bazarloader | 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9

Analysis

max time kernel
188s
max time network
168s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
Size

58KB
MD5

1cc5b508da9567f032ed78375bb45959
SHA1

c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
SHA256

315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
SHA512

cef3bdf76e94904e0d170d3d208accef9ff8e50b85403130b12914ee6b20f0e49f58aa840757c7855b656cffa4400b83cd81fc5196fea66045a5724886970d61

Score

10^/10

bazarloader dropper loader ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1042495040-510797905-2613508344-1000\BackFiles_encoded01.txt

Ransom Note

[+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website. Full link will be provided below. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- Your ID: mMuO7yV2SabitZONNkW5UPOl5NlDMwuw%2BIWgw1YloCHRm7PeEEJnkNObpLwYcIh2%2FbO2mQobKcyKiLL2EnGIY6W%2F341WGA7V1vP%2B438O9GOs55a%2FExwrnobn%2FetHK8FO1PG9z11AfYbK9%2BbkWiGDaajx6cVcBCiDyNn761oizze2%2FaiJTBJ09dLF1%2BZGKfwbwLGc1TFXf7P6hfLpACGyRvOH%2F7sARA%2FntcDe1UUW2ir1loOJHDt5lMLR%2B%2Bs2IYZA4KfHpHURf%2B6J%2FMHJAzCBJ62ioI84Rie5%2FoHY91VFh2%2Frku%2B3RjwOkdTN6%2BZCDOoU9JXuhF9AD7b06P%2FgK12Fftf%2F%2FdhjIB7epNGg9XsLjSjN9YiZLSckmp6C0sA1fac0wZK7jUggLIPQ99vLZgfDH%2BO775kuOTuw7YTloFVRlGH8mMueHE5w0ImM9stsCtI63feOmBwXeZ7Y%2B%2B7xDGHSfvW6%2FblqLnDCieziz0Qf%2B2bb%2BK25GSgiw56C1v8ka9lf7oDCgHMmbJSghtnYbhT6Jsq5oJ4zCCCkzub3wBR0hm7AgceCV1N74IuB3N1uD4oB8YiA2k4EH7DM18PsDSWGQ%2Bu4uo59BHHSg9br%2FBN3%2Fxz5j%2BylOScUm%2FjK0LYpeJAiqo2r3Wc9AeuogcXhQ3yPCuCnrp0VOjuF7Pf9sxRJgnHNu6vdZxMm743lys4Od%2FEFqJTslRUILpeegtbWM0C0bamCyahjRznk1vnSyQ9yzWXYiJvYTwYZve7K0fQNNtNBqqb3tk0DcJ%2FV1%2BPCBnfrE%2FCkkN4iFQW%2BjJWmwz5bhmv9kbnYaz8GyqP62fpGEIl1qIOYmEM%2BA7XM2v7wDlC5UNSx94JLPSrxrdnlvwQx4BzVtYjJSDQVmNnypPwpNtNBq57ArQBED%2FOk1MnFBnzeHKukjN4jSxm17PzF4SJD0E%2Bt8tTWXyJ7xKjjx%2BoDL5xi2KTvyUg0Gr2DwObGKUGvTtnuvKl8MQvLjOXq63kxyjv3sI2JTRM8hN%2F2rNUrW6giqonYhlFGG5bQz6G8RA6NB%2F6Dv6k%2FPCeCweDG0ShFs06rh9uhdgZ59Kjz5OcEd%2F8R3qazqjEwBbrf%2BOPzNVu4NvSx6o5mIyXnuM2gvn83yxLrqvzePEd0tcHUxOwfNtNF3r63lnUyD5e0xsS8WT37PtDxipo4BSDB%2FpWmxx9QlEbWvPa9VwQC0ojh6cZFF8gqooiPjQkQfJ%2FX%2FuzwAFnZUr34yg%3D%3D Your support onion(TOR) url: http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=mMuO7yV2SabitZONNkW5UPOl5NlDMwuw%2BIWgw1YloCHRm7PeEEJnkNObpLwYcIh2%2FbO2mQobKcyKiLL2EnGIY6W%2F341WGA7V1vP%2B438O9GOs55a%2FExwrnobn%2FetHK8FO1PG9z11AfYbK9%2BbkWiGDaajx6cVcBCiDyNn761oizze2%2FaiJTBJ09dLF1%2BZGKfwbwLGc1TFXf7P6hfLpACGyRvOH%2F7sARA%2FntcDe1UUW2ir1loOJHDt5lMLR%2B%2Bs2IYZA4KfHpHURf%2B6J%2FMHJAzCBJ62ioI84Rie5%2FoHY91VFh2%2Frku%2B3RjwOkdTN6%2BZCDOoU9JXuhF9AD7b06P%2FgK12Fftf%2F%2FdhjIB7epNGg9XsLjSjN9YiZLSckmp6C0sA1fac0wZK7jUggLIPQ99vLZgfDH%2BO775kuOTuw7YTloFVRlGH8mMueHE5w0ImM9stsCtI63feOmBwXeZ7Y%2B%2B7xDGHSfvW6%2FblqLnDCieziz0Qf%2B2bb%2BK25GSgiw56C1v8ka9lf7oDCgHMmbJSghtnYbhT6Jsq5oJ4zCCCkzub3wBR0hm7AgceCV1N74IuB3N1uD4oB8YiA2k4EH7DM18PsDSWGQ%2Bu4uo59BHHSg9br%2FBN3%2Fxz5j%2BylOScUm%2FjK0LYpeJAiqo2r3Wc9AeuogcXhQ3yPCuCnrp0VOjuF7Pf9sxRJgnHNu6vdZxMm743lys4Od%2FEFqJTslRUILpeegtbWM0C0bamCyahjRznk1vnSyQ9yzWXYiJvYTwYZve7K0fQNNtNBqqb3tk0DcJ%2FV1%2BPCBnfrE%2FCkkN4iFQW%2BjJWmwz5bhmv9kbnYaz8GyqP62fpGEIl1qIOYmEM%2BA7XM2v7wDlC5UNSx94JLPSrxrdnlvwQx4BzVtYjJSDQVmNnypPwpNtNBq57ArQBED%2FOk1MnFBnzeHKukjN4jSxm17PzF4SJD0E%2Bt8tTWXyJ7xKjjx%2BoDL5xi2KTvyUg0Gr2DwObGKUGvTtnuvKl8MQvLjOXq63kxyjv3sI2JTRM8hN%2F2rNUrW6giqonYhlFGG5bQz6G8RA6NB%2F6Dv6k%2FPCeCweDG0ShFs06rh9uhdgZ59Kjz5OcEd%2F8R3qazqjEwBbrf%2BOPzNVu4NvSx6o5mIyXnuM2gvn83yxLrqvzePEd0tcHUxOwfNtNF3r63lnUyD5e0xsS8WT37PtDxipo4BSDB%2FpWmxx9QlEbWvPa9VwQC0ojh6cZFF8gqooiPjQkQfJ%2FX%2FuzwAFnZUr34yg%3D%3D

URLs

http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=mMuO7yV2SabitZONNkW5UPOl5NlDMwuw%2BIWgw1YloCHRm7PeEEJnkNObpLwYcIh2%2FbO2mQobKcyKiLL2EnGIY6W%2F341WGA7V1vP%2B438O9GOs55a%2FExwrnobn%2FetHK8FO1PG9z11AfYbK9%2BbkWiGDaajx6cVcBCiDyNn761oizze2%2FaiJTBJ09dLF1%2BZGKfwbwLGc1TFXf7P6hfLpACGyRvOH%2F7sARA%2FntcDe1UUW2ir1loOJHDt5lMLR%2B%2Bs2IYZA4KfHpHURf%2B6J%2FMHJAzCBJ62ioI84Rie5%2FoHY91VFh2%2Frku%2B3RjwOkdTN6%2BZCDOoU9JXuhF9AD7b06P%2FgK12Fftf%2F%2FdhjIB7epNGg9XsLjSjN9YiZLSckmp6C0sA1fac0wZK7jUggLIPQ99vLZgfDH%2BO775kuOTuw7YTloFVRlGH8mMueHE5w0ImM9stsCtI63feOmBwXeZ7Y%2B%2B7xDGHSfvW6%2FblqLnDCieziz0Qf%2B2bb%2BK25GSgiw56C1v8ka9lf7oDCgHMmbJSghtnYbhT6Jsq5oJ4zCCCkzub3wBR0hm7AgceCV1N74IuB3N1uD4oB8YiA2k4EH7DM18PsDSWGQ%2Bu4uo59BHHSg9br%2FBN3%2Fxz5j%2BylOScUm%2FjK0LYpeJAiqo2r3Wc9AeuogcXhQ3yPCuCnrp0VOjuF7Pf9sxRJgnHNu6vdZxMm743lys4Od%2FEFqJTslRUILpeegtbWM0C0bamCyahjRznk1vnSyQ9yzWXYiJvYTwYZve7K0fQNNtNBqqb3tk0DcJ%2FV1%2BPCBnfrE%2FCkkN4iFQW%2BjJWmwz5bhmv9kbnYaz8GyqP62fpGEIl1qIOYmEM%2BA7XM2v7wDlC5UNSx94JLPSrxrdnlvwQx4BzVtYjJSDQVmNnypPwpNtNBq57ArQBED%2FOk1MnFBnzeHKukjN4jSxm17PzF4SJD0E%2Bt8tTWXyJ7xKjjx%2BoDL5xi2KTvyUg0Gr2DwObGKUGvTtnuvKl8MQvLjOXq63kxyjv3sI2JTRM8hN%2F2rNUrW6giqonYhlFGG5bQz6G8RA6NB%2F6Dv6k%2FPCeCweDG0ShFs06rh9uhdgZ59Kjz5OcEd%2F8R3qazqjEwBbrf%2BOPzNVu4NvSx6o5mIyXnuM2gvn83yxLrqvzePEd0tcHUxOwfNtNF3r63lnUyD5e0xsS8WT37PtDxipo4BSDB%2FpWmxx9QlEbWvPa9VwQC0ojh6cZFF8gqooiPjQkQfJ%2FX%2FuzwAFnZUr34yg%3D%3D

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\browser\xul.dll	BazarLoaderVar5
\Users\Admin\Desktop\browser\xul.dll	BazarLoaderVar5

Executes dropped EXE 4 IoCs

Processes:

firefox.exetor.exefirefox.exefirefox.exe

pid process

2116 firefox.exe
4080 tor.exe
4520 firefox.exe
3644 firefox.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
File created	\??\c:\users\admin\pictures\saveopen.crw.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\pictures\watchgrant.tiff	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\users\admin\pictures\watchgrant.tiff.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation firefox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	firefox.exe

Drops startup file 1 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Loads dropped DLL 27 IoCs

Processes:

firefox.exetor.exefirefox.exefirefox.exe

pid	process
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
3644	firefox.exe
3644	firefox.exe
3644	firefox.exe
3644	firefox.exe
3644	firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 32 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-1042495040-510797905-2613508344-1000\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\pictures\camera roll\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\dataservices\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\onedrive\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\pictures\saved pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\accountpictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 whatismyipaddress.com
13 whatismyipaddress.com

flow	ioc
15	whatismyipaddress.com
13	whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
File created	\??\c:\program files\java\jdk1.8.0_66\db\bin\stopnetworkserver.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\slate\slate.inf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.zunevideo_10.16112.11601.0_x64__8wekyb3d8bbwe\assets\contrast-white\applist.targetsize-36_contrast-white.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\s_forward_18.svg	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Internet Explorer\images\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\o365homepremr_subtest1-ppd.xrm-ms	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\microsoft office\thinappxmanifest.xml.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.desktopappinstaller_1.0.10252.0_x64__8wekyb3d8bbwe\assets\contrast-black\apppackageapplist.targetsize-30_contrast-black.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowssoundrecorder_10.1702.301.0_x64__8wekyb3d8bbwe\assets\voicerecorderapplist.targetsize-72.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\microsoft office\root\licenses16\onenoter_retail-ppd.xrm-ms.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\microsoft office\root\licenses16\onenotevl_kms_client-ul-oob.xrm-ms.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\muauth.cab.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\root\ui-strings.js	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\meta-inf\manifest.mf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\videolan\vlc\locale\si\lc_messages\vlc.mo	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\mail.config	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.microsoftsolitairecollection_3.14.1181.0_x64__8wekyb3d8bbwe\assets\icons\statistics.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.office.onenote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\jscripts\wefgallery_strings.js	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.skypeapp_11.8.204.0_x64__kzf8qxf38zg5c\skypeapp\designs\flags\large\ma_60x42.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\da-dk\ui-strings.js.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\sdxs\fa000000027\assets\icons\send2.16.grayf.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\strtedge\thmbnail.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.microsoftsolitairecollection_3.14.1181.0_x64__8wekyb3d8bbwe\assets\themes\aquarium\aquarium_11s.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\powerpoint2019vl_mak_ae-ul-phn.xrm-ms	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\blends\blends.inf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.people_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\contrast-white\peoplemedtile.scale-125.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.skypeapp_11.8.204.0_x64__kzf8qxf38zg5c\skypeapp\designs\flags\small\bo_16x11.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\s_filterselected-focus_32.svg	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\images\rhp_world_icon.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\meta-inf\eclipse_.sf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\210x173\31.jpg	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.microsoftsolitairecollection_3.14.1181.0_x64__8wekyb3d8bbwe\arkadium.win10.dailychallenges\assets\diamond_badge_earned.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.office.onenote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6449_40x40x32.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.skypeapp_11.8.204.0_x64__kzf8qxf38zg5c\skypeapp\designs\flags\large\mn_60x42.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\7-zip\history.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\powerpointr_retail-ppd.xrm-ms	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\423x173\34.jpg	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowsfeedbackhub_1.1612.10312.0_x64__8wekyb3d8bbwe\assets\insiderhubapplist.targetsize-96.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowsmaps_5.1611.10393.0_x64__8wekyb3d8bbwe\assets\secondarytiles\home\contrast-white\largetile.scale-200.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\js\faf-main.js.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.skypeapp_11.8.204.0_x64__kzf8qxf38zg5c\skypeapp\designs\flags\small\sj_16x11.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\hxmailapplist.targetsize-40_altform-unplated.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\stationery\softblue.jpg	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\microsoft office\root\licenses16\visiostdvl_kms_client-ppd.xrm-ms.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\grphflt\gifimp32.flt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXEnotepad.exe

pid process

4252 NOTEPAD.EXE
5044 notepad.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

tor.exe

pid process

4080 tor.exe
4080 tor.exe
4080 tor.exe
4080 tor.exe
4080 tor.exe
4080 tor.exe

pid	process
4252	NOTEPAD.EXE
5044	notepad.exe

pid	process
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exefirefox.exe

description	pid	process	target process
PID 396 wrote to memory of 5044	396	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	notepad.exe
PID 396 wrote to memory of 5044	396	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	notepad.exe
PID 396 wrote to memory of 5044	396	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	notepad.exe
PID 396 wrote to memory of 2116	396	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	firefox.exe
PID 396 wrote to memory of 2116	396	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	firefox.exe
PID 396 wrote to memory of 2116	396	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	firefox.exe
PID 2116 wrote to memory of 4080	2116	firefox.exe	tor.exe
PID 2116 wrote to memory of 4080	2116	firefox.exe	tor.exe
PID 2116 wrote to memory of 4080	2116	firefox.exe	tor.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 4520	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe
PID 2116 wrote to memory of 3644	2116	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
"C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\notepad.exe
"notepad.exe" C:\Users\Admin\Desktop\BackFiles_encoded01.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:5044

C:\Users\Admin\Desktop\browser\firefox.exe
"C:\Users\Admin\Desktop\browser\firefox.exe" --allow-remote http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=mMuO7yV2SabitZONNkW5UPOl5NlDMwuw%2BIWgw1YloCHRm7PeEEJnkNObpLwYcIh2%2FbO2mQobKcyKiLL2EnGIY6W%2F341WGA7V1vP%2B438O9GOs55a%2FExwrnobn%2FetHK8FO1PG9z11AfYbK9%2BbkWiGDaajx6cVcBCiDyNn761oizze2%2FaiJTBJ09dLF1%2BZGKfwbwLGc1TFXf7P6hfLpACGyRvOH%2F7sARA%2FntcDe1UUW2ir1loOJHDt5lMLR%2B%2Bs2IYZA4KfHpHURf%2B6J%2FMHJAzCBJ62ioI84Rie5%2FoHY91VFh2%2Frku%2B3RjwOkdTN6%2BZCDOoU9JXuhF9AD7b06P%2FgK12Fftf%2F%2FdhjIB7epNGg9XsLjSjN9YiZLSckmp6C0sA1fac0wZK7jUggLIPQ99vLZgfDH%2BO775kuOTuw7YTloFVRlGH8mMueHE5w0ImM9stsCtI63feOmBwXeZ7Y%2B%2B7xDGHSfvW6%2FblqLnDCieziz0Qf%2B2bb%2BK25GSgiw56C1v8ka9lf7oDCgHMmbJSghtnYbhT6Jsq5oJ4zCCCkzub3wBR0hm7AgceCV1N74IuB3N1uD4oB8YiA2k4EH7DM18PsDSWGQ%2Bu4uo59BHHSg9br%2FBN3%2Fxz5j%2BylOScUm%2FjK0LYpeJAiqo2r3Wc9AeuogcXhQ3yPCuCnrp0VOjuF7Pf9sxRJgnHNu6vdZxMm743lys4Od%2FEFqJTslRUILpeegtbWM0C0bamCyahjRznk1vnSyQ9yzWXYiJvYTwYZve7K0fQNNtNBqqb3tk0DcJ%2FV1%2BPCBnfrE%2FCkkN4iFQW%2BjJWmwz5bhmv9kbnYaz8GyqP62fpGEIl1qIOYmEM%2BA7XM2v7wDlC5UNSx94JLPSrxrdnlvwQx4BzVtYjJSDQVmNnypPwpNtNBq57ArQBED%2FOk1MnFBnzeHKukjN4jSxm17PzF4SJD0E%2Bt8tTWXyJ7xKjjx%2BoDL5xi2KTvyUg0Gr2DwObGKUGvTtnuvKl8MQvLjOXq63kxyjv3sI2JTRM8hN%2F2rNUrW6giqonYhlFGG5bQz6G8RA6NB%2F6Dv6k%2FPCeCweDG0ShFs06rh9uhdgZ59Kjz5OcEd%2F8R3qazqjEwBbrf%2BOPzNVu4NvSx6o5mIyXnuM2gvn83yxLrqvzePEd0tcHUxOwfNtNF3r63lnUyD5e0xsS8WT37PtDxipo4BSDB%2FpWmxx9QlEbWvPa9VwQC0ojh6cZFF8gqooiPjQkQfJ%2FX%2FuzwAFnZUr34yg%3D%3D
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\Desktop\browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\browser\TorBrowser\Tor\tor.exe" --defaults-torrc C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\torrc-defaults -f C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\torrc DataDirectory C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor GeoIPFile C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\geoip GeoIPv6File C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\geoip6 HashedControlPassword 16:d19d18e4d27836e9608bf684c8b043ab75abc23854a3fc0b6b3391a336 +__ControlPort 9151 +__SocksPort "127.0.0.1:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 2116 DisableNetwork 1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Users\Admin\Desktop\browser\firefox.exe
"C:\Users\Admin\Desktop\browser\firefox.exe" -contentproc --channel="2116.0.627203460\838123476" -childID 1 -isForBrowser -boolPrefs 299:0| -schedulerPrefs 0001,2 -greomni "C:\Users\Admin\Desktop\browser\omni.ja" -appomni "C:\Users\Admin\Desktop\browser\browser\omni.ja" -appdir "C:\Users\Admin\Desktop\browser\browser" 2116 tab
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4520

C:\Users\Admin\Desktop\browser\firefox.exe
"C:\Users\Admin\Desktop\browser\firefox.exe" -contentproc --channel="2116.6.433665060\1608908876" -childID 2 -isForBrowser -boolPrefs 299:0| -schedulerPrefs 0001,2 -greomni "C:\Users\Admin\Desktop\browser\omni.ja" -appomni "C:\Users\Admin\Desktop\browser\browser\omni.ja" -appdir "C:\Users\Admin\Desktop\browser\browser" 2116 tab
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BackFiles_encoded01.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\BackFiles_encoded01.txt
MD5
07a3ca40ac65e3afc518949a609c1152

SHA1
e202c0676b5163191468cc8cdaf41b99073e509e

SHA256
b7fde96346eb9624bf5afc50c7de7e5b71157d63aeba4eb07bdfa606e8dc685d

SHA512
86281441849544549cc5558a84edcc620622b87814b0952ad59fded1e9c303a413f75cc4763ad6fde35fdc4a721d9dfa15206b3fe11380b98102e6346e8432e0

Download Submit
C:\Users\Admin\Desktop\BackFiles_encoded01.txt
MD5
07a3ca40ac65e3afc518949a609c1152

SHA1
e202c0676b5163191468cc8cdaf41b99073e509e

SHA256
b7fde96346eb9624bf5afc50c7de7e5b71157d63aeba4eb07bdfa606e8dc685d

SHA512
86281441849544549cc5558a84edcc620622b87814b0952ad59fded1e9c303a413f75cc4763ad6fde35fdc4a721d9dfa15206b3fe11380b98102e6346e8432e0

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Browser\profile.default\extensions\https-everywhere-eff@eff.org.xpi
MD5
9734e638c658490dfd365b994d3f744e

SHA1
fc62ad0f9bf145bca031cf7ae30d9b2797be246e

SHA256
b37b8ddc871e539e97075b7ae9555c076003a51b389776bc2a4729e3f13690ce

SHA512
2f9565be53f20f6702862dbffe3731e8951dd0cb894a8c1b96537d3e426a444c2e4d7e2399ba2608f69222d20452bcd068cc4f2630fe2e526738340b30d2ece6

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Browser\profile.default\extensions\tor-launcher@torproject.org.xpi
MD5
75859ab1336c56fa990cfb87753ad4b2

SHA1
3f0925520503cc3f8502c8230137b0470ac61688

SHA256
7f1206ddb357f5d8729c6f711f916bbf05e7fb9bcd4409c687a3a8aeb4016f13

SHA512
a6f8b7f96d625c121be8cd2a79327bbccac13a9506e033b35d235d0319a4737a704b5a9ff76189d8adaab55e9404125b91ca4cd845b645768137557ed80d7750

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Browser\profile.default\extensions\torbutton@torproject.org.xpi
MD5
182f5435598bf1d3b06361594af3b26b

SHA1
43d3f0736b9f8d580c83bc9d047b1bc91e7c4dfc

SHA256
707b94d07668e03384b31330aa78d7c9d07e6ee4bb97249ca82d46b33b346e93

SHA512
7f98e29d5c96c38454f94fd9ae0e4b2e643bfad2c1e8e0cea868250f68a247f2cf45d19bd85c806b242f1bb67993686234e333999e8ef68249e42c8cb88ac014

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Browser\profile.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
MD5
c0dd6b242f8668e1347aba9580993db2

SHA1
3bd0c783727edb468003321924cb6b042c8347d8

SHA256
68c3ef1b753210d376ab9b9c73fa053043f4f0f4cab219e317759fb32b104a27

SHA512
8f73af036262408db15dc703a80ccf4659dd3464d41e158c2b349a9d7313b672be44d41bcc8cabe47abc3826cff529ebf90ba677e0ad69d0beb1a939b8aea880

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Browser\profiles.ini
MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\geoip
MD5
9562b5fe3cd4963f4fd371cbf507fed2

SHA1
cffd7b0544879150a31f966e83dbb7dddfa16f49

SHA256
d3e083e561ce2c847f1b40119f040f511295493ba451c5711a67a2b07dabe224

SHA512
155ae9e420cb2464c078d44d9c3b71685323549de190d52080ce5bbe34d235a10ba965fdd397228552ec10c438fd2b201b5125fef36b720bed8e60bd12fd7726

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\geoip6
MD5
f3b5f5c94021b8ba9c98b782021815ac

SHA1
b25710f60cb23f0c76f58afb0a26a26acb701bb2

SHA256
8bd5cba56f8cb2326776082fcf92a8bc2c01725481b95c55da8f6dd6cd6b10c2

SHA512
c26df649ab71ec2a1b707bd51ea2c226fe321175e53e99cbd46e93dc124a72830eb94cbf3e390e4967da113ab93a732332cffe7eeaa80ce2b8e0b9813cdf365c

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\torrc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\torrc-defaults
MD5
4f834229a3b846c1d804d0b5aca84a9a

SHA1
56622d62cb3a097076c245766e36b0cdf22614bf

SHA256
921c7856fee3fd4f70a37864a7f89bc24cd2d39f5cda97fa92a99aefc89b0c5d

SHA512
e7caeb16c52d32362357a0cd480125baf8579f7cde45e3e743b08708679303d6c38772b264369c259401da73b46c5da89d27bfab544fa1a22a5e5b72de488049

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\LIBEAY32.dll
MD5
ab2afe846d7026e6664fcc78c7baa3dd

SHA1
dd5ce1a5b7a9c2bedf46dc6f17ea56e1e14bcf3b

SHA256
20e5be0893ec2c3f87dda631c5e0f44ab0fbd7a342989e3f71376c1e45ae0211

SHA512
22642c0b9467300ec8cd9300adc4e58cf462ba1906fefce8640395a26f081e44d4218bf50a0f015062c035df2e41f8f5564d5a6e177675270930508a4c2dbc14

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\SSLEAY32.dll
MD5
972dd6bcac3f4148c7b19165a6ea2346

SHA1
097ef0ad7cbf9f622288c8bf1b225d03c26c1cfc

SHA256
3566d7f5e755d5871acbe39bd6194e29f4beefc94aa067df92dcc136d315f0a3

SHA512
c22d00921920c3ce89cdd8a7f7cb09215a4b03fba6af5796d37d7dd1f7f5d319c3bff6cba51c65cd8aafc77bceb515cca6d520e4ea28c38ee268b7203ecf15f5

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\libevent-2-1-6.dll
MD5
52dc140cbb14e2154e9087ecbc8cdc28

SHA1
68a2c92e99a283a67b898fd3208c19160cd36617

SHA256
b946b94a6abec862e0685327f76f5f55ed690268c4cd3ceb4018acd6e0e12d6e

SHA512
4dc2bd64cfcf4fce6f2030b2077df212da260d89505f16e71e1f06eae7d45437831c34e4de6c1d24ae0b02ca142e261eb363b495595cfd6e404d2304c403ebb0

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\libgcc_s_sjlj-1.dll
MD5
286cdf5fdb6414f3e0508c446af62c30

SHA1
394d333371cad5735f09ed8bed128448b1b965ea

SHA256
481c13cf972fafa748486fbbd0366a44babaeabd19ba56e691bb3a064c653153

SHA512
9ffe9f6d881df0b6a35e9cc7636b64097196102115d9451dd4db71d22fb37ccedfe32879952cd979f85247bb8168f9df95af18dc0eba478deafb2301a6b24c1c

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\libssp-0.dll
MD5
606110186930c205e48942975a851ca4

SHA1
d2b7a21bd55a035e2a7813eccc9e33f5f7815823

SHA256
33115d4f22517c23939d8f8ab65bbb35cccb5d463ba81b44623e3cb57c8867f7

SHA512
3b00c7fecdbaec3fced8f8ecb2b0351d406a3d0a461011140f60d9e1e52afcef3b92baa8c1079ce01716ba266a975c0f54e16f282bf4cf97fafa2e0164c0245c

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\libwinpthread-1.dll
MD5
40a7215c1bd90c1da72b1d4e139f1821

SHA1
9106d6140ceec25059c6fd8bbead9005346c88a9

SHA256
c115d1a52cd1e848969928a07dbc5312c53c10380bf44a7cdd82a31d5f37404e

SHA512
11d1b8a704d02b413822a2bdf8f0c9ea4e5a72509484e1ce96033b226ffb6ef3bdfed0bb05ea3c2396bc7543d9fa0d1f04169277deeeb341186e2ae9de500019

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\tor.exe
MD5
a3b8bc5120fecb06d89bb6e59a69ed39

SHA1
51c469269c683fc5ac734525649698707387dcf5

SHA256
f11bd1f492a5245a30ae001c978b5abbca52d97d8effcf88032fff5cbd7ebdff

SHA512
5067548b8ab13ef7279277294bf9baee5a47919207bf6b70584ed5b788e1efab44be8e5530910ef15f5fcb3899a0e9fbffab085985ee98e85c7283a4ebf9814e

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\tor.exe
MD5
a3b8bc5120fecb06d89bb6e59a69ed39

SHA1
51c469269c683fc5ac734525649698707387dcf5

SHA256
f11bd1f492a5245a30ae001c978b5abbca52d97d8effcf88032fff5cbd7ebdff

SHA512
5067548b8ab13ef7279277294bf9baee5a47919207bf6b70584ed5b788e1efab44be8e5530910ef15f5fcb3899a0e9fbffab085985ee98e85c7283a4ebf9814e

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Tor\zlib1.dll
MD5
7b7f33f2d84c9cfbfdd0f755140d2bbf

SHA1
98b084b1f3f2637fad742ce497659c052ce1e310

SHA256
6d2c002ba600b97e0d514166bcf33667553f41fcbd73e2cd87baef74d4c6f060

SHA512
66e8540a4da9c248980096d20a368458a221facb47a353907da636e39bbad9dd3fb70679b8d7cf6b1d6b3d0ffad3ac8b29148c9998fbdbdbb217c1597c839708

Download Submit
C:\Users\Admin\Desktop\browser\browser\blocklist.xml
MD5
0792487d166d1ba82bf412be9bf2e3fa

SHA1
92db9b35a132e3a1549194fab2458118db9b089b

SHA256
ba6ecf90cc41ee46217be5748ab57a522f33e1ab31c0023455ef0902de9469b7

SHA512
01da47545e36af0e6e9b4da3ca84a200f717fc47e84900e91ad4ad88b7746b52981b95a281c5099f5f429eed891eccfed8166b18f4dfdb4d662d225ff194894f

Download Submit
C:\Users\Admin\Desktop\browser\browser\chrome.manifest
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\browser\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
MD5
833cb7f04e00bd0ca5c08527d748261e

SHA1
bdbbaeb2de9497da4e0274ad0dc9bfb7d256a93f

SHA256
d048d40a8dbf6ac596027d694b4f6aa97820a8b4a7b36c7e696ee10bcb56c0b1

SHA512
ea5f91997865892791df5c04789ea7035f6e7dff36ae736221eb7fc39fec2acedc5347780cc0d6c0a2ceafaed45fd1048be54a6325ecb5358017fb516376a030

Download Submit
C:\Users\Admin\Desktop\browser\browser\features\onboarding@mozilla.org.xpi
MD5
ba7a8f7a4d203cca446f6d7ace6b7056

SHA1
c843f80f0ed056ef4477f3bc7f54e378199275e4

SHA256
3e95f9fa6d6254a71cab2f3e472e00878feab77febffdc8a8ccacf3ae4514321

SHA512
600d22c7e84005ac66fff07296d68033f12b3b88976cee261af85c27d9e361281c379112f3762aba99b5e265ece5875d4b2e7139ac198204262619c8013d7978

Download Submit
C:\Users\Admin\Desktop\browser\browser\omni.ja
MD5
9c804185751c533439d1b4b040fa1aea

SHA1
cf87d2cd611d8f813bbe893626a9ca02e5f567fe

SHA256
4dc914e8b8e36794550f38414d45a3147e354c0d09b1c68e3d81b09d159808b9

SHA512
af6728700781301a3f29c7f563a4fd26e099cc3d10c00bd110e3a459b7b83f58d03117781fb5219b1860e77fe7c46aa0b5d62a2a795c600d1f2bfec81d866beb

Download Submit
C:\Users\Admin\Desktop\browser\chrome.manifest
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\browser\defaults\pref\channel-prefs.js
MD5
c13b7ffae99396fdbcba2f8eb6c90826

SHA1
26cddfcf6ee1d7231749df6d86f3d82ce49cdd21

SHA256
f2d608eafcddee87986419d5f987490efcfbe83f53cb300a67ba28085f625e08

SHA512
a6ce770b66e08ac417c550a062aacec9f195d6347ed56a7686096a3f819f0eac31e59c61005233357cfb9ad82b038699c3426635a7c9c431604e43c5fe0b2a21

Download Submit
C:\Users\Admin\Desktop\browser\dependentlibs.list
MD5
f2986058d6ee186d6d446f817859c242

SHA1
7984a1afacbe080bae20371d8109936ee5fc0e33

SHA256
3b4bfc3e8cb35aef1b97d0d20860b85f6c7466e77fc5bc5a6ab9d7b741700e87

SHA512
99b47691154322146be0f9e6a542d0303c0e9ab9e783e611d7e4535cebcc1bb6dd632f8af9d89ff012e45406f701c7ce352704d09749d2cfbde5b8f708a8a045

Download Submit
C:\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
C:\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
C:\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
C:\Users\Admin\Desktop\browser\fonts\EmojiOneMozilla.ttf
MD5
b0a43a838944f6a95ed1682328134667

SHA1
09da4e3caf177343bc0458140549843ee89fb47c

SHA256
ed65f61abe6e06ff5aaa9eb2a93c6c3e9b6f28e5bb4b0d63cad377fc7f5bd609

SHA512
5b1261af5bbe718d8a2d5977c93df7ada87bf2eb7fa503530718858d748394cfe11a0c3f1fece7e68b4239662eea3d0440d1a7577b23556d896983dc058c81e9

Download Submit
C:\Users\Admin\Desktop\browser\fonts\NotoSansBuginese-Regular.ttf
MD5
f1165158457f9857f481dc2ff20dfb11

SHA1
fffd7b33a59ff45d290375f78014a898b1bf4ec8

SHA256
87ca7fb3cd61a3ded9e5127f8495df2a5164e30c5c492a41890e4e8f10f9f3a0

SHA512
d9cbdc4e09bcf38e2ea1c84c3dfcc76d0303db69307c199d9241a7e6d4360b3d240d59e9e524ee14a451141d5ba7d19db6fbc5f352a229f55e40cbe2f0fe3e08

Download Submit
C:\Users\Admin\Desktop\browser\fonts\NotoSansKhmer-Regular.ttf
MD5
1dda5eccfbd74284c9c2d99d462c0ff0

SHA1
43c601892aef5dd4d9f3673d934652063f717e58

SHA256
89b9cf9bcd7dda88d7f3d586936f52a3d011d00415a53063d1562751c730ef8a

SHA512
2d8c7165203727a0cc82c5a2f229d3394f1163782722e2ecc439d9efa660ea3ad8d8316ff5d7ff899e76bb20ca395e099e0800a9443415d4ca5e9972311215f4

Download Submit
C:\Users\Admin\Desktop\browser\fonts\NotoSansLao-Regular.ttf
MD5
8dec8eb73f625f21a674b2a20bc6e638

SHA1
da80db1755c5d6e50b9541935f3353a5b359867e

SHA256
933ff321319bd3a02a4c93230c4c02128777d5913f0965401015b947bfa6b861

SHA512
c120a415a5e14a5704723e273812de55d72490934ad0495b1f7c03fe63d9e467920d1979795cb7f4bdaed53faaf05ce68abc78de29744a76cb439df64bc0423e

Download Submit
C:\Users\Admin\Desktop\browser\fonts\NotoSansMyanmar-Regular.ttf
MD5
ed58ee35ce0ddbde550dde4efbbbe411

SHA1
8a7d291308b49bb978a7cbd79157e7688544358e

SHA256
b1aa5081f7963416a6bd56539b5a9ab7e744b6113aae3bafa6739ee34a5f844a

SHA512
a7c739077bac1c01d94df85565a45595e352b489577c046eb2eed5ef55fb970b4fc0713d747f6b6538af79a0509dbcb6d8701e7b140b9e2f17afd58102fffc21

Download Submit
C:\Users\Admin\Desktop\browser\fonts\NotoSansYi-Regular.ttf
MD5
980daec5dc17fb520d70cfed23065dfb

SHA1
711a7ed8bd6f054f9aab7d7b12ed7fbae09ff828

SHA256
681eae15d741f78f88635d69fe66efdbcce52b7c279176e5ad2bc84bdd58f006

SHA512
c5280ee728af19b82b85039ce8b54cf2bb011ccc0b7d28bd36f0feb5a72da15416d7b76a991c8610c4ddf1785e90dfe3573b2aa7dcd404d3e1ba11e942b52915

Download Submit
C:\Users\Admin\Desktop\browser\freebl3.dll
MD5
f596c9d5601d6f3a4a66bd8e9db72774

SHA1
9e4309e2a7f0adf691ff96c1fe2a0655ec4aaca3

SHA256
8b6253ac44ca44dc5ee407ae6f37baa68eb8d795d7befb5ce38a8fcf4cec8224

SHA512
ae06d019678096788eb280d3399c8c6db864a3d328aac9d7a6cd93907a31404e1674979cdff54c2bdb8226e8cc73127f1bcd10c1011699d50e411f2dc826465d

Download Submit
C:\Users\Admin\Desktop\browser\lgpllibs.dll
MD5
1ce12b7e17df910821934c0ca88e327e

SHA1
1c893ad79efc78ea0bc55a4e77e370aeb2b170a4

SHA256
a45423180152db88acb7aa2b3c4214a473a767ce575e1efbb4dcdf215538dea4

SHA512
1b27ad5534168ec5775ce0368185e6e44ef062be140b2cbc4fc7bdc1eb0fcb7f2c34a2820a93f91bb0a5616f63a1c5aca3be443ff54b699a0cc171db42db3a3f

Download Submit
C:\Users\Admin\Desktop\browser\mozglue.dll
MD5
c39597b497337ce44c85d532ae11e806

SHA1
0d974df8bb2b1f18b044031a74ba8f6c99c16a86

SHA256
6ac9cc7ab4bbc433583c37ae7d5f2501b643725bdd4b2c6d0ed24d95aa76c088

SHA512
2575486ddb8ed5180eeb22e878800d9372d9ec474a6e20034fed320b03258e063296ab2d3ab6f4301d82593d80b517e3145a7076b62be9529542b5565758546d

Download Submit
C:\Users\Admin\Desktop\browser\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Desktop\browser\nss3.dll
MD5
4f0a1859062c3bef38347c64d1269ac9

SHA1
339419554949249b34e823c84582856e41fe3d4b

SHA256
85c3d1920a5b8954fb123fb578442ac7ceb2dac24b167b715071c78f4898f580

SHA512
1aeebafb49b6c5be4d5b41b3d85eb000b1f3fdafc1b05cfebc61c4786c3c6698a651f1fff675e6731f4c2f1c0d8be19a6f194984ea0218ee1a3603260a3fa94d

Download Submit
C:\Users\Admin\Desktop\browser\nssckbi.dll
MD5
1fda48f5a61ee7790fde6c8e5aa29aac

SHA1
def031a5bbd58d68ab40f4c6b7c28373d9fa827a

SHA256
59701d04d055f1b23051c5cfa6b2f4373d63b557337e13bd755007f1d879f80d

SHA512
fb1416e930998324ff599a514ca9c4715f504c1776a28a611895286dfe4b914fdce584e1dc600abb986c713b32b5b149f83f6dd64b56688ba6145d3f1b737ffb

Download Submit
C:\Users\Admin\Desktop\browser\omni.ja
MD5
1dc2c39a6a6f604193578b67c75ae667

SHA1
1e960b6eff7ca7192a52bf19638529335bd6b3f7

SHA256
8e5df882204d56aaca9fbdf4e21eeb8e7b473dea152a53256283504266d3107d

SHA512
ce4d25b40bd237149d3948ac774941abdc8b491baef58e7037a4c5befb028b6fb8dc5af6afcaba9309ccb8bee4bab3e70d0a32aa7cc220f2545d93fed97eaf6e

Download Submit
C:\Users\Admin\Desktop\browser\softokn3.dll
MD5
a31ac011a4fe78c04873e6b66b7b12cc

SHA1
fed8784d25b905f54e3b4c3e59aa1b0748d3e8a3

SHA256
d6f1051b9e15d736457861660cc66fd34cd87f80450f01c3493bab0eae557ee5

SHA512
57d61ed023430864ce6e8854f5e86401dfaa96e9df281594d8b5b2bafafd2ae77f7088e774499c42e82f9f3a765ef285065a0eebac713f6218fbaf60959a75b3

Download Submit
C:\Users\Admin\Desktop\browser\xul.dll
MD5
3e234c4dd915cc5fd54b1898da5a8154

SHA1
012f86d8955f5d57acef592e49af280a78627519

SHA256
aec295ca435ffc83c72eabbc4c9e59d030c28f8c724113e2d625f451433acdd1

SHA512
0a41e55da0a2a4d49d7f7eca76b13dc381cf64b7faf2dc09420c540db719e7323ee775e5a42c6e692c7f7f8bc354c7805440d5d59afd3e700ea1967be77ccfe3

Download Submit
\Users\Admin\Desktop\browser\TorBrowser\Tor\libeay32.dll
MD5
ab2afe846d7026e6664fcc78c7baa3dd

SHA1
dd5ce1a5b7a9c2bedf46dc6f17ea56e1e14bcf3b

SHA256
20e5be0893ec2c3f87dda631c5e0f44ab0fbd7a342989e3f71376c1e45ae0211

SHA512
22642c0b9467300ec8cd9300adc4e58cf462ba1906fefce8640395a26f081e44d4218bf50a0f015062c035df2e41f8f5564d5a6e177675270930508a4c2dbc14

Download Submit
\Users\Admin\Desktop\browser\TorBrowser\Tor\libevent-2-1-6.dll
MD5
52dc140cbb14e2154e9087ecbc8cdc28

SHA1
68a2c92e99a283a67b898fd3208c19160cd36617

SHA256
b946b94a6abec862e0685327f76f5f55ed690268c4cd3ceb4018acd6e0e12d6e

SHA512
4dc2bd64cfcf4fce6f2030b2077df212da260d89505f16e71e1f06eae7d45437831c34e4de6c1d24ae0b02ca142e261eb363b495595cfd6e404d2304c403ebb0

Download Submit
\Users\Admin\Desktop\browser\TorBrowser\Tor\libgcc_s_sjlj-1.dll
MD5
286cdf5fdb6414f3e0508c446af62c30

SHA1
394d333371cad5735f09ed8bed128448b1b965ea

SHA256
481c13cf972fafa748486fbbd0366a44babaeabd19ba56e691bb3a064c653153

SHA512
9ffe9f6d881df0b6a35e9cc7636b64097196102115d9451dd4db71d22fb37ccedfe32879952cd979f85247bb8168f9df95af18dc0eba478deafb2301a6b24c1c

Download Submit
\Users\Admin\Desktop\browser\TorBrowser\Tor\libssp-0.dll
MD5
606110186930c205e48942975a851ca4

SHA1
d2b7a21bd55a035e2a7813eccc9e33f5f7815823

SHA256
33115d4f22517c23939d8f8ab65bbb35cccb5d463ba81b44623e3cb57c8867f7

SHA512
3b00c7fecdbaec3fced8f8ecb2b0351d406a3d0a461011140f60d9e1e52afcef3b92baa8c1079ce01716ba266a975c0f54e16f282bf4cf97fafa2e0164c0245c

Download Submit
\Users\Admin\Desktop\browser\TorBrowser\Tor\libwinpthread-1.dll
MD5
40a7215c1bd90c1da72b1d4e139f1821

SHA1
9106d6140ceec25059c6fd8bbead9005346c88a9

SHA256
c115d1a52cd1e848969928a07dbc5312c53c10380bf44a7cdd82a31d5f37404e

SHA512
11d1b8a704d02b413822a2bdf8f0c9ea4e5a72509484e1ce96033b226ffb6ef3bdfed0bb05ea3c2396bc7543d9fa0d1f04169277deeeb341186e2ae9de500019

Download Submit
\Users\Admin\Desktop\browser\TorBrowser\Tor\ssleay32.dll
MD5
972dd6bcac3f4148c7b19165a6ea2346

SHA1
097ef0ad7cbf9f622288c8bf1b225d03c26c1cfc

SHA256
3566d7f5e755d5871acbe39bd6194e29f4beefc94aa067df92dcc136d315f0a3

SHA512
c22d00921920c3ce89cdd8a7f7cb09215a4b03fba6af5796d37d7dd1f7f5d319c3bff6cba51c65cd8aafc77bceb515cca6d520e4ea28c38ee268b7203ecf15f5

Download Submit
\Users\Admin\Desktop\browser\TorBrowser\Tor\zlib1.dll
MD5
7b7f33f2d84c9cfbfdd0f755140d2bbf

SHA1
98b084b1f3f2637fad742ce497659c052ce1e310

SHA256
6d2c002ba600b97e0d514166bcf33667553f41fcbd73e2cd87baef74d4c6f060

SHA512
66e8540a4da9c248980096d20a368458a221facb47a353907da636e39bbad9dd3fb70679b8d7cf6b1d6b3d0ffad3ac8b29148c9998fbdbdbb217c1597c839708

Download Submit
\Users\Admin\Desktop\browser\freebl3.dll
MD5
f596c9d5601d6f3a4a66bd8e9db72774

SHA1
9e4309e2a7f0adf691ff96c1fe2a0655ec4aaca3

SHA256
8b6253ac44ca44dc5ee407ae6f37baa68eb8d795d7befb5ce38a8fcf4cec8224

SHA512
ae06d019678096788eb280d3399c8c6db864a3d328aac9d7a6cd93907a31404e1674979cdff54c2bdb8226e8cc73127f1bcd10c1011699d50e411f2dc826465d

Download Submit
\Users\Admin\Desktop\browser\lgpllibs.dll
MD5
1ce12b7e17df910821934c0ca88e327e

SHA1
1c893ad79efc78ea0bc55a4e77e370aeb2b170a4

SHA256
a45423180152db88acb7aa2b3c4214a473a767ce575e1efbb4dcdf215538dea4

SHA512
1b27ad5534168ec5775ce0368185e6e44ef062be140b2cbc4fc7bdc1eb0fcb7f2c34a2820a93f91bb0a5616f63a1c5aca3be443ff54b699a0cc171db42db3a3f

Download Submit
\Users\Admin\Desktop\browser\lgpllibs.dll
MD5
1ce12b7e17df910821934c0ca88e327e

SHA1
1c893ad79efc78ea0bc55a4e77e370aeb2b170a4

SHA256
a45423180152db88acb7aa2b3c4214a473a767ce575e1efbb4dcdf215538dea4

SHA512
1b27ad5534168ec5775ce0368185e6e44ef062be140b2cbc4fc7bdc1eb0fcb7f2c34a2820a93f91bb0a5616f63a1c5aca3be443ff54b699a0cc171db42db3a3f

Download Submit
\Users\Admin\Desktop\browser\mozglue.dll
MD5
c39597b497337ce44c85d532ae11e806

SHA1
0d974df8bb2b1f18b044031a74ba8f6c99c16a86

SHA256
6ac9cc7ab4bbc433583c37ae7d5f2501b643725bdd4b2c6d0ed24d95aa76c088

SHA512
2575486ddb8ed5180eeb22e878800d9372d9ec474a6e20034fed320b03258e063296ab2d3ab6f4301d82593d80b517e3145a7076b62be9529542b5565758546d

Download Submit
\Users\Admin\Desktop\browser\mozglue.dll
MD5
c39597b497337ce44c85d532ae11e806

SHA1
0d974df8bb2b1f18b044031a74ba8f6c99c16a86

SHA256
6ac9cc7ab4bbc433583c37ae7d5f2501b643725bdd4b2c6d0ed24d95aa76c088

SHA512
2575486ddb8ed5180eeb22e878800d9372d9ec474a6e20034fed320b03258e063296ab2d3ab6f4301d82593d80b517e3145a7076b62be9529542b5565758546d

Download Submit
\Users\Admin\Desktop\browser\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\Desktop\browser\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\Desktop\browser\nss3.dll
MD5
4f0a1859062c3bef38347c64d1269ac9

SHA1
339419554949249b34e823c84582856e41fe3d4b

SHA256
85c3d1920a5b8954fb123fb578442ac7ceb2dac24b167b715071c78f4898f580

SHA512
1aeebafb49b6c5be4d5b41b3d85eb000b1f3fdafc1b05cfebc61c4786c3c6698a651f1fff675e6731f4c2f1c0d8be19a6f194984ea0218ee1a3603260a3fa94d

Download Submit
\Users\Admin\Desktop\browser\nssckbi.dll
MD5
1fda48f5a61ee7790fde6c8e5aa29aac

SHA1
def031a5bbd58d68ab40f4c6b7c28373d9fa827a

SHA256
59701d04d055f1b23051c5cfa6b2f4373d63b557337e13bd755007f1d879f80d

SHA512
fb1416e930998324ff599a514ca9c4715f504c1776a28a611895286dfe4b914fdce584e1dc600abb986c713b32b5b149f83f6dd64b56688ba6145d3f1b737ffb

Download Submit
\Users\Admin\Desktop\browser\softokn3.dll
MD5
a31ac011a4fe78c04873e6b66b7b12cc

SHA1
fed8784d25b905f54e3b4c3e59aa1b0748d3e8a3

SHA256
d6f1051b9e15d736457861660cc66fd34cd87f80450f01c3493bab0eae557ee5

SHA512
57d61ed023430864ce6e8854f5e86401dfaa96e9df281594d8b5b2bafafd2ae77f7088e774499c42e82f9f3a765ef285065a0eebac713f6218fbaf60959a75b3

Download Submit
\Users\Admin\Desktop\browser\xul.dll
MD5
3e234c4dd915cc5fd54b1898da5a8154

SHA1
012f86d8955f5d57acef592e49af280a78627519

SHA256
aec295ca435ffc83c72eabbc4c9e59d030c28f8c724113e2d625f451433acdd1

SHA512
0a41e55da0a2a4d49d7f7eca76b13dc381cf64b7faf2dc09420c540db719e7323ee775e5a42c6e692c7f7f8bc354c7805440d5d59afd3e700ea1967be77ccfe3

Download Submit
memory/396-118-0x00000000011F0000-0x000000000129E000-memory.dmp

Filesize
696KB

Download
memory/2116-153-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-167-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-185-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-186-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-187-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-189-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-190-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-191-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-188-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-192-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-193-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-194-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-195-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-196-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-197-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-198-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-199-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-200-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-201-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-202-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-203-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-204-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-205-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-183-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-182-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-181-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-180-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-178-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-179-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-177-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-176-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-174-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-175-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-172-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-173-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-171-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-170-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-169-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-168-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-184-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-166-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-165-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-164-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-163-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-122-0x0000000000000000-mapping.dmp

Download
memory/2116-162-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-161-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-160-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-159-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-158-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-157-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-156-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-155-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-154-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-152-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-151-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-150-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-149-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-147-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-148-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-128-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2116-129-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2116-144-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-145-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/2116-146-0x000000000C7F0000-0x000000000C800000-memory.dmp

Filesize
64KB

Download
memory/3644-483-0x0000000000000000-mapping.dmp

Download
memory/4080-298-0x0000000000000000-mapping.dmp

Download
memory/4080-320-0x0000000070B20000-0x0000000070BC7000-memory.dmp

Filesize
668KB

Download
memory/4080-318-0x0000000070BD0000-0x0000000070DD9000-memory.dmp

Filesize
2.0MB

Download
memory/4080-316-0x0000000070EF0000-0x0000000070F11000-memory.dmp

Filesize
132KB

Download
memory/4080-323-0x0000000000D00000-0x000000000109C000-memory.dmp

Filesize
3.6MB

Download
memory/4080-321-0x0000000070E30000-0x0000000070EED000-memory.dmp

Filesize
756KB

Download
memory/4520-328-0x0000000000000000-mapping.dmp

Download
memory/4520-480-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/4520-515-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/4520-519-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/4520-522-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/5044-120-0x0000000000000000-mapping.dmp

Download