vidar | hxxps://mega[.]nz/file/n7hgFbTB#0P3vn58q-WXoc-En6zZ5Y8Lolmqfrjf5JPhUOLGT-j4

Analysis

max time kernel
185s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/n7hgFbTB#0P3vn58q-WXoc-En6zZ5Y8Lolmqfrjf5JPhUOLGT-j4

Score

10^/10

vidar c0f701b124b29a9e188f7796b890e60b stealer

Malware Config

Extracted

Family

vidar

Version

7.9

Botnet

c0f701b124b29a9e188f7796b890e60b

https://49.13.32.193

https://t.me/hypergog

https://steamcommunity.com/profiles/76561199642171824

Attributes

profile_id_v2
c0f701b124b29a9e188f7796b890e60b
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/2660-1333-0x0000000000410000-0x0000000000B58000-memory.dmp	family_vidar_v7
behavioral1/memory/2660-1364-0x0000000000410000-0x0000000000B58000-memory.dmp	family_vidar_v7
behavioral1/memory/2660-1387-0x0000000000410000-0x0000000000B58000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 5 IoCs

pid	Process
904	Full_Activate_Setup.exe
4556	Full_Activate_Setup.exe
1264	Full_Activate_Setup.exe
1972	Full_Activate_Setup.exe
864	Full_Activate_Setup.exe

Loads dropped DLL 8 IoCs

pid	Process
1972	Full_Activate_Setup.exe
1972	Full_Activate_Setup.exe
1972	Full_Activate_Setup.exe
2660	PsExec.exe
864	Full_Activate_Setup.exe
864	Full_Activate_Setup.exe
864	Full_Activate_Setup.exe
864	Full_Activate_Setup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 4196	1972	Full_Activate_Setup.exe	118
PID 864 set thread context of 400	864	Full_Activate_Setup.exe	122

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	2660	WerFault.exe	120

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Full_Activate_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	Full_Activate_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Full_Activate_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	Full_Activate_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Full_Activate_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	Full_Activate_Setup.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1824	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
4560	chrome.exe
4560	chrome.exe
1972	Full_Activate_Setup.exe
1972	Full_Activate_Setup.exe
4196	cmd.exe
4196	cmd.exe
864	Full_Activate_Setup.exe
864	Full_Activate_Setup.exe
400	cmd.exe
400	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
452	7zFM.exe
2900	7zFM.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1972	Full_Activate_Setup.exe
4196	cmd.exe
864	Full_Activate_Setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: 33	1136	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1136	AUDIODG.EXE
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeRestorePrivilege	452	7zFM.exe
Token: 35	452	7zFM.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
452	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
2900	7zFM.exe
5056	7zG.exe
1304	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1920	1304	chrome.exe	23
PID 1304 wrote to memory of 1920	1304	chrome.exe	23
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 4988	1304	chrome.exe	88
PID 1304 wrote to memory of 2464	1304	chrome.exe	89
PID 1304 wrote to memory of 2464	1304	chrome.exe	89
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90
PID 1304 wrote to memory of 4420	1304	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/n7hgFbTB#0P3vn58q-WXoc-En6zZ5Y8Lolmqfrjf5JPhUOLGT-j4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5d789758,0x7ffe5d789768,0x7ffe5d789778
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5092 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4172 --field-trial-handle=1892,i,8941829688625536303,15453103695214462787,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3468

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4560

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_!Files-PAsw0rds__5656.zip\Setup-FIles-Here\@Files-PAsswrds__5656.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:452

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_!Files-PAsw0rds__5656.zip\Setup-FIles-Here\@Files-PAsswrds__5656.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2900
- C:\Users\Admin\AppData\Local\Temp\7zO45BD0F08\Full_Activate_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO45BD0F08\Full_Activate_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:904
- C:\Users\Admin\AppData\Local\Temp\7zO45B074A8\Full_Activate_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO45B074A8\Full_Activate_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:4556
- C:\Users\Admin\AppData\Local\Temp\7zO45B3AC98\Full_Activate_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO45B3AC98\Full_Activate_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:1264

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\" -an -ai#7zMap16306:182:7zEvent3263
1⤵
- Suspicious use of FindShellTrayWindow
PID:5056

C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\Full_Activate_Setup.exe
"C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\Full_Activate_Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    3⤵
    - Loads dropped DLL
    PID:2660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 2056
      4⤵
      Program crash
      PID:1892

C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\Full_Activate_Setup.exe
"C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\Full_Activate_Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    C:\Users\Admin\AppData\Local\Temp\PsExec.exe
    3⤵
    PID:4940

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\rhizome.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2660 -ip 2660
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
428d073a0655085723b3d8a590d430ae

SHA1
aa3a6b2adbdb572816a942e2e6db90b1b92e5307

SHA256
63a4bc8b51e61f9aec1f796cbaf95ad9cb9018171ed0b401a13ea92131e2810e

SHA512
6a73c3dc3b2dc3e12e48d157975b77851ad2a71e8ca430205658557f5471c8dbd6bd675020439160b17f87e4836170ae5996260eaef0088f38ea2f8352d66f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e7d83352c22d540aff76b11bf1d9e13c

SHA1
620922a22b4f1a7facc17d0f5b150a7890ce4556

SHA256
65fa4e3b73b886b7d7e9163771c31ea48ad3cee0b5d2c1ebb095b945ed10a084

SHA512
f2d3a37f8e5c65e3e0af6a33aeb54a272d5f80f88756196636c78b258383469a4b327e7be0e663e78dbd7e7577682886b47c5818ee785e0c34dafc94b9d1ba2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
0e3bd727cec9e9be5f8450f072d41056

SHA1
56f0e95709d8d90169736b07265e900e6f70d6d4

SHA256
c9e154f8e32631ae8e9ec8413fa2e0aa7cba33b0b2cf09b23c74182cc514d808

SHA512
1aa28dc73e20c906854bb8d282147628daf78b994514fbb6a81eba1c02a201e0f36e65722dee474705dc85f7eba9b4ce554576f42e00488e2d0f4bcfc084f06a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d25b32e99104052bec8af810cbf8d0f

SHA1
8402c95797fa9a922f314e2b244c592a03956cd1

SHA256
51f8dd9700c7ef926d753fd65e234b30166026cb76dac3f4045eb9c322f868db

SHA512
7e9d6b097c2236bd21b1cbf19832f1b778955d45b666829c14f49b999812ab23b17db11bddc1d7de7c4082377eb7cedac7ec17a47e441ba82b45ec82fadf3d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
26a5beacff7b12b40595751157857e03

SHA1
5c6bc840100c4f9a177f599cc6d6b3bfefc749e9

SHA256
9406492850acab2ff7a4ac66e43a3e6bd06f2ec50e3b34dac36588663be507c2

SHA512
51e85f3600ce13367a157661eed7c7089133a5212090e38cc0ee0768643d04d1124674933c4e33f7bb2cb30f58a7245c679fad538bc42274c09a03473de61f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
57b9b4585ba2044880371d6e8b26a3ca

SHA1
02bb3874d959f96f566e534bebcd3a79e632b26d

SHA256
58c01c9250da0fa73d013c7647711c2121630b7f2d4202fd18a7ecde0d4527fa

SHA512
4e69aaac03115853e1cfc82292b6ecc41dd9fbdbb20be4d84b9d72715532278df88e46fc4897e3c0696a3817c1818ba5b2fed83c9ab9ee25fdb513ccabab5d76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
74bf8efeb3df520e8595574dab612c4e

SHA1
e889737740a2927d197ef609e4584148b7f0558b

SHA256
7ec923cf87bca243196867b93db46dc677ac51174229bd569cc5eb142cb00f5b

SHA512
9bcc77965c29a5ef45f933aad17bf0daa5988020939e3eba20e92653945d3eeb28b5c6328c6e2873caa37d1444faa2b02b975392b090fed32f3fc1a90ac59a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c4d6.TMP

Filesize
48B

MD5
cb920fb0fc09adc172ae4732b3cde6c3

SHA1
1e655a5ff46bed81e051ec760c16c906992bb5a3

SHA256
bca79cff0a870a94b2a77fd2b084fcc2378bb20bcd5ee29535bc901ec9bf55ef

SHA512
ddff1a5efcac7d0001f8fab23302a08ed7d617568ed34ad15541e66e6a11b59722b36a284a37a37d95820903345891dd6276d108a10995f36f98610bd56c84fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
a380bd170b423ad2a4c5d4794a34fbb1

SHA1
aeceefbcfac963f715dadb5ddee1a27c261d72ce

SHA256
8d5934046d302b1756d7f990119add2510ebcc00d04224794b88fa41a01d7ee7

SHA512
a4da355df3e45ee75d6892c8540d20c81765d7b9186f5263924f5b296cece6cb45f447fc267f6443e540469f581525ce05f6fc1722cd48f7fb60af263069a2c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
bb8f15651d844ad0c7827ffab4321c6f

SHA1
8ba250ca762bde24d8313437b3e7775e923985f7

SHA256
3d696b161eb4a2467446ab6ab302d950ec1657a50af81f516116f8c8222bfffe

SHA512
cc1874b2ad0c093605a353fcfb1083662186f1fdccc6ba91a6dba50b1c9da4acd5ef0adccd39530f3ad36973888e485aa3d3eb415d8c004cad87151280420a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
4f56c59793656543f42fc2d2755bdd1d

SHA1
51ee5313d718ccd8f3a38a10d209cae1258cc917

SHA256
fc459dc72fac41ee84e59040847f5d565cc887398c20e0e98b2e3d8c8f459f0a

SHA512
bc07504a637d7631e4e13df9951cf51ed843dbdddb724faff4c6ee403f10244e411041a44d18d11c54a0e1d35a6beec2a9693b9a5524f8c1737c07a036399a66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e08c.TMP

Filesize
97KB

MD5
b2e24ea40f59a7c92da86f2ec9504f52

SHA1
94fb5702240b8a9c8f4b6ae0cbad66fe8d3d1c30

SHA256
bf9a9657e40681e8303bd524f3e7a73bc104192b75f56972c52b8e7201274a7b

SHA512
3350a9be69d52e79a54e5f72d59922cd1bbbbb696c5fdc5686335fcbc7122c3e6c3a630b8853c246758fbb3d0eaf3209fd26eece9dc3f705c2cb8e19bed7aebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
de117376e31bcc11b13c01e6ffddc025

SHA1
8465b28a5202890f3ba1ec75b9c8b54d1828bd0e

SHA256
d342e1aa2fb74dbed9c218727f198c3f7910db048f8acc369d31b4a46a1d9579

SHA512
e631db9e299f628f3642c04f8395765e0712ef61ad30c5a913af46be3ae1acd9de75236392e6e0c6164c2b25cb847e26c1e1e132e6f2536a42897e56d8684d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\61444198

Filesize
6.5MB

MD5
49f0e562777bbc3648aa0e44060913e6

SHA1
4af8442a236f7b7f885ce90cd903c65304aab770

SHA256
cfcc8bff1a428398f703bd58b9040996f287ba0f1018b58ece6bc16cecbbb3d0

SHA512
c715be6b937cf4814621428b1ded6827bc6dd858dad3a781bca960b0433824f19c31c0863383a924a6787f998cc285326e6fb9ba13b82e9dedc059a2b2b0d4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\753ae568

Filesize
6.5MB

MD5
9907f92b91530f98a73183f2229e27be

SHA1
248d86699048b34462e86b3b72e0c009afbaf292

SHA256
15c5a3cea92ee8772fb0d3d357de8801439d987d510faf557d596b4f7ef19fbe

SHA512
270b93d2341f7c6099337b4b0e009bff7b40f313c4e4ff054b946bdead34fa9706f313c573fa5b6cee8453d41521ae7a36bb46fb9038f130a6a0e95c38170e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE45B45268\info\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO45BD0F08\Full_Activate_Setup.exe

Filesize
202KB

MD5
64179e64675e822559cac6652298bdfc

SHA1
cceed3b2441146762512918af7bf7f89fb055583

SHA256
c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

SHA512
ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsExec.exe

Filesize
699KB

MD5
24a648a48741b1ac809e47b9543c6f12

SHA1
3e2272b916da4be3c120d17490423230ab62c174

SHA256
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

SHA512
b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

Download Submit
C:\Users\Admin\AppData\Roaming\WerEnc\WCLDll.dll

Filesize
590KB

MD5
9005812bebfcc98db95def5b1c9b96f0

SHA1
d85f085c59fe8cca75352399ebc8510e2799bf68

SHA256
8acf6eea851ccd43a33eee9840794b9944eed61e5be0a7c403b79d3baa48940c

SHA512
c25c4eaef2d40d5294fcd2b15f3065cb3c6cad19cc5c32da4a81b20d99023dbfcccfa5fbc2d79f45892f7d858c04d956f1734d0359054fae9e609a5d604ab0b1

Download Submit
C:\Users\Admin\AppData\Roaming\WerEnc\ptMgr.dll

Filesize
2.2MB

MD5
c33bfc7cb32a61340f12ed1f6fabb9d7

SHA1
1762e50a09fa14435d03b1e45d00d11260c5794c

SHA256
87019efb5713fe078e4a3d2e0b2090deeec91b07ba60421a5fc47d0385e5fbf1

SHA512
370d5c99dc35b7b1d26fb71b09d1c53cb6eb39a32dc4b6ff05679ee00090a5b5caf72a58c22f83f5636712a8e18853a75ece753d9492e35edf11bee0cfc6a7e3

Download Submit
C:\Users\Admin\AppData\Roaming\WerEnc\ptMgr.dll

Filesize
2.5MB

MD5
2087eb2d3fb639933ebe0a0614fd5218

SHA1
c1a1b75c8e76e000b7045092bd11100904a72840

SHA256
725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f

SHA512
3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e

Download Submit
C:\Users\Admin\AppData\Roaming\WerEnc\teazel.aspx

Filesize
2.2MB

MD5
4783db799e6e833643a76bc21742d0e3

SHA1
2fcee6ddfcda36f239e6ee9e9685c60df17c537d

SHA256
936c7329ed9b0daa3fefdda5398e79aab468cae13c2430b049157f502f2f58d9

SHA512
b865ab7a156d0e40142e88bcf73dd214c76dfc89d8515c97dfd765449727df8178524368b28d1c9dcfb8a7e18e49e956c0cfa4bdfa13b311b02b1072d76fc144

Download Submit
C:\Users\Admin\AppData\Roaming\WerEnc\teazel.aspx

Filesize
3.6MB

MD5
2f5621ee9ba2b49ad90f0675592b83ff

SHA1
7b80068755495f5c1ea4f0582988c5416c6b14d3

SHA256
dec14c88c4f59e6804813c29594d19a26c99d03c2d3b57332833a09dee3d531c

SHA512
912f7deb4222c8399467fa13ea13c3622ab506cec8b8b6621b5048a6d77b7d792c7efde10fb21a7969212ca5bf4f8a1ac06c5ea21b9b4f69b52e7abb9743ad5a

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656.zip

Filesize
128KB

MD5
e3bdda286c3c9cba60ed93067307f72c

SHA1
5d5e43c6bc30b09885106c5387f0a904779546ee

SHA256
11643f218cc9eb561cfe885ffa7d5689b5ad392ff8aef5868e1cdc2e71588296

SHA512
dba0c75101e1401e2ac2f52fcd5ed88453fd1fd9e184fb040bbd86bb18ca08e806d1c90ff766974d854d4e4d9fbc3e5075077c6a0c03ddfa946666e29efc3ba9

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\MSVCP140.dll

Filesize
427KB

MD5
71a0aa2d05e9174cefd568347bd9c70f

SHA1
cb9247a0fa59e47f72df7d1752424b33a903bbb2

SHA256
fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

SHA512
6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\VCRUNTIME140.dll

Filesize
81KB

MD5
16b26bc43943531d7d7e379632ed4e63

SHA1
565287de39649e59e653a3612478c2186096d70a

SHA256
346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

SHA512
b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\ptMgr.dll

Filesize
2.3MB

MD5
fe7209112b6bcc78e907ae6877bb7c2b

SHA1
fd074c8791674fb278784b6d3e9782686475f97f

SHA256
ec1c55761ba9a87ed6572c51e95da29da308c5d826f2ded89462f9336efaf13d

SHA512
b47fbd19c89cbd32f0977b9fe9197703645878380f5c91682e07012e4980c37cfe6e95481c2fc682c7ff6ad36be7e5770f68956f2c8430d1007a8e1a9bbfced3

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\ptusredt.dll

Filesize
165KB

MD5
3c3e960d59cb413791fee1e944b6df72

SHA1
4aa6c90d81692642ca8266bf0d8e249ff3e3ad54

SHA256
88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67

SHA512
85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\rhizome.xlsx

Filesize
80KB

MD5
328ca2ae719d671a5c0011d1acc1131c

SHA1
afe1f91087eaabbea068071345bfed64acfbc3f3

SHA256
0acb3f17267b9b0f325fd410c8b0310d0f57a0328e87c626dfcf9c58d6523050

SHA512
29ad6c9a2df9debba43a01d4cc11216e517d9d5efa8099a6add993fad94e77acb6f3abe24c8f3de1c7744724f01039155a58ab5b6d5cadbecb077757d6e20bc6

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\teazel.aspx

Filesize
6.0MB

MD5
8f3851caabd351e02bc83fa990d79fc3

SHA1
6325c07463b95897d63e80a3cb8668a08363ed18

SHA256
552ebce8ae6ea65c761ce8bb3690d4f7625f1044ae1524a38682cc438c14a542

SHA512
b682f24fc1be6a6047c38ce4f8d5301cca19617e3efca47adffe7f0c43c9f25df8da60d08946b8f9e5a25b835a76d64aaeab18621f61be624913c968e741777a

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__5656\Setup-FIles-Here\wbxtrace.dll

Filesize
103KB

MD5
8f74dbff3b47109a88a809fce56fd4a6

SHA1
761d60ffde15609e57dcc8b5c294bb1de1f2cee6

SHA256
813f7cbfb2accf6b1dc34d3855e0adefad488d21306e2872b25e8c21b0e8e65d

SHA512
ad7f5ec733398b15be6bfb9e1d506c2ebff81951f4ceac3798541835def6b93f40ef0b85f261272221faf2d74bec8c6c42ef96803de63c43daa55d8c6ea64b57

Download Submit
memory/400-1386-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/864-1357-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/864-1360-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/864-1340-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/864-1339-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/1824-1370-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1380-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1406-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1405-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1402-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1403-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1404-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1383-0x00007FFE25870000-0x00007FFE25880000-memory.dmp

Filesize
64KB

Download
memory/1824-1381-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1382-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1377-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1363-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1379-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1365-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1366-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1367-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1369-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1378-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1371-0x00007FFE27A70000-0x00007FFE27A80000-memory.dmp

Filesize
64KB

Download
memory/1824-1368-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1372-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1373-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1374-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1376-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1824-1375-0x00007FFE25870000-0x00007FFE25880000-memory.dmp

Filesize
64KB

Download
memory/1972-1219-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/1972-1220-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/1972-1207-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1972-1206-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/2660-1333-0x0000000000410000-0x0000000000B58000-memory.dmp

Filesize
7.3MB

Download
memory/2660-1364-0x0000000000410000-0x0000000000B58000-memory.dmp

Filesize
7.3MB

Download
memory/2660-1332-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2660-1359-0x0000000000280000-0x0000000000353000-memory.dmp

Filesize
844KB

Download
memory/2660-1387-0x0000000000410000-0x0000000000B58000-memory.dmp

Filesize
7.3MB

Download
memory/4196-1222-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/4196-1325-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/4196-1326-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/4196-1329-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/4196-1227-0x00007FFE679F0000-0x00007FFE67BE5000-memory.dmp

Filesize
2.0MB

Download