF64.exeF3CC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F3CC.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F3CC.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F3CC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe

pid	process
1828	7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
1828	7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3012

pid	process
3012

Suspicious behavior: MapViewOfSection 25 IoCs

Processes:

7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exeF64.exeF3CC.exe

pid	process
1828	7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
3012
3012
3012
3012
3400	F64.exe
3012
3012
4940	F3CC.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pid process

3012
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

pid process

3012
3012
3012
3012
3012

pid	process
3012

pid	process
3012
3012
3012
3012
3012

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeFDBE.exe561.exeFDBE.exeE247.exe

description	pid	process	target process
PID 3012 wrote to memory of 2836	3012		FDBE.exe
PID 3012 wrote to memory of 2836	3012		FDBE.exe
PID 3012 wrote to memory of 2836	3012		FDBE.exe
PID 3012 wrote to memory of 4816	3012		regsvr32.exe
PID 3012 wrote to memory of 4816	3012		regsvr32.exe
PID 3012 wrote to memory of 4844	3012		561.exe
PID 3012 wrote to memory of 4844	3012		561.exe
PID 3012 wrote to memory of 4844	3012		561.exe
PID 4816 wrote to memory of 3432	4816	regsvr32.exe	regsvr32.exe
PID 4816 wrote to memory of 3432	4816	regsvr32.exe	regsvr32.exe
PID 4816 wrote to memory of 3432	4816	regsvr32.exe	regsvr32.exe
PID 3012 wrote to memory of 3400	3012		F64.exe
PID 3012 wrote to memory of 3400	3012		F64.exe
PID 3012 wrote to memory of 3400	3012		F64.exe
PID 3012 wrote to memory of 2332	3012		explorer.exe
PID 3012 wrote to memory of 2332	3012		explorer.exe
PID 3012 wrote to memory of 2332	3012		explorer.exe
PID 3012 wrote to memory of 2332	3012		explorer.exe
PID 3012 wrote to memory of 1096	3012		explorer.exe
PID 3012 wrote to memory of 1096	3012		explorer.exe
PID 3012 wrote to memory of 1096	3012		explorer.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 2836 wrote to memory of 4400	2836	FDBE.exe	FDBE.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4844 wrote to memory of 4992	4844	561.exe	561.exe
PID 4400 wrote to memory of 2380	4400	FDBE.exe	icacls.exe
PID 4400 wrote to memory of 2380	4400	FDBE.exe	icacls.exe
PID 4400 wrote to memory of 2380	4400	FDBE.exe	icacls.exe
PID 3012 wrote to memory of 3028	3012		DE10.exe
PID 3012 wrote to memory of 3028	3012		DE10.exe
PID 3012 wrote to memory of 3028	3012		DE10.exe
PID 3012 wrote to memory of 4196	3012		E247.exe
PID 3012 wrote to memory of 4196	3012		E247.exe
PID 3012 wrote to memory of 4196	3012		E247.exe
PID 3012 wrote to memory of 4940	3012		F3CC.exe
PID 3012 wrote to memory of 4940	3012		F3CC.exe
PID 3012 wrote to memory of 4940	3012		F3CC.exe
PID 4196 wrote to memory of 4080	4196	E247.exe	cmd.exe
PID 4196 wrote to memory of 4080	4196	E247.exe	cmd.exe
PID 4196 wrote to memory of 4080	4196	E247.exe	cmd.exe
PID 4196 wrote to memory of 5152	4196	E247.exe	cmd.exe
PID 4196 wrote to memory of 5152	4196	E247.exe	cmd.exe
PID 4196 wrote to memory of 5152	4196	E247.exe	cmd.exe
PID 3012 wrote to memory of 5200	3012		FC0A.exe
PID 3012 wrote to memory of 5200	3012		FC0A.exe
PID 3012 wrote to memory of 5200	3012		FC0A.exe
PID 4196 wrote to memory of 5252	4196	E247.exe	sc.exe
PID 4196 wrote to memory of 5252	4196	E247.exe	sc.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe
"C:\Users\Admin\AppData\Local\Temp\7173b4968de2b52c40d49fd0e752baa7460c8bf3470f69bc3d16db69843d29d2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1828

C:\Users\Admin\AppData\Local\Temp\FDBE.exe
C:\Users\Admin\AppData\Local\Temp\FDBE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\FDBE.exe
C:\Users\Admin\AppData\Local\Temp\FDBE.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e94969c3-9e0f-4a8e-afad-e1a132726869" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2380

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\224.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\224.dll
2⤵
- Loads dropped DLL
PID:3432

C:\Users\Admin\AppData\Local\Temp\561.exe
C:\Users\Admin\AppData\Local\Temp\561.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Local\Temp\561.exe
C:\Users\Admin\AppData\Local\Temp\561.exe
2⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Local\Temp\F64.exe
C:\Users\Admin\AppData\Local\Temp\F64.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3400

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2332

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\DE10.exe
C:\Users\Admin\AppData\Local\Temp\DE10.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\AppData\Local\Temp\E247.exe
C:\Users\Admin\AppData\Local\Temp\E247.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jzzdkgpe\
2⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hteqbqyf.exe" C:\Windows\SysWOW64\jzzdkgpe\
2⤵
PID:5152

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jzzdkgpe binPath= "C:\Windows\SysWOW64\jzzdkgpe\hteqbqyf.exe /d\"C:\Users\Admin\AppData\Local\Temp\E247.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:5252

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jzzdkgpe "wifi internet conection"
2⤵
- Launches sc.exe
PID:5384

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jzzdkgpe
2⤵
- Launches sc.exe
PID:5504

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:5636

C:\Users\Admin\wvzxtzar.exe
"C:\Users\Admin\wvzxtzar.exe" /d"C:\Users\Admin\AppData\Local\Temp\E247.exe"
2⤵
- Executes dropped EXE
PID:5740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pgwbfped.exe" C:\Windows\SysWOW64\jzzdkgpe\
3⤵
PID:5880

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config jzzdkgpe binPath= "C:\Windows\SysWOW64\jzzdkgpe\pgwbfped.exe /d\"C:\Users\Admin\wvzxtzar.exe\""
3⤵
- Launches sc.exe
PID:6044

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jzzdkgpe
3⤵
- Launches sc.exe
PID:5612

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:5384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0153.bat" "
3⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\F3CC.exe
C:\Users\Admin\AppData\Local\Temp\F3CC.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4940

C:\Users\Admin\AppData\Local\Temp\FC0A.exe
C:\Users\Admin\AppData\Local\Temp\FC0A.exe
1⤵
- Executes dropped EXE
PID:5200

C:\Users\Admin\AppData\Local\Temp\D80.exe
C:\Users\Admin\AppData\Local\Temp\D80.exe
1⤵
- Executes dropped EXE
PID:5712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5452

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5768

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
32958182234a80a5b2589418864f6117

SHA1
598276140fd27d8931dbe02625e3378ad9085b8d

SHA256
a6f4c0928ecef1052acb557bf148d4d06206afaa0d334d30ef676d8b4b89fdb2

SHA512
04157e1f291fb8e11e8134fa321d6473ff7ed55c7848170ac9c6db4dd9e42d8303c40746ce56f4112f26c5ea730703ad00fa52fdf57377c81221473210e49dfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
0d870ca424457579d4bd345ac1ec6c3c

SHA1
fc3d8924e13b4fc5eca7cabd4967eea3d4db1690

SHA256
cf9df8d62ec78ca20a50633047af6c913dc2d10f15823795e8d86042c7b05ed0

SHA512
a1e731ae03b1a2259f8e1afc86058aabb3b8ce3b0141f08ea18b6c7003c55aeb135d40bba38ebf1f76174eb1ad758fbec10841dee1ed704fb0285e36b2f7d66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
12dad3c6b5dec2004970b2a73c674639

SHA1
f104d8fa0e09b36fff331742a11eac29ec66d72c

SHA256
9d90af1a5534345d063eccf4f64cdd85f4f1f783b2755ef131d1a810236ffc7c

SHA512
42c9d5cc9349e235bb4a0850ddc43a9230c62fcd768ac2fa3f3ba3fcd66ed7caceb406e4309ba41ad6bd679aaeb8c5b351a38ff940b210a7d2e0a27ec8fa3296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
d79f6e1a71aad8830e91a03dd34c40d7

SHA1
72f6defd4b744fd528a83018d316bc6a6cef23f9

SHA256
073f470ede039d479ca2803a2c5b6b3ba2e0f179b441d9c8a6a7923e55ed7d4b

SHA512
8cad4616d388444856323336a6865f7869f92e904cc5b36d5278e64fd05149d030bf59324e79dfcef73ad9815395d11f1f600cc102319ec81c9d0ededf5aac72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
81aa32c209a9a65e953b3414610a674a

SHA1
97ef2bdcb128c262b86a2fafd7612b96b25a6cbe

SHA256
bd8da03b70d9ee1824705474fba17c8da14316d2d9c3b1478e72429bad46c3ed

SHA512
e5d31c7004df37f76851a4a9fdf095400ab749cad37e95a49c9a08369a3eae98c8c13baf412f3279d8fa383bee7e3f7848c6e91b22573fdecd76ce45f6c39059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
1220da21933f372ab4e94d468c3b636f

SHA1
60dc4ebcd35be123022db7f770f9449562004bae

SHA256
2441afd0f0623e797af398ac242cbf48a4b772f0e01b5990cfc9f84e36d0caf1

SHA512
4a176d57342094e0df7e7f2e250fcc6052d6fc50cb018b4c0ed83589e7e6b822a5cf8f8bdaa75c10dd680414090b6f4d11bf826845356d85f060cebcd6ea0be4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
8f1b388b7fcbf7210a37a9630a639f8d

SHA1
9dff543905b2ea241c1a75e616b4a3669f2d5f86

SHA256
2a33d69f5119db04ed789b8eca486b0a55c41960893d82e7374508424112cb50

SHA512
65c645c4c9b60ea9b8845e0212adb48d59121de7432c2e07dca160f1b8214aed3096f9658d98cce2c9c4c32bf802cb59dfb3c8e3a018cd7595d2d642e58afa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\0153.bat
Filesize
150B

MD5
e3b3d18ca95ef8576cde07584dd920d3

SHA1
683fea76ff06401eff425b793758f73005cd871f

SHA256
96f4f269ee21e04f36fe860dbce17739d355c3bb6a0e91abd01e7f6458fb145f

SHA512
eae8909e157a116a94c829fe21ca091262c8260fcb52d3372815a4b5700a547da48856f8abcdc2738b505a272b25bf6fe38dbcb930aaedd13899f3d61c7c4d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\224.dll
Filesize
1.8MB

MD5
8ab585be25263cf35aa25949122a799a

SHA1
0f2d595650a69aa105587200699cf2a683f3fd31

SHA256
7fb97a500122df88d2e9ee2241e9fa1d2ab9b14ac8fdeb7354885e5803d0a56e

SHA512
22c47912dad253f83bdcc79b5f7ee6825410e1b9b53aa96e3dfa6189c44ab65be0c9c753a5af10a553674fe6950586d0f9df56749597f2cd9bb79ee23ad1d5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\561.exe
Filesize
714KB

MD5
447de8d85d9c621acf1478bd50cc9b33

SHA1
2c5b58a4234ccc3e0c936645ae13c01c71b7d412

SHA256
e881205eae8deac9e912716d525777eba690c176a978a0422add6508d95d63c1

SHA512
7d44584fb7ed94078d1db8bebcfe2810a765cf2842fdd7b1a059dc6eab0091362779dda76828f7725c31b19f3e33b9d3bfcc2e376e320c4002d6d5a0f91fd89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\561.exe
Filesize
714KB

MD5
447de8d85d9c621acf1478bd50cc9b33

SHA1
2c5b58a4234ccc3e0c936645ae13c01c71b7d412

SHA256
e881205eae8deac9e912716d525777eba690c176a978a0422add6508d95d63c1

SHA512
7d44584fb7ed94078d1db8bebcfe2810a765cf2842fdd7b1a059dc6eab0091362779dda76828f7725c31b19f3e33b9d3bfcc2e376e320c4002d6d5a0f91fd89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\561.exe
Filesize
714KB

MD5
447de8d85d9c621acf1478bd50cc9b33

SHA1
2c5b58a4234ccc3e0c936645ae13c01c71b7d412

SHA256
e881205eae8deac9e912716d525777eba690c176a978a0422add6508d95d63c1

SHA512
7d44584fb7ed94078d1db8bebcfe2810a765cf2842fdd7b1a059dc6eab0091362779dda76828f7725c31b19f3e33b9d3bfcc2e376e320c4002d6d5a0f91fd89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D80.exe
Filesize
365KB

MD5
1c92b308eeb3ee01d7622de9f8fea0b5

SHA1
5e5c89f5c6f15bad6b62ca0ea22f6dcfac1a6dda

SHA256
775f7f9041236757b05676318037000e221a582bdfd161b89a11a19fc4fde73c

SHA512
5a9836b2af8b7088bfca79e84b3d5ef51a620fe1d59f2a0f1f02605907bcedcbb3f95fd16f9812d405045056d688061cb4c5ef47f09ba0e7779de77b45f013eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D80.exe
Filesize
365KB

MD5
1c92b308eeb3ee01d7622de9f8fea0b5

SHA1
5e5c89f5c6f15bad6b62ca0ea22f6dcfac1a6dda

SHA256
775f7f9041236757b05676318037000e221a582bdfd161b89a11a19fc4fde73c

SHA512
5a9836b2af8b7088bfca79e84b3d5ef51a620fe1d59f2a0f1f02605907bcedcbb3f95fd16f9812d405045056d688061cb4c5ef47f09ba0e7779de77b45f013eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE10.exe
Filesize
2.6MB

MD5
ea6fee4ce432602e3dd2b849f8396027

SHA1
5151b46012f637fe7fdbda551be1651009eb453a

SHA256
b44181d7365ab6868e1cf0d7127a56862075944099f6f1f965b11f41c78fd75d

SHA512
b567449c006248a4311a1a3325279e2d4edfacacb272ae3152b085d3164e722370aa748cbaa3299425ede1e4910218988e88f24de744944903b2001b70e263be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE10.exe
Filesize
2.6MB

MD5
ea6fee4ce432602e3dd2b849f8396027

SHA1
5151b46012f637fe7fdbda551be1651009eb453a

SHA256
b44181d7365ab6868e1cf0d7127a56862075944099f6f1f965b11f41c78fd75d

SHA512
b567449c006248a4311a1a3325279e2d4edfacacb272ae3152b085d3164e722370aa748cbaa3299425ede1e4910218988e88f24de744944903b2001b70e263be

Download Submit
C:\Users\Admin\AppData\Local\Temp\E247.exe
Filesize
201KB

MD5
f5a2b47d112ad48b217f27a0ffc4014e

SHA1
be36dbcfced8ae41257aa9f01598ddf232ece6fe

SHA256
0ef96177554f1cd2eea823b6dc0c3dc54aec830827a2e82f59aed9fe7b896ba5

SHA512
ba59b8939e00fad5ff72780952571d86820c18fc2b891e4d8367dfc2d61b24c57eaec46a8eb236c79a3728d6fad902c6a13497015407977f33f8a3e07aa75458

Download Submit
C:\Users\Admin\AppData\Local\Temp\E247.exe
Filesize
201KB

MD5
f5a2b47d112ad48b217f27a0ffc4014e

SHA1
be36dbcfced8ae41257aa9f01598ddf232ece6fe

SHA256
0ef96177554f1cd2eea823b6dc0c3dc54aec830827a2e82f59aed9fe7b896ba5

SHA512
ba59b8939e00fad5ff72780952571d86820c18fc2b891e4d8367dfc2d61b24c57eaec46a8eb236c79a3728d6fad902c6a13497015407977f33f8a3e07aa75458

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3CC.exe
Filesize
187KB

MD5
ed89332cb4fb426b7e9ad5d8853be58f

SHA1
4c6dbd10b19dd0a53d76bc8ca8c5df055a5f0ccc

SHA256
56c77e5efa069fdbea2beaf1cbb234735d6aa70eba0fe50b736ab5f9bbe6e69a

SHA512
9f23967e804be45bf892f7c1c1590efe633ae34ddb4d953f8a29ea14febdda51ae217e9c38e59acbbf9e578d5564fd50d6239d15b57495884adfd07ece988862

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3CC.exe
Filesize
187KB

MD5
ed89332cb4fb426b7e9ad5d8853be58f

SHA1
4c6dbd10b19dd0a53d76bc8ca8c5df055a5f0ccc

SHA256
56c77e5efa069fdbea2beaf1cbb234735d6aa70eba0fe50b736ab5f9bbe6e69a

SHA512
9f23967e804be45bf892f7c1c1590efe633ae34ddb4d953f8a29ea14febdda51ae217e9c38e59acbbf9e578d5564fd50d6239d15b57495884adfd07ece988862

Download Submit
C:\Users\Admin\AppData\Local\Temp\F64.exe
Filesize
200KB

MD5
42bc7169cb277afe6629e5802a97d285

SHA1
85b6d767deeb0b6426381b740ca739d85d1bad77

SHA256
0413cd47fc3feec56b1de4491071ad14f2025487143821a34694867e31520494

SHA512
9dd773823b2ca2a791095366f6e7c433bd3433cfd18b27d2544a85366d25ea964e636b89e86f844fb9585edb9509af980124ab71d6fc9ba1cf023344431ade56

Download Submit
C:\Users\Admin\AppData\Local\Temp\F64.exe
Filesize
200KB

MD5
42bc7169cb277afe6629e5802a97d285

SHA1
85b6d767deeb0b6426381b740ca739d85d1bad77

SHA256
0413cd47fc3feec56b1de4491071ad14f2025487143821a34694867e31520494

SHA512
9dd773823b2ca2a791095366f6e7c433bd3433cfd18b27d2544a85366d25ea964e636b89e86f844fb9585edb9509af980124ab71d6fc9ba1cf023344431ade56

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC0A.exe
Filesize
318KB

MD5
6917d28aae7b190af4cc9e8c82597b99

SHA1
00ac38f05b4d99691ef09883f7f141a6cd3d4d3a

SHA256
5d72a91ee3aeab2a634e8023b2c0530c8429f1151f1e29421ff7a16cec75617d

SHA512
e5a2d6d37555a7f06bfd27aa52eb2075b142ffadd155c4e27e76c371ebd01710b4072576d4ae0fabd221a47f6386a44e37bb2097d9db5e88889ea76ed8170fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC0A.exe
Filesize
318KB

MD5
6917d28aae7b190af4cc9e8c82597b99

SHA1
00ac38f05b4d99691ef09883f7f141a6cd3d4d3a

SHA256
5d72a91ee3aeab2a634e8023b2c0530c8429f1151f1e29421ff7a16cec75617d

SHA512
e5a2d6d37555a7f06bfd27aa52eb2075b142ffadd155c4e27e76c371ebd01710b4072576d4ae0fabd221a47f6386a44e37bb2097d9db5e88889ea76ed8170fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDBE.exe
Filesize
687KB

MD5
7e28871412c8e200ba9fb55a9e07afa1

SHA1
2cb322f4da363d642047161980bcd790d5cf5eab

SHA256
4c1b735b7da4b82d92134e0cc557d6ea8d3e2019c1510b189e98f5577b4079f3

SHA512
a93c2eae83cdd1b657d8589fab1a69727af59d0105d536d5ee7b343570d4df3044b5cafc6e9bb01516341777362b9e7d57afbe8b7d1fa2a87e93382c609079d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDBE.exe
Filesize
687KB

MD5
7e28871412c8e200ba9fb55a9e07afa1

SHA1
2cb322f4da363d642047161980bcd790d5cf5eab

SHA256
4c1b735b7da4b82d92134e0cc557d6ea8d3e2019c1510b189e98f5577b4079f3

SHA512
a93c2eae83cdd1b657d8589fab1a69727af59d0105d536d5ee7b343570d4df3044b5cafc6e9bb01516341777362b9e7d57afbe8b7d1fa2a87e93382c609079d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDBE.exe
Filesize
687KB

MD5
7e28871412c8e200ba9fb55a9e07afa1

SHA1
2cb322f4da363d642047161980bcd790d5cf5eab

SHA256
4c1b735b7da4b82d92134e0cc557d6ea8d3e2019c1510b189e98f5577b4079f3

SHA512
a93c2eae83cdd1b657d8589fab1a69727af59d0105d536d5ee7b343570d4df3044b5cafc6e9bb01516341777362b9e7d57afbe8b7d1fa2a87e93382c609079d3

Download Submit
C:\Users\Admin\wvzxtzar.exe
Filesize
10.1MB

MD5
3508ec207d9eaefbd7d5dcf170aa842a

SHA1
f6572e8d899246be2f3babf01b3c003abd732210

SHA256
c5d41765e7e8918eff6537d3ceeccc57782a73edc22ae155817830b46a87f6c8

SHA512
785de1e85eb0d3bd3fbd631709b08b24b56bc8b354b4d9f0725d03164199cafe74fda3ad459a1a7908499143afa02d1917259b18952dbc513e4956d9344b25e9

Download Submit
C:\Users\Admin\wvzxtzar.exe
Filesize
10.1MB

MD5
3508ec207d9eaefbd7d5dcf170aa842a

SHA1
f6572e8d899246be2f3babf01b3c003abd732210

SHA256
c5d41765e7e8918eff6537d3ceeccc57782a73edc22ae155817830b46a87f6c8

SHA512
785de1e85eb0d3bd3fbd631709b08b24b56bc8b354b4d9f0725d03164199cafe74fda3ad459a1a7908499143afa02d1917259b18952dbc513e4956d9344b25e9

Download Submit
\Users\Admin\AppData\Local\Temp\224.dll
Filesize
1.8MB

MD5
8ab585be25263cf35aa25949122a799a

SHA1
0f2d595650a69aa105587200699cf2a683f3fd31

SHA256
7fb97a500122df88d2e9ee2241e9fa1d2ab9b14ac8fdeb7354885e5803d0a56e

SHA512
22c47912dad253f83bdcc79b5f7ee6825410e1b9b53aa96e3dfa6189c44ab65be0c9c753a5af10a553674fe6950586d0f9df56749597f2cd9bb79ee23ad1d5f3

Download Submit
memory/1096-253-0x0000000000000000-mapping.dmp

Download
memory/1096-272-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/1188-1051-0x0000000000000000-mapping.dmp

Download
memory/1828-138-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-125-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-156-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-157-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1828-147-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1828-146-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-154-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-144-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-143-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-153-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-141-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-152-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-140-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-120-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-151-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-139-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-145-0x00000000006D0000-0x000000000081A000-memory.dmp

Filesize
1.3MB

Download
memory/1828-137-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-136-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-135-0x0000000000816000-0x0000000000826000-memory.dmp

Filesize
64KB

Download
memory/1828-134-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-122-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-133-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-132-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-131-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-129-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-130-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-128-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-127-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-121-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-126-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-155-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-142-0x00000000006D0000-0x000000000081A000-memory.dmp

Filesize
1.3MB

Download
memory/1828-123-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-124-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-150-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-149-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-148-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2332-458-0x0000000000A70000-0x0000000000AE5000-memory.dmp

Filesize
468KB

Download
memory/2332-463-0x0000000000A00000-0x0000000000A6B000-memory.dmp

Filesize
428KB

Download
memory/2332-525-0x0000000000A00000-0x0000000000A6B000-memory.dmp

Filesize
428KB

Download
memory/2332-222-0x0000000000000000-mapping.dmp

Download
memory/2380-539-0x0000000000000000-mapping.dmp

Download
memory/2836-168-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-169-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-164-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-236-0x0000000002200000-0x0000000002296000-memory.dmp

Filesize
600KB

Download
memory/2836-163-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-241-0x0000000002310000-0x000000000242B000-memory.dmp

Filesize
1.1MB

Download
memory/2836-162-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-165-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-161-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-176-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-170-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-160-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-158-0x0000000000000000-mapping.dmp

Download
memory/2836-171-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-173-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-166-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-174-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-175-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3028-556-0x0000000000000000-mapping.dmp

Download
memory/3400-366-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3400-355-0x0000000000846000-0x0000000000856000-memory.dmp

Filesize
64KB

Download
memory/3400-200-0x0000000000000000-mapping.dmp

Download
memory/3400-361-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/3400-536-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3400-533-0x0000000000846000-0x0000000000856000-memory.dmp

Filesize
64KB

Download
memory/3432-542-0x0000000005080000-0x0000000005186000-memory.dmp

Filesize
1.0MB

Download
memory/3432-189-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3432-182-0x0000000000000000-mapping.dmp

Download
memory/3432-195-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3432-185-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3432-186-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3432-194-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3432-541-0x0000000004E30000-0x0000000004F6F000-memory.dmp

Filesize
1.2MB

Download
memory/3432-191-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3432-555-0x0000000005080000-0x0000000005186000-memory.dmp

Filesize
1.0MB

Download
memory/4036-903-0x0000000000000000-mapping.dmp

Download
memory/4036-1311-0x0000000000CA0000-0x0000000000CA9000-memory.dmp

Filesize
36KB

Download
memory/4036-1284-0x0000000000CB0000-0x0000000000CB5000-memory.dmp

Filesize
20KB

Download
memory/4080-640-0x0000000000000000-mapping.dmp

Download
memory/4196-569-0x0000000000000000-mapping.dmp

Download
memory/4196-725-0x0000000000886000-0x0000000000897000-memory.dmp

Filesize
68KB

Download
memory/4196-597-0x0000000000886000-0x0000000000897000-memory.dmp

Filesize
68KB

Download
memory/4196-599-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/4196-616-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4196-729-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4400-544-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4400-460-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4400-270-0x0000000000424141-mapping.dmp

Download
memory/4816-172-0x0000000000000000-mapping.dmp

Download
memory/4844-184-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-190-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-177-0x0000000000000000-mapping.dmp

Download
memory/4844-193-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-308-0x00000000007C0000-0x000000000085F000-memory.dmp

Filesize
636KB

Download
memory/4844-188-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-183-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-180-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-181-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-196-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-187-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-677-0x00000000006B0000-0x00000000007FA000-memory.dmp

Filesize
1.3MB

Download
memory/4940-680-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4940-624-0x0000000000000000-mapping.dmp

Download
memory/4940-795-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4940-674-0x00000000006B0000-0x00000000007FA000-memory.dmp

Filesize
1.3MB

Download
memory/4992-545-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-346-0x0000000000424141-mapping.dmp

Download
memory/4992-488-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5152-651-0x0000000000000000-mapping.dmp

Download
memory/5200-655-0x0000000000000000-mapping.dmp

Download
memory/5252-660-0x0000000000000000-mapping.dmp

Download
memory/5384-671-0x0000000000000000-mapping.dmp

Download
memory/5384-1025-0x0000000000000000-mapping.dmp

Download
memory/5452-1105-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/5452-1070-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/5452-787-0x0000000000000000-mapping.dmp

Download
memory/5504-685-0x0000000000000000-mapping.dmp

Download
memory/5612-990-0x0000000000000000-mapping.dmp

Download
memory/5624-807-0x0000000000000000-mapping.dmp

Download
memory/5624-822-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/5624-826-0x0000000000540000-0x000000000054F000-memory.dmp

Filesize
60KB

Download
memory/5624-1141-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/5636-703-0x0000000000000000-mapping.dmp

Download
memory/5712-710-0x0000000000000000-mapping.dmp

Download
memory/5720-1001-0x0000000000000000-mapping.dmp

Download
memory/5720-1349-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/5720-1549-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/5720-1347-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/5740-1068-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/5740-849-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/5740-714-0x0000000000000000-mapping.dmp

Download
memory/5740-1079-0x00000000008D6000-0x00000000008E7000-memory.dmp

Filesize
68KB

Download
memory/5740-784-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/5740-1060-0x00000000008D6000-0x00000000008E7000-memory.dmp

Filesize
68KB

Download
memory/5740-781-0x00000000008D6000-0x00000000008E7000-memory.dmp

Filesize
68KB

Download
memory/5768-1279-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/5768-874-0x0000000000000000-mapping.dmp

Download
memory/5768-1250-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/5840-1319-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/5840-934-0x0000000000000000-mapping.dmp

Download
memory/5840-1315-0x0000000000E70000-0x0000000000E76000-memory.dmp

Filesize
24KB

Download
memory/5840-1530-0x0000000000E70000-0x0000000000E76000-memory.dmp

Filesize
24KB

Download
memory/5844-828-0x0000000000000000-mapping.dmp

Download
memory/5844-1217-0x0000000000A30000-0x0000000000A39000-memory.dmp

Filesize
36KB

Download
memory/5844-1176-0x0000000000A40000-0x0000000000A45000-memory.dmp

Filesize
20KB

Download
memory/5880-929-0x0000000000000000-mapping.dmp

Download
memory/6020-1210-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/6020-851-0x0000000000000000-mapping.dmp

Download
memory/6020-880-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/6020-875-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/6044-958-0x0000000000000000-mapping.dmp

Download
memory/6116-1345-0x0000000001210000-0x0000000001217000-memory.dmp

Filesize
28KB

Download
memory/6116-997-0x0000000001200000-0x000000000120D000-memory.dmp

Filesize
52KB

Download
memory/6116-988-0x0000000001210000-0x0000000001217000-memory.dmp

Filesize
28KB

Download
memory/6116-966-0x0000000000000000-mapping.dmp

Download