bazarloader | 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9

Analysis

max time kernel
192s
max time network
160s
platform
windows7_x64
resource
win7-en-20211014
submitted
12-11-2021 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
Size

58KB
MD5

1cc5b508da9567f032ed78375bb45959
SHA1

c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
SHA256

315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
SHA512

cef3bdf76e94904e0d170d3d208accef9ff8e50b85403130b12914ee6b20f0e49f58aa840757c7855b656cffa4400b83cd81fc5196fea66045a5724886970d61

Score

10^/10

bazarloader dropper loader ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2955169046-2371869340-1800780948-1000\BackFiles_encoded01.txt

Ransom Note

[+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website. Full link will be provided below. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- Your ID: rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D Your support onion(TOR) url: http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D

URLs

http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\browser\xul.dll	BazarLoaderVar5
\Users\Admin\Desktop\browser\xul.dll	BazarLoaderVar5
\Users\Admin\Desktop\browser\xul.dll	BazarLoaderVar5

Executes dropped EXE 2 IoCs

Processes:

firefox.exefirefox.exe

pid process

2000 firefox.exe
1832 firefox.exe

pid	process
2000	firefox.exe
1832	firefox.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
File created	\??\c:\users\admin\pictures\mountdeny.raw.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\users\admin\pictures\syncrestore.crw.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\users\admin\pictures\userevoke.crw.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Loads dropped DLL 12 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exefirefox.exefirefox.exe

pid	process
1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
2000	firefox.exe
2000	firefox.exe
2000	firefox.exe
2000	firefox.exe
1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
2000	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 47 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\freecell\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\spidersolitaire\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\cc9lyj78\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\recorded tv\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\dataservices\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\videos\sample videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\mahjong\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\favorites\links for united states\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\solitaire\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\b30t6pba\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\pictures\sample pictures\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\recorded tv\sample media\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\chess\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\purble place\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\music\sample music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\76wfqhvb\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\ejujzxd4\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\microsoft games\hearts\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows mail\stationery\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	ioc	process
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\bin\server\classes.jsa	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\africa\tripoli.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099153.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\forms\1033\scdrests.ico.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0150150.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\outlookautodiscover\yahoo.com.mx.xml.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\meta-inf\eclipse_.rsa	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\sports\previousmenubuttonicon.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\europe\brussels.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\media\cagcat10\j0196374.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\themes14\network\network.elm	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099204.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\bullets\bd21434_.gif	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\windows sidebar\gadgets\calendar.gadget\images\calendar_single_bkg.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\resizingpanels\panel_mask.wmv	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\america\managua.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0239943.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0241077.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\templates\1033\salesreport.xltx.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\desert\header.gif	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Uninstall Information\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\america\argentina\mendoza.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\america\noronha.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\7-zip\lang\en.ttt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\dd01628_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\1033\quickstyles\thatch.dotx.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\templates\1033\equityletter.dotx	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0216570.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\bullets\j0115864.gif	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bdcmetadata.xsd.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\calendar\calendartooliconimagesmask.bmp.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\mset7db.kic	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\videolan\vlc\locale\tl\lc_messages\vlc.mo.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\media\cagcat10\j0183290.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\fd02161_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\na01069_.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\forms\1033\postit.cfg.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\pubwiz\dgcal.xml.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jre7\lib\zi\america\grand_turk	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\an00914_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\an00965_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\7-zip\lang\da.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\resizingpanels\bandwidth.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0318804.wmf.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\bg_country.gif.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\google\chrome\application\89.0.4389.114\default_apps\youtube.crx.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\security\trusted.libraries	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\windows sidebar\gadgets\mediacenter.gadget\images\gadget_star_half.png	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\sl00256_.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\whitebox.jpg.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\toolbmps\taskbariconimagesmask256colors.bmp.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	\??\c:\program files\java\jre7\lib\zi\cet.encoded01	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\adobe\reader 9.0\reader\plug_ins\annotations\stamps\words.pdf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0187835.wmf	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\BackFiles_encoded01.txt	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1236 notepad.exe

pid	process
1236	notepad.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe

description	pid	process	target process
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	notepad.exe
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	notepad.exe
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	notepad.exe
PID 1552 wrote to memory of 1236	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	notepad.exe
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	firefox.exe
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	firefox.exe
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	firefox.exe
PID 1552 wrote to memory of 2000	1552	jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
"C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\notepad.exe
"notepad.exe" C:\Users\Admin\Desktop\BackFiles_encoded01.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1236

C:\Users\Admin\Desktop\browser\firefox.exe
"C:\Users\Admin\Desktop\browser\firefox.exe" --allow-remote http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2000

C:\Users\Admin\Desktop\browser\firefox.exe
"C:\Users\Admin\Desktop\browser\firefox.exe" --allow-remote http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\BackFiles_encoded01.txt
MD5
482206352af1be0e8e9232548776668d

SHA1
0b2b8b47bfbb15496e509a9a07f14ca46dd4de01

SHA256
d21ac98962de41dcc72c99e300f6fa950eb1ee27f0d80c351fc28c6667aeec64

SHA512
2887033ce6f0b30791c44db21a5ceaec1e207837ef643917bf638226229dd3c85bf8e653be20b5615652e5656be9a73f4a28d0ce3a8a845b7a252fd3fd93e3b2

Download Submit
C:\Users\Admin\Desktop\browser\TorBrowser\Data\Browser\profiles.ini
MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\browser\browser\chrome.manifest
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\browser\browser\omni.ja
MD5
9c804185751c533439d1b4b040fa1aea

SHA1
cf87d2cd611d8f813bbe893626a9ca02e5f567fe

SHA256
4dc914e8b8e36794550f38414d45a3147e354c0d09b1c68e3d81b09d159808b9

SHA512
af6728700781301a3f29c7f563a4fd26e099cc3d10c00bd110e3a459b7b83f58d03117781fb5219b1860e77fe7c46aa0b5d62a2a795c600d1f2bfec81d866beb

Download Submit
C:\Users\Admin\Desktop\browser\chrome.manifest
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\browser\defaults\pref\channel-prefs.js
MD5
c13b7ffae99396fdbcba2f8eb6c90826

SHA1
26cddfcf6ee1d7231749df6d86f3d82ce49cdd21

SHA256
f2d608eafcddee87986419d5f987490efcfbe83f53cb300a67ba28085f625e08

SHA512
a6ce770b66e08ac417c550a062aacec9f195d6347ed56a7686096a3f819f0eac31e59c61005233357cfb9ad82b038699c3426635a7c9c431604e43c5fe0b2a21

Download Submit
C:\Users\Admin\Desktop\browser\dependentlibs.list
MD5
f2986058d6ee186d6d446f817859c242

SHA1
7984a1afacbe080bae20371d8109936ee5fc0e33

SHA256
3b4bfc3e8cb35aef1b97d0d20860b85f6c7466e77fc5bc5a6ab9d7b741700e87

SHA512
99b47691154322146be0f9e6a542d0303c0e9ab9e783e611d7e4535cebcc1bb6dd632f8af9d89ff012e45406f701c7ce352704d09749d2cfbde5b8f708a8a045

Download Submit
C:\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
C:\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
C:\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
C:\Users\Admin\Desktop\browser\lgpllibs.dll
MD5
1ce12b7e17df910821934c0ca88e327e

SHA1
1c893ad79efc78ea0bc55a4e77e370aeb2b170a4

SHA256
a45423180152db88acb7aa2b3c4214a473a767ce575e1efbb4dcdf215538dea4

SHA512
1b27ad5534168ec5775ce0368185e6e44ef062be140b2cbc4fc7bdc1eb0fcb7f2c34a2820a93f91bb0a5616f63a1c5aca3be443ff54b699a0cc171db42db3a3f

Download Submit
C:\Users\Admin\Desktop\browser\mozglue.dll
MD5
c39597b497337ce44c85d532ae11e806

SHA1
0d974df8bb2b1f18b044031a74ba8f6c99c16a86

SHA256
6ac9cc7ab4bbc433583c37ae7d5f2501b643725bdd4b2c6d0ed24d95aa76c088

SHA512
2575486ddb8ed5180eeb22e878800d9372d9ec474a6e20034fed320b03258e063296ab2d3ab6f4301d82593d80b517e3145a7076b62be9529542b5565758546d

Download Submit
C:\Users\Admin\Desktop\browser\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Desktop\browser\nss3.dll
MD5
4f0a1859062c3bef38347c64d1269ac9

SHA1
339419554949249b34e823c84582856e41fe3d4b

SHA256
85c3d1920a5b8954fb123fb578442ac7ceb2dac24b167b715071c78f4898f580

SHA512
1aeebafb49b6c5be4d5b41b3d85eb000b1f3fdafc1b05cfebc61c4786c3c6698a651f1fff675e6731f4c2f1c0d8be19a6f194984ea0218ee1a3603260a3fa94d

Download Submit
C:\Users\Admin\Desktop\browser\omni.ja
MD5
1dc2c39a6a6f604193578b67c75ae667

SHA1
1e960b6eff7ca7192a52bf19638529335bd6b3f7

SHA256
8e5df882204d56aaca9fbdf4e21eeb8e7b473dea152a53256283504266d3107d

SHA512
ce4d25b40bd237149d3948ac774941abdc8b491baef58e7037a4c5befb028b6fb8dc5af6afcaba9309ccb8bee4bab3e70d0a32aa7cc220f2545d93fed97eaf6e

Download Submit
C:\Users\Admin\Desktop\browser\xul.dll
MD5
3e234c4dd915cc5fd54b1898da5a8154

SHA1
012f86d8955f5d57acef592e49af280a78627519

SHA256
aec295ca435ffc83c72eabbc4c9e59d030c28f8c724113e2d625f451433acdd1

SHA512
0a41e55da0a2a4d49d7f7eca76b13dc381cf64b7faf2dc09420c540db719e7323ee775e5a42c6e692c7f7f8bc354c7805440d5d59afd3e700ea1967be77ccfe3

Download Submit
\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
\Users\Admin\Desktop\browser\firefox.exe
MD5
40731fb4b78fc0d8ba2ab9852cb6ce0e

SHA1
7d3934873e378a090023a9b1a0f011fee523aec9

SHA256
764eff480ceb85a4e16661b406dcbe2e050e888406c310adb713ba2113eb988e

SHA512
8010064d5eb2c04d691a438928b591bd245076b677fe3e3a1c1ffaac851f9a8c429a8bfa0dd5f1b7784d29c9596cfd18e625a2b46025bfe5a2a302ae65cca178

Download Submit
\Users\Admin\Desktop\browser\lgpllibs.dll
MD5
1ce12b7e17df910821934c0ca88e327e

SHA1
1c893ad79efc78ea0bc55a4e77e370aeb2b170a4

SHA256
a45423180152db88acb7aa2b3c4214a473a767ce575e1efbb4dcdf215538dea4

SHA512
1b27ad5534168ec5775ce0368185e6e44ef062be140b2cbc4fc7bdc1eb0fcb7f2c34a2820a93f91bb0a5616f63a1c5aca3be443ff54b699a0cc171db42db3a3f

Download Submit
\Users\Admin\Desktop\browser\lgpllibs.dll
MD5
1ce12b7e17df910821934c0ca88e327e

SHA1
1c893ad79efc78ea0bc55a4e77e370aeb2b170a4

SHA256
a45423180152db88acb7aa2b3c4214a473a767ce575e1efbb4dcdf215538dea4

SHA512
1b27ad5534168ec5775ce0368185e6e44ef062be140b2cbc4fc7bdc1eb0fcb7f2c34a2820a93f91bb0a5616f63a1c5aca3be443ff54b699a0cc171db42db3a3f

Download Submit
\Users\Admin\Desktop\browser\mozglue.dll
MD5
c39597b497337ce44c85d532ae11e806

SHA1
0d974df8bb2b1f18b044031a74ba8f6c99c16a86

SHA256
6ac9cc7ab4bbc433583c37ae7d5f2501b643725bdd4b2c6d0ed24d95aa76c088

SHA512
2575486ddb8ed5180eeb22e878800d9372d9ec474a6e20034fed320b03258e063296ab2d3ab6f4301d82593d80b517e3145a7076b62be9529542b5565758546d

Download Submit
\Users\Admin\Desktop\browser\mozglue.dll
MD5
c39597b497337ce44c85d532ae11e806

SHA1
0d974df8bb2b1f18b044031a74ba8f6c99c16a86

SHA256
6ac9cc7ab4bbc433583c37ae7d5f2501b643725bdd4b2c6d0ed24d95aa76c088

SHA512
2575486ddb8ed5180eeb22e878800d9372d9ec474a6e20034fed320b03258e063296ab2d3ab6f4301d82593d80b517e3145a7076b62be9529542b5565758546d

Download Submit
\Users\Admin\Desktop\browser\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\Desktop\browser\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\Desktop\browser\nss3.dll
MD5
4f0a1859062c3bef38347c64d1269ac9

SHA1
339419554949249b34e823c84582856e41fe3d4b

SHA256
85c3d1920a5b8954fb123fb578442ac7ceb2dac24b167b715071c78f4898f580

SHA512
1aeebafb49b6c5be4d5b41b3d85eb000b1f3fdafc1b05cfebc61c4786c3c6698a651f1fff675e6731f4c2f1c0d8be19a6f194984ea0218ee1a3603260a3fa94d

Download Submit
\Users\Admin\Desktop\browser\nss3.dll
MD5
4f0a1859062c3bef38347c64d1269ac9

SHA1
339419554949249b34e823c84582856e41fe3d4b

SHA256
85c3d1920a5b8954fb123fb578442ac7ceb2dac24b167b715071c78f4898f580

SHA512
1aeebafb49b6c5be4d5b41b3d85eb000b1f3fdafc1b05cfebc61c4786c3c6698a651f1fff675e6731f4c2f1c0d8be19a6f194984ea0218ee1a3603260a3fa94d

Download Submit
\Users\Admin\Desktop\browser\xul.dll
MD5
3e234c4dd915cc5fd54b1898da5a8154

SHA1
012f86d8955f5d57acef592e49af280a78627519

SHA256
aec295ca435ffc83c72eabbc4c9e59d030c28f8c724113e2d625f451433acdd1

SHA512
0a41e55da0a2a4d49d7f7eca76b13dc381cf64b7faf2dc09420c540db719e7323ee775e5a42c6e692c7f7f8bc354c7805440d5d59afd3e700ea1967be77ccfe3

Download Submit
\Users\Admin\Desktop\browser\xul.dll
MD5
3e234c4dd915cc5fd54b1898da5a8154

SHA1
012f86d8955f5d57acef592e49af280a78627519

SHA256
aec295ca435ffc83c72eabbc4c9e59d030c28f8c724113e2d625f451433acdd1

SHA512
0a41e55da0a2a4d49d7f7eca76b13dc381cf64b7faf2dc09420c540db719e7323ee775e5a42c6e692c7f7f8bc354c7805440d5d59afd3e700ea1967be77ccfe3

Download Submit
memory/1236-57-0x0000000000000000-mapping.dmp

Download
memory/1552-55-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/1552-56-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1832-139-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1832-138-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2000-99-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-115-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-93-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-94-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-95-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-90-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-96-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-98-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-97-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-91-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-100-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-101-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-102-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-103-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-104-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-105-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-106-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-107-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-108-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-109-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-110-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-111-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-112-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-113-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-114-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-92-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-116-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-117-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-118-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-119-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-120-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-121-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-122-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-123-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-124-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-126-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-125-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-127-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-128-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-129-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-130-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-131-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-132-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-133-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-89-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-88-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-87-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-86-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-85-0x000000000CA20000-0x000000000CA30000-memory.dmp

Filesize
64KB

Download
memory/2000-69-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2000-68-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2000-61-0x0000000000000000-mapping.dmp

Download