Malware Analysis Report

2024-11-16 13:46

Sample ID 240628-sb53fsxgnj
Target !!fUlLSetup_22334_P@ssKeys!!.zip
SHA256 8506cac9dd95d8779ddbfe185f0f81d0357223724ea4ad8fadeb136c01a82ef8
Tags stealc vidar stealer discovery spyware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 8506cac9dd95d8779ddbfe185f0f81d0357223724ea4ad8fadeb136c01a82ef8

Threat Level: Known bad

The file !!fUlLSetup_22334_P@ssKeys!!.zip was found to be: Known bad.

Summary of the three detonations (the static pass recorded no signatures): the archive's Setup.exe starts the signed Windows utility more.com and injects into it with the SetThreadContext plus repeated WriteProcessMemory pattern typical of process hollowing (MapViewOfSection activity is recorded in both processes). more.com then launches a dropped file, C:\Users\Admin\AppData\Local\Temp\VIDA.au3, and writes into it; the .au3 extension normally denotes an AutoIt script, but the file is executed here as a process image. On Windows 10 and 11 that process loads a dropped DLL, performs host discovery (the Geo\Nation locale value, ProcessorNameString, installed software, physical drives), reads FTP client data files, issues DNS queries for t.me (and on Windows 11 also steamcommunity.com and tea.arpdabl.org), a lookup pattern consistent with Vidar's documented use of Telegram and Steam Community pages as dead-drop resolvers for its C2 address, and finally spawns cmd.exe to wait 10 seconds with timeout.exe, delete VIDA.au3 and remove a working directory under C:\ProgramData with a random 12-letter upper-case name. No TCP session is recorded in either run. On Windows 7 VIDA.au3 (PID 2660) crashes and is handed to WerFault.exe before any network activity.

Two dropped artifacts are identical across all three runs and make good file indicators: the temp file written as 8896f4a0, cf1d5b24 and d3ab184d (SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2) and VIDA.au3 itself (SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d). The second temp file (8b2be16a, d1c0f6a4, d62f3fad) has a different hash in each run and is not a stable indicator.

Malicious Activity Summary

stealc vidar stealer discovery spyware

Vidar

Detect Vidar Stealer

Stealc

Reads data files stored by FTP clients

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-28 14:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-28 14:58
Reported 2024-06-28 15:01
Platform win7-20240220-en
Max time kernel 141s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer (stealer): 3 matches; no description, indicator, process or target recorded.

Stealc (stealer, stealc)

Vidar (stealer, vidar)

Suspicious use of SetThreadContext
  Description: PID 2916 set thread context of 2492
  Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
  Target: C:\Windows\SysWOW64\more.com

Program crash
  Process: C:\Windows\SysWOW64\WerFault.exe
  Target: C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Suspicious behavior: MapViewOfSection
  Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
  Process: C:\Windows\SysWOW64\more.com

Suspicious use of WriteProcessMemory (16 events)
  PID 2916 wrote to memory of 2492, 5 events
    Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
    Target: C:\Windows\SysWOW64\more.com
  PID 2492 wrote to memory of 2660, 7 events
    Process: C:\Windows\SysWOW64\more.com
    Target: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
  PID 2660 wrote to memory of 2396, 4 events
    Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
    Target: C:\Windows\SysWOW64\WerFault.exe
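The injection chain in the tables above can be recovered mechanically from the Description/Process/Target rows. The following Python is an added example, not part of this report or of the sandbox's own tooling: it parses rows shaped like the ones above (constructed here from the behavioral1 run, with the same event multiplicity), rebuilds the parent-to-child write graph, and flags the pair that shows both SetThreadContext and WriteProcessMemory against a child running from a Windows system directory. The _SYSTEM_DIRS prefixes and the requirement for both calls are the example's own heuristics, not something the report states.

```python
"""Rebuild the process-injection chain from sandbox signature rows.

Added example, not part of the sandbox report. It consumes rows shaped like the
report's "Suspicious use of WriteProcessMemory" and "SetThreadContext" tables
and flags the parent/child pair that shows both calls against a child running
from a Windows system directory.
"""
import re
from collections import defaultdict

# Image paths from the behavioral1 run (constructed sample input, copied from the report).
SETUP = r"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe"
MORE = r"C:\Windows\SysWOW64\more.com"
VIDA = r"C:\Users\Admin\AppData\Local\Temp\VIDA.au3"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# (Description, Process, Target) rows with the same multiplicity as the report.
ROWS = (
    [("PID 2916 set thread context of 2492", SETUP, MORE)]
    + [("PID 2916 wrote to memory of 2492", SETUP, MORE)] * 5
    + [("PID 2492 wrote to memory of 2660", MORE, VIDA)] * 7
    + [("PID 2660 wrote to memory of 2396", VIDA, WERFAULT)] * 4
)

_ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
# Assumption: these prefixes define "system binary" for the hollowing heuristic.
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(rows):
    """Return (images, edges): pid -> image path, and (src, dst) -> {action: count}."""
    images = {}
    edges = defaultdict(lambda: defaultdict(int))
    for desc, proc, target in rows:
        m = _ROW_RE.match(desc)
        if not m:
            continue
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        images[src], images[dst] = proc, target
        edges[(src, dst)][action] += 1
    return images, edges


def is_system_image(path):
    return path.lower().startswith(_SYSTEM_DIRS)


def find_hollowing(rows):
    """Pairs where the parent both wrote into and set the thread context of a
    child whose image lives in a Windows system directory (Setup.exe -> more.com)."""
    images, edges = parse_rows(rows)
    hits = []
    for (src, dst), actions in edges.items():
        if ("wrote to memory of" in actions and "set thread context of" in actions
                and is_system_image(images[dst])):
            hits.append({
                "parent_pid": src, "parent": images[src],
                "child_pid": dst, "child": images[dst],
                "writes": actions["wrote to memory of"],
            })
    return hits


def injection_chain(rows, root_pid):
    """Follow write edges from root_pid; return image basenames in order."""
    images, edges = parse_rows(rows)
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, pid, seen = [], root_pid, set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(images.get(pid, str(pid)).rsplit("\\", 1)[-1])
        pid = children[pid][0] if children[pid] else None
    return chain


if __name__ == "__main__":
    print(" -> ".join(injection_chain(ROWS, 2916)))
    for hit in find_hollowing(ROWS):
        print(f"hollowing: {hit['parent']} (PID {hit['parent_pid']}) -> "
              f"{hit['child']} (PID {hit['child_pid']}), {hit['writes']} writes")
```

Requiring both calls matters. The report also records writes from VIDA.au3 into WerFault.exe here, and in the Windows 10/11 runs from cmd.exe into timeout.exe; those are a crashing process handing off to Windows Error Reporting and a parent populating a freshly created child, and neither carries a SetThreadContext event, so neither is flagged. For PID 2916 the chain function returns Setup.exe, more.com, VIDA.au3, WerFault.exe.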

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe (PID 2916)
  "C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com (PID 2492)
  C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3 (PID 2660)
  C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\SysWOW64\WerFault.exe (PID 2396)
  C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 148
  (Windows Error Reporting for a crashed process; -p 2660 is the PID of VIDA.au3, so the payload faulted on Windows 7 and the chain ended here without the cleanup step seen on Windows 10 and 11.)

Network

N/A (no DNS or TCP activity recorded in the 124 s network window; VIDA.au3 crashed on this platform before reaching out)

Files

memory/2916-0-0x0000000000210000-0x0000000000211000-memory.dmp

memory/2916-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8896f4a0

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/2916-7-0x000007FEF70F0000-0x000007FEF7248000-memory.dmp

memory/2916-8-0x000007FEF7108000-0x000007FEF7109000-memory.dmp

memory/2916-9-0x000007FEF70F0000-0x000007FEF7248000-memory.dmp

memory/2916-10-0x000007FEF70F0000-0x000007FEF7248000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8b2be16a

MD5 d7798dd6e7d47a1678cc2233e22c31ad
SHA1 2c2970092407739f8e0ffd7b5e5cc70f8c3ed62a
SHA256 a30cb8880ab28cffd55d76c46475006eea2dda1483374ac0de6b285162a9bbdc
SHA512 1df57fb0e32bbd7327d91fe8fb44c52b22af49ebd3e267652a93633b95d6b17d4f9bb0dc9661027c9d0cb2f667c1b9208c48423acef4e5b0f46293a06024ecdc

memory/2492-14-0x0000000077230000-0x00000000773D9000-memory.dmp

memory/2492-17-0x0000000074A7E000-0x0000000074A80000-memory.dmp

memory/2492-16-0x0000000074A70000-0x0000000074BE4000-memory.dmp

\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2492-21-0x0000000074A70000-0x0000000074BE4000-memory.dmp

memory/2660-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2660-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2492-25-0x0000000074A70000-0x0000000074BE4000-memory.dmp

memory/2660-27-0x00000000006F0000-0x0000000000939000-memory.dmp

memory/2660-34-0x00000000006F0000-0x0000000000939000-memory.dmp

memory/2492-36-0x0000000074A7E000-0x0000000074A80000-memory.dmp

memory/2660-37-0x00000000006F0000-0x0000000000939000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-28 14:58
Reported 2024-06-28 15:01
Platform win10v2004-20240508-en
Max time kernel 145s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer (stealer): 2 matches; no description, indicator, process or target recorded.

Stealc (stealer, stealc)

Vidar (stealer, vidar)

Checks computer location settings
  Description: Key value queried
  Indicator: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
  (Geo\Nation holds the user's country setting; stealers commonly read it to skip victims in excluded locales.)

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Reads data files stored by FTP clients (spyware, stealer)

Checks installed software on the system (discovery)

Suspicious use of SetThreadContext
  Description: PID 3864 set thread context of 4080
  Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
  Target: C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry
  Description: Key value queried
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
  Description: Key opened
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Delays execution with timeout.exe (evasion)
  Process: C:\Windows\SysWOW64\timeout.exe

Suspicious behavior: MapViewOfSection
  Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
  Process: C:\Windows\SysWOW64\more.com

Suspicious use of WriteProcessMemory (15 events)
  PID 3864 wrote to memory of 4080, 4 events
    Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
    Target: C:\Windows\SysWOW64\more.com
  PID 4080 wrote to memory of 680, 5 events
    Process: C:\Windows\SysWOW64\more.com
    Target: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
  PID 680 wrote to memory of 4000, 3 events
    Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
    Target: C:\Windows\SysWOW64\cmd.exe
  PID 4000 wrote to memory of 1264, 3 events
    Process: C:\Windows\SysWOW64\cmd.exe
    Target: C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe (PID 3864)
  "C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com (PID 4080)
  C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3 (PID 680)
  C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\SysWOW64\cmd.exe (PID 4000)
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\VIDA.au3" & rd /s /q "C:\ProgramData\JJDBAEHIJKJK" & exit
  (Cleanup step launched by VIDA.au3: wait 10 seconds so the launching process has exited, delete its image, then remove the working directory under C:\ProgramData. The command line names system32 but the image that ran is SysWOW64\cmd.exe, so the caller is a 32-bit process subject to WoW64 file system redirection.)

C:\Windows\SysWOW64\timeout.exe (PID 1264)
  timeout /t 10

Network

All recorded traffic is DNS over UDP to 8.8.8.8:53; no TCP session was captured in the 152 s network window.

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp

Files

memory/3864-0-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/3864-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cf1d5b24

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/3864-7-0x00007FFBB2560000-0x00007FFBB26D2000-memory.dmp

memory/3864-8-0x00007FFBB2578000-0x00007FFBB2579000-memory.dmp

memory/3864-9-0x00007FFBB2560000-0x00007FFBB26D2000-memory.dmp

memory/3864-10-0x00007FFBB2560000-0x00007FFBB26D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d1c0f6a4

MD5 4777d27b188547acbe2023526397a0cf
SHA1 dfc80667cf640a689cc3a82d070698708dbf781f
SHA256 c25298face614477e01d7d2f22d22ecbe5f3cf4ff235fbc0232c2eb3d60adffb
SHA512 1df6820c50e19a4bf9098fec7fe58bb7ceff79abab54e7fb96666b3e235c82afb819ae4eaf7a9086f046807e3589872d45b7ba49f6b4e7a3836d1a37549ea3e9

memory/4080-14-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

memory/4080-17-0x0000000074F7E000-0x0000000074F80000-memory.dmp

memory/4080-16-0x0000000074F70000-0x00000000750EB000-memory.dmp

memory/4080-18-0x0000000074F70000-0x00000000750EB000-memory.dmp

memory/4080-23-0x0000000074F70000-0x00000000750EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/680-26-0x0000000001200000-0x0000000001449000-memory.dmp

memory/680-27-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

memory/680-28-0x0000000001200000-0x0000000001449000-memory.dmp

memory/4080-29-0x0000000074F7E000-0x0000000074F80000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-28 14:58
Reported 2024-06-28 15:01
Platform win11-20240508-en
Max time kernel 144s
Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer (stealer): 4 matches; no description, indicator, process or target recorded.

Stealc (stealer, stealc)

Vidar (stealer, vidar)

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Reads data files stored by FTP clients (spyware, stealer)

Checks installed software on the system (discovery)

Suspicious use of SetThreadContext
  Description: PID 3192 set thread context of 2808
  Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
  Target: C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry
  Description: Key opened
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
  Description: Key value queried
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Delays execution with timeout.exe (evasion)
  Process: C:\Windows\SysWOW64\timeout.exe

Suspicious behavior: MapViewOfSection
  Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
  Process: C:\Windows\SysWOW64\more.com

Suspicious use of WriteProcessMemory (16 events)
  PID 3192 wrote to memory of 2808, 4 events
    Process: C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe
    Target: C:\Windows\SysWOW64\more.com
  PID 2808 wrote to memory of 768, 6 events
    Process: C:\Windows\SysWOW64\more.com
    Target: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
  PID 768 wrote to memory of 3140, 3 events
    Process: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
    Target: C:\Windows\SysWOW64\cmd.exe
  PID 3140 wrote to memory of 396, 3 events
    Process: C:\Windows\SysWOW64\cmd.exe
    Target: C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe (PID 3192)
  "C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_22334_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com (PID 2808)
  C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3 (PID 768)
  C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\SysWOW64\cmd.exe (PID 3140)
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\VIDA.au3" & rd /s /q "C:\ProgramData\JKJDHDBKEBGH" & exit
  (Same delayed self-deletion as the Windows 10 run; only the random working-directory name under C:\ProgramData differs.)

C:\Windows\SysWOW64\timeout.exe (PID 396)
  timeout /t 10
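The cmd.exe command lines in the Windows 10 and Windows 11 runs are the payload's cleanup step, and they are the easiest thing in this report to turn into a detection. The Python below is an added example, not code from this report or from the sandbox: it parses a cmd /c chain of the shape seen in both runs (both command lines are embedded as constructed input, copied from the report), extracts the delay, the deleted files and the removed directories, and decides whether the launching process deletes its own image. The check that a removed directory sits under C:\ProgramData with an all-upper-case name is a heuristic derived from the two names in this report and is an assumption, not a documented family constant.

```python
"""Parse the delayed self-deletion command line recorded in the report.

Added example, not part of the sandbox report. Handles the cmd.exe /c shape seen
in the Windows 10 and Windows 11 runs: a timeout, a del of the launcher's own
image, an rd of a working directory under ProgramData, then exit.
"""
import re

# Command lines copied from the report's behavioral2 and behavioral3 runs
# (constructed sample input for this example).
LAUNCHER = r"C:\Users\Admin\AppData\Local\Temp\VIDA.au3"
CMDLINES = [
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\VIDA.au3" & rd /s /q "C:\ProgramData\JJDBAEHIJKJK" & exit',
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\VIDA.au3" & rd /s /q "C:\ProgramData\JKJDHDBKEBGH" & exit',
]
# A harmless cleanup of similar shape, for contrast (constructed, not from the report).
BENIGN = r'"C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\build.log" & exit'

_CMD_PREFIX = re.compile(r'^"?[^"]*cmd\.exe"?\s+/c\s+', re.IGNORECASE)
# Assumption: working-directory names are runs of upper-case letters, as in the two runs above.
_RANDOM_DIR = re.compile(r"^[A-Z]{8,}$")


def split_cmd(body):
    """Split a cmd.exe command string on '&' outside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "&" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _targets(cmd):
    """Path arguments of a del/rd command: quoted paths, else unquoted non-switch tokens."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    return quoted or [t for t in cmd.split()[1:] if not t.startswith("/")]


def parse_cleanup(cmdline):
    """Return the delay (seconds), deleted files, removed directories and exit flag."""
    body = _CMD_PREFIX.sub("", cmdline, count=1)
    info = {"delay": None, "deleted": [], "removed_dirs": [], "exit": False}
    for cmd in split_cmd(body):
        verb = cmd.split(None, 1)[0].lower()
        if verb == "timeout":
            m = re.search(r"/t\s+(\d+)", cmd, re.IGNORECASE)
            info["delay"] = int(m.group(1)) if m else 0
        elif verb in ("del", "erase"):
            info["deleted"].extend(_targets(cmd))
        elif verb in ("rd", "rmdir"):
            info["removed_dirs"].extend(_targets(cmd))
        elif verb == "exit":
            info["exit"] = True
    return info


def classify(cmdline, launcher_image):
    """Decide whether cmdline deletes the image of the process that launched it."""
    info = parse_cleanup(cmdline)
    self_delete = any(p.lower() == launcher_image.lower() for p in info["deleted"])
    workdirs = [
        d for d in info["removed_dirs"]
        if d.lower().startswith("c:\\programdata\\") and _RANDOM_DIR.match(d.rsplit("\\", 1)[-1])
    ]
    return {
        "self_delete": self_delete,
        "delay": info["delay"],
        "programdata_workdirs": workdirs,
        # Delayed self-deletion: the launcher has to exit before its image can be unlinked.
        "suspicious": self_delete and info["delay"] is not None,
    }


if __name__ == "__main__":
    for line in CMDLINES + [BENIGN]:
        print(classify(line, LAUNCHER))
```

In telemetry the launcher image is the parent process image of cmd.exe (VIDA.au3 here), which is why classify takes it as a parameter rather than guessing from the command line. The delay is part of the signal: a `del` without a wait would fail while the launcher is still running, so a preceding `timeout` (or `ping`-style sleep) is what makes the pattern work and what makes it worth alerting on.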

Network

All recorded traffic is DNS over UDP to 8.8.8.8:53; no TCP session was captured in the 156 s network window. The t.me and steamcommunity.com lookups match Vidar's documented retrieval of its C2 address from Telegram and Steam Community profile pages; 8.8.8.8.in-addr.arpa is a reverse lookup of the resolver itself; tea.arpdabl.org is recorded without further context.

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 tea.arpdabl.org udp

Files

memory/3192-0-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/3192-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d3ab184d

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/3192-7-0x00007FFD1A2D0000-0x00007FFD1A44A000-memory.dmp

memory/3192-8-0x00007FFD1A2E8000-0x00007FFD1A2E9000-memory.dmp

memory/3192-9-0x00007FFD1A2D0000-0x00007FFD1A44A000-memory.dmp

memory/3192-10-0x00007FFD1A2D0000-0x00007FFD1A44A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d62f3fad

MD5 97c78eb55c69a2d232bd48e3cc26a930
SHA1 0e83a03ff63144205c5c7089f43c8299181c7973
SHA256 da6078a7f21190a1aecdd60b671c17630f7d1aba45afe6b05e2dd93da4a53eb8
SHA512 2d50e47a80703223027df00c293643c65fa85e7b0f2f0ef0a0ca55cd8f5c6aaf077e70ac005065f93cfd9203156707ab20b1245f2c1d7959767e24a32e3e783a

memory/2808-14-0x00007FFD29240000-0x00007FFD29449000-memory.dmp

memory/2808-17-0x0000000075A1E000-0x0000000075A20000-memory.dmp

memory/2808-18-0x0000000075A10000-0x0000000075B8D000-memory.dmp

memory/2808-16-0x0000000075A10000-0x0000000075B8D000-memory.dmp

memory/2808-23-0x0000000075A10000-0x0000000075B8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/768-25-0x0000000000C30000-0x0000000000E79000-memory.dmp

memory/768-27-0x00007FFD29240000-0x00007FFD29449000-memory.dmp

memory/768-28-0x0000000000C30000-0x0000000000E79000-memory.dmp

memory/2808-30-0x0000000075A1E000-0x0000000075A20000-memory.dmp

memory/768-31-0x0000000000C30000-0x0000000000E79000-memory.dmp

memory/768-32-0x0000000000C30000-0x0000000000E79000-memory.dmp