Analysis

  • max time kernel
    221s
  • max time network
    198s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    30-09-2024 11:15

General

  • Target

    S0FTWARE.rar

  • Size

    21.4MB

  • MD5

    9e836a69e0bbdc74c826da13227f78b7

  • SHA1

    ae7b5cba4cf8bd0baf276785d073fbc4cc84b1df

  • SHA256

    4aaa1052ec1148f52506afe6087c885b979b2b4923df82b142eb007d160656d5

  • SHA512

    10997f3544277d4e3db862fbef2e1a373ef0b700b53eef8de26452cf9facc60afbb12ade59c2783a7a1ca7d6cba5e4eceb46f58cad909f3c4f38168a61e6a886

  • SSDEEP

    393216:1RFfxJKFA4VNEMPa/TacMM8McH3YYCKoEt2WW8VqQhqfyDCQ8ppqb76U/q:DFfaVNyaXM8MKCK5z3Vqqqq+T+Nq

Malware Config

Extracted

Family

vidar

Version

11

Botnet

346a77fbabba142b23c256004b5a7c5d

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 16 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • XMRig Miner payload 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 51 IoCs
  • Modifies registry class 20 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\S0FTWARE.rar
    1⤵
    • Modifies registry class
    PID:2464
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4428
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:564
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\S0FTWARE\" -spe -an -ai#7zMap28063:74:7zEvent5173
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4420
    • C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe
      "C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe"
      1⤵
      • Executes dropped EXE
      PID:3164
    • C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe
      "C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe"
      1⤵
      • Executes dropped EXE
      PID:2296
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2684
    • C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe
      "C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4648
        • C:\ProgramData\FBFCFIEBKE.exe
          "C:\ProgramData\FBFCFIEBKE.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:4252
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2912
            • C:\Windows\system32\wusa.exe
              wusa /uninstall /kb:890830 /quiet /norestart
              5⤵
                PID:200
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop UsoSvc
              4⤵
              • Launches sc.exe
              PID:3184
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop WaaSMedicSvc
              4⤵
              • Launches sc.exe
              PID:4552
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop wuauserv
              4⤵
              • Launches sc.exe
              PID:3512
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop bits
              4⤵
              • Launches sc.exe
              PID:4628
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop dosvc
              4⤵
              • Launches sc.exe
              PID:4864
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              4⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:2396
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              4⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:3004
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              4⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:2740
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              4⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:4860
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
              4⤵
              • Launches sc.exe
              PID:4152
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
              4⤵
              • Launches sc.exe
              PID:2208
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop eventlog
              4⤵
              • Launches sc.exe
              PID:2632
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
              4⤵
              • Launches sc.exe
              PID:5076
          • C:\ProgramData\JDAKJJDBGC.exe
            "C:\ProgramData\JDAKJJDBGC.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2016
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3896
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
                5⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:512
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAEBFHJKJEBF" & exit
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2928
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 10
              4⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:3164
      • C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe
        "C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:4556
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S0FTWARE\Readme.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:3780
      • C:\ProgramData\GoogleUP\Chrome\Updater.exe
        C:\ProgramData\GoogleUP\Chrome\Updater.exe
        1⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:516
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:2364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3512
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
              PID:4864
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            2⤵
            • Launches sc.exe
            PID:1640
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            2⤵
            • Launches sc.exe
            PID:3424
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            2⤵
            • Launches sc.exe
            PID:1808
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            2⤵
            • Launches sc.exe
            PID:3136
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            2⤵
            • Launches sc.exe
            PID:3312
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2336
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:652
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:708
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe
            2⤵
              PID:4964
            • C:\Windows\explorer.exe
              explorer.exe
              2⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:2840
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k SDRSVC
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:640

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\DAEBFHJKJEBF\HJJEHJ

            Filesize

            244B

            MD5

            82d0a343d06f3aaa16c594284d6b1f6d

            SHA1

            9294bb014a3a8be3fc5c533f525ac7270b09bf51

            SHA256

            1a0655b5aa5b6d037e25893bd191323091025f1df92e6f8b4392b1889171da10

            SHA512

            de024359f7c3e247dfd61b3ef3be0f3bc65855e4863966345bfe99a9e7c21659e2d0e08ba50ee46cccd0e569633b4edf68e30050c8956005adb56500d263ad53

          • C:\ProgramData\FBFCFIEBKE.exe

            Filesize

            6.1MB

            MD5

            6ef693da28af5e5da095708b29b5c45e

            SHA1

            022d277418431a05ca6a420c931ea26899d4847a

            SHA256

            69864d5ccf01fb603c926a4cc166a25dd1f9a7bbdd788b16fcab1b5098ea7a2c

            SHA512

            62251537b7a5c618457025371c17838f3e70a3e5fb8ef2189a452bc968bb21a0098218e9badf3970f165d817b2d37121c26b345b55fb1721defba054e54a2e8d

          • C:\ProgramData\JDAKJJDBGC.exe

            Filesize

            3.1MB

            MD5

            7261b7341788137e8649905df3af747d

            SHA1

            f0c675f37cf7004fc020c724a76903ee7d038e56

            SHA256

            c060325ef9ff61c904036e821b78ef11be7be89a98302b1246d0ea6518e72730

            SHA512

            c3dd2e3f3d13beb3909f31c0e33f3528ff50e265abb13bf0d37812a450a84b5858d978cb9f94873a38e80b32538e07fbfacecc1d360b3cee73d5f3925c59a188

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

            Filesize

            28KB

            MD5

            dd198b016c2b7c67468df3d390de1d67

            SHA1

            0e6ff40ba10beb2d922ebf3a38dd073602e838d2

            SHA256

            5fb4ab0929c084d62447c8fe5a70dfa3224f84826067060736d9574e5073c8e5

            SHA512

            9e421a5620812f281d964fc54146cd26ece009f58aae4ec4417dcc17eb1543c926c532aa30b1887460eed6279b3e3d9796b095e8feb9c240eb7e629e8ddd4d79

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B4U56X23\76561199780418869[1].htm

            Filesize

            33KB

            MD5

            01d255187dbde65c9f987d69b672ff34

            SHA1

            b320bbc62bc9cdfb0659e8bfeb9df573e8250766

            SHA256

            0015c7e3496fab4b43a8384a03b843a901af8bae5f2fb5c3154b92562a74215d

            SHA512

            984f1c721697e1c7485d1518b4e97ad087fdb359a7c79172723505b06f7c71307617810560d3b200fd380f6ba034aed36c890107dfb620ce6f87d1e91b4dc0bf

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lf2kx2go.ful.ps1

            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          • C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe

            Filesize

            18.0MB

            MD5

            a11bb3b18eba3f07561ca84c92c520cd

            SHA1

            c09ffdaa9b11747b07e88f669c70566a48134678

            SHA256

            7cfae4e35c049f4aad444cca84c5fcdd0f4da67b5a1846e821322a9f9757096b

            SHA512

            108e8153f76adfb5eb840a771b5af0c80396838363add14e05baf1b953ae19a684bed0648c2b4404d23d2a8f9a0ad2968b2f3e6d6a062c462a217a75dd9a85ac

          • C:\Windows\system32\drivers\etc\hosts

            Filesize

            2KB

            MD5

            3e9af076957c5b2f9c9ce5ec994bea05

            SHA1

            a8c7326f6bceffaeed1c2bb8d7165e56497965fe

            SHA256

            e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

            SHA512

            933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

          • \ProgramData\mozglue.dll

            Filesize

            593KB

            MD5

            c8fd9be83bc728cc04beffafc2907fe9

            SHA1

            95ab9f701e0024cedfbd312bcfe4e726744c4f2e

            SHA256

            ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

            SHA512

            fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          • \ProgramData\nss3.dll

            Filesize

            2.0MB

            MD5

            1cc453cdf74f31e4d913ff9c10acdde2

            SHA1

            6e85eae544d6e965f15fa5c39700fa7202f3aafe

            SHA256

            ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

            SHA512

            dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
