bazarloader | 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9

Analysis

max time kernel
192s
max time network
160s
platform
windows7_x64
resource
win7-en-20211014
submitted
12/11/2021, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
Size

58KB
MD5

1cc5b508da9567f032ed78375bb45959
SHA1

c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
SHA256

315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
SHA512

cef3bdf76e94904e0d170d3d208accef9ff8e50b85403130b12914ee6b20f0e49f58aa840757c7855b656cffa4400b83cd81fc5196fea66045a5724886970d61

Score

10^/10

bazarloader dropper loader ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2955169046-2371869340-1800780948-1000\BackFiles_encoded01.txt

Ransom Note

[+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website. Full link will be provided below. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- Your ID: rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D Your support onion(TOR) url: http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D

URLs

http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0003000000019e04-76.dat	BazarLoaderVar5
behavioral1/files/0x0003000000019e04-77.dat	BazarLoaderVar5
behavioral1/files/0x0003000000019e04-142.dat	BazarLoaderVar5

Executes dropped EXE 2 IoCs

pid	Process
2000	firefox.exe
1832	firefox.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	\??\c:\users\admin\pictures\mountdeny.raw.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\users\admin\pictures\syncrestore.crw.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\users\admin\pictures\userevoke.crw.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Loads dropped DLL 12 IoCs

pid	Process
1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
2000	firefox.exe
2000	firefox.exe
2000	firefox.exe
2000	firefox.exe
1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
2000	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 47 IoCs

description	ioc	Process
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\freecell\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\spidersolitaire\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\cc9lyj78\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\recorded tv\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\dataservices\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\videos\sample videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\mahjong\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\links for united states\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\solitaire\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\b30t6pba\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\pictures\sample pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\recorded tv\sample media\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\chess\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\purble place\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\music\sample music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\76wfqhvb\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\ejujzxd4\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\hearts\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows mail\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\bin\server\classes.jsa	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\africa\tripoli.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099153.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\forms\1033\scdrests.ico.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0150150.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\outlookautodiscover\yahoo.com.mx.xml.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\meta-inf\eclipse_.rsa	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\sports\previousmenubuttonicon.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\europe\brussels.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\media\cagcat10\j0196374.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\themes14\network\network.elm	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099204.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\bullets\bd21434_.gif	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\windows sidebar\gadgets\calendar.gadget\images\calendar_single_bkg.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\resizingpanels\panel_mask.wmv	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\america\managua.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0239943.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0241077.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\templates\1033\salesreport.xltx.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\desert\header.gif	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Uninstall Information\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\america\argentina\mendoza.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\america\noronha.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\7-zip\lang\en.ttt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\dd01628_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\1033\quickstyles\thatch.dotx.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\templates\1033\equityletter.dotx	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0216570.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\bullets\j0115864.gif	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bdcmetadata.xsd.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\calendar\calendartooliconimagesmask.bmp.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\mset7db.kic	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\videolan\vlc\locale\tl\lc_messages\vlc.mo.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\media\cagcat10\j0183290.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\fd02161_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\na01069_.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\forms\1033\postit.cfg.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\pubwiz\dgcal.xml.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jre7\lib\zi\america\grand_turk	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\an00914_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\an00965_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\7-zip\lang\da.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\resizingpanels\bandwidth.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0318804.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\bg_country.gif.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\google\chrome\application\89.0.4389.114\default_apps\youtube.crx.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\security\trusted.libraries	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windows sidebar\gadgets\mediacenter.gadget\images\gadget_star_half.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\sl00256_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\whitebox.jpg.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\toolbmps\taskbariconimagesmask256colors.bmp.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\cet.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\reader 9.0\reader\plug_ins\annotations\stamps\words.pdf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0187835.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1236	notepad.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	32
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	32
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	32
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	32
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	34
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	34
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	34
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	34

C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
"C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\notepad.exe
  "notepad.exe" C:\Users\Admin\Desktop\BackFiles_encoded01.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1236
- C:\Users\Admin\Desktop\browser\firefox.exe
  "C:\Users\Admin\Desktop\browser\firefox.exe" --allow-remote http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2000

C:\Users\Admin\Desktop\browser\firefox.exe
"C:\Users\Admin\Desktop\browser\firefox.exe" --allow-remote http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1552-55-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/1552-56-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1832-139-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1832-138-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2000-99-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-115-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-93-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-94-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-95-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-90-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-96-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-98-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-97-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-91-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-100-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-101-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-102-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-103-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-104-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-105-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-106-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-107-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-108-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-109-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-110-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-111-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-112-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-113-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-114-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-92-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-116-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-117-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-118-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-119-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-120-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-121-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-122-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-123-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-124-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-126-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-125-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-127-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-128-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-129-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-130-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-131-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-132-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-133-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-89-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-88-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-87-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-86-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-85-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-69-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2000-68-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download