vidar | hxxps://www[.]dropbox[.]com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1[.]13%20%2B%20Zafiro%20EA%20FTMO%20v1[.]13[.]zip?dl=0

max time kernel
51s
max time network
194s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0

Score

10^/10

vidar 2ca19830ec2c67b5159166c89d3ebb74 stealer

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

2ca19830ec2c67b5159166c89d3ebb74

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
2ca19830ec2c67b5159166c89d3ebb74
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
432	300	WerFault.exe	74

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	chrome.exe
2000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1720	2000	chrome.exe	28
PID 2000 wrote to memory of 1720	2000	chrome.exe	28
PID 2000 wrote to memory of 1720	2000	chrome.exe	28
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1388	2000	chrome.exe	30
PID 2000 wrote to memory of 1780	2000	chrome.exe	31
PID 2000 wrote to memory of 1780	2000	chrome.exe	31
PID 2000 wrote to memory of 1780	2000	chrome.exe	31
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32
PID 2000 wrote to memory of 1132	2000	chrome.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f29758,0x7fef6f29768,0x7fef6f29778
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1240 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:2
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1684 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3716 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3912 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4508 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1216,i,10286525243905684780,16478566971300002899,131072 /prefetch:8
  2⤵
  PID:2632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1200

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2312

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2320

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2336

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2352

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2368

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2088

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2440

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1924

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2280

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2380

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2256

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2388

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2412

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2416

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2588

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2532

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2432

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2024

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2396

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2484

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2980

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3032

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:536

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2684

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2708

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2680

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2736

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2740

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:980

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 1348
  2⤵
  - Program crash
  PID:432

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:316

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87b94921fa7177a3e4ac32488920f2ad

SHA1
1769f59ecf96242acd00b71839d7136bae37c562

SHA256
250e2a8a75690da5da2a7bbe89bbdf5a83d2f8fe627d16f916d9f6714120386b

SHA512
ece8fa00747d7daaaab7928ef863bad623c533a8f71dafe2e73ca766b89ef99c3b195d2070e7433a838c113f7d2ed49f15c35a0f4b27287967996354480e9b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0245eea1155f3ac1e5eb93fc0fdd0c09

SHA1
9e33fdd903d66f1f74d1b1c66464892f0f492c59

SHA256
ebf5300b25291d41217e7ed4f3147cfcde89002da0ab71d1df90da04eeeb929a

SHA512
98ccb33bca360e1fb4db254cb3c44c6c4abe2b6e7636e83c6ef80b98a393441ccb80e3c14fe98a7428334d5ea9090ec909ea382b514360160ad75c2ef92255c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d5593c1b3c86d1e008bc3b2e3f83eda3

SHA1
db6f31636ab577d9fba74bd045ff5a5a1b4fe565

SHA256
ab9e2dcfa54294798fdb11fabb47e183c401fadb4fc389fde26c33b9f1473dce

SHA512
a2cf3d9ea782703ca1c913505e99e873f4d8f3e31f46b445e59eb3537bd7a0318f3c09b6f93e401ce946709eb7a8a43ca98d574448d94dd983f65d0ea668fcdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4e67b6d1-3b58-48bf-92fd-9a58f1600e9a.tmp

Filesize
4KB

MD5
b7f0c2fd44016c749ba6895d9546b416

SHA1
e507c1ce59522f36d3bc6ab177edf76adb631a45

SHA256
6ee6a5d606bc6e6095b81d346a3c84a627afa42fbbffb804bc76664f0d7c19bd

SHA512
189e0593c0446a06589c6ab89ac82ac370f5c9060141d1aada11851689655fef24bd42e1a3efe02b348edb4e9da2dbfdbaa58fda7ed02be8ee806956700e6074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
718f87af5943751da889b51030d5180b

SHA1
f0a6d75be7e8b6411c22eb6e0ec9d28672208de9

SHA256
429a66323847e6af0208b6584cf122748047b9ecacc4fd63dbfc61f648533564

SHA512
a3b3096649d7b3e567c1342db34101a2ca8b39521563bab2b4cf31e2cc4ebde8e9202d69cb2eaaa087b7853177aed1c35743c98251db0bb8939958c642ba3ab5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.dropbox.com_0.indexeddb.leveldb\CURRENT~RF6c3ed5.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
02f3cebb26d15d736f9cad6036ec92e5

SHA1
890eeab8575bae5e47195c1194d030c42bff91cb

SHA256
2564284bb4e37799205c50e94463c20d8e16719b7035b02c487f1373f621ef75

SHA512
cf40426ffefb2466fe8e2042ca3c0fc4a6cac88a6dbb5db588cb53cd6811909991163d4b542697125b58e76101985ecdf34e77e160c585649ba3144d366eb26e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2823ec983b180f0b8ca35b1da95486d9

SHA1
0dbf06304afa067804413dc851313d0cdb8afece

SHA256
3bfc888a77c69f9e4dafe3953260c65d58ebe4b4efd97f81fecac8cc6a087894

SHA512
023f0df549818a51ca46144f81c14251188175e68799a7f0572431a60d2a2fd0b21cd5155dc5047b3812c69f73706a15f44ede8abd60bc264779810288065614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
852B

MD5
0de7ef08b8166895f0f9c7c226c666ad

SHA1
80234a5100ad2224be34fcd63b9a87956104e11a

SHA256
5586a5be467e1d75495ddf139475230e6186ec878c81f04e8970a97dd7171047

SHA512
b5896de091b1872071ebd1b349117178a7702940a037889a59bfad221bc64fa5e7a878d719d302ca5b1af03ad4160823d8333684c20d5633d636e018f4f27c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1382cb4b62520469df45c65611ded1f6

SHA1
da3c0232452503beb9ba4995953d63050cfad5cc

SHA256
5dff64a8f21306bcaade93e84b132216f6baaa44fba9638a77eadf31bfcefe6e

SHA512
4fcffec01ab5e9fb2a24f0a69929e36191dbb3d3a879a29c76eecb6043d2c1b5270b1d80931079bde5046d48b35507655a028c955d3683c0c0a0f36e68e1ffb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
329d39cf45d961a7e3d1e1da417dce65

SHA1
e0098afbd3e210ba89642c9350ae2d56804cee20

SHA256
51113a85e81e2687efd8ea1d02f9e0824fd66cf1b804bcf2fe41cc9d125632e3

SHA512
82fe219f4ae795d7aa90e3a41afe979462afdf54d259077ff61ac6d3f7892534b6309fa33b34150e03ed8e9a5b9ac1e7a10e405d25feccce7a4b98060282a68a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2e245afa0d3dcc7098dbb7ef33626b49

SHA1
eb941e3f4af1c1f411af027b86826cffb54327b7

SHA256
521effef418a43c3b48b658791422c1baa36d61e7c28316eea5f376d17dcb23a

SHA512
0b1fe9e5f7cb8f75eb6492562efca20f91d77290c0de70111efe0c4b8b1ac210cba23fa06e1d61fbf25413e20153249ea00fe659d1174a40409b4c6f0b06d141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
33513245edd7fb3bcbccf39ebd117446

SHA1
7f904e87751c97e5e5685e14db873357e071e81a

SHA256
761dc6a39f920ea30dae2f24d37b55619fe4b2b98a3831a367e9e799f87134e5

SHA512
b1d97ff6ae18aaeb11d32ec1bc5da85a21907f494d19b5a643d3cb18aa9fc10ecafa0050f646c6c19141667d39be56aa9c0e4cde4d8dd38bde0e9d8944f2af9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a5c768604aea6d2cca7a2617e9c830a3

SHA1
4a48031b2a3221b3bf9d680da9aab1007e646e82

SHA256
4f5525e9cf4ca346a7c710d29249552b7fe885b747dd067abe41795ba8e42dc1

SHA512
2b37e83bf4c0e6c2dbc7a97642cb16b8bd99bdb1ecde9e52c6d0b446e70b2265cfd3271bc9bd1d8429a368d04f9dd316f70b3d46d3561e501a9367eb29c08f24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
de7b8acb88e595b536da4bfb00a68999

SHA1
838608c33b0a28beff7238818dcfb1d3629db9fb

SHA256
6bcb90824c83535d2f4e8528cb6e36d3b9b76d81178c94e57fd0b99645a82992

SHA512
56ca10978705fe6c35000d4c57aff72681c7eff90adf2332363d360b2fb53e9aa1627dad51c2f4a1b7a4ee2185b977f914f04228a81a4f4f373f204b569de97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43AD.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\Downloads\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip.crdownload

Filesize
7.9MB

MD5
a0638548ba0b039ef86cab79b7d6a925

SHA1
e6b84bc5eaf1e7a505e2bd34536e3cd491422a15

SHA256
a063e4a346ef47f4c739515e005fe1bb2d3f887e093408775f0479c29c5bfbea

SHA512
e863f8b4a20e5cb7f91d33b41ca1356e2fcf3bca50b252a23902a208284b5c5c05e65b7f1977220766ae7440944f908b156f58edf4b6354ebffcb192fbee17e5

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1924-550-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2024-570-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2088-444-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2256-559-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2280-553-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2312-422-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2312-506-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2320-424-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2336-430-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2352-428-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2368-429-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2380-561-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2388-556-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2412-568-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2416-574-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2432-575-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2440-447-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2532-565-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download
memory/2588-573-0x0000000001210000-0x0000000001961000-memory.dmp

Filesize
7.3MB

Download