stealc | bfc9270ed3a31492f2d720aef6d2c13c00cd33f7db59f844c9be0f633bac4c26

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f.exe
Size

858KB
MD5

7aec38c6f23f36dbf2698d116efebca5
SHA1

7094d6969973a686765978a661845078bbbf04c3
SHA256

efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f
SHA512

ad598d8b5b23971677c352729b479fe51a04c722b97ea3869f374498030936329ba4e5b36e2713b72d0aeb382d6e05698dba044367106e277d695cb461bae419
SSDEEP

24576:FPgnJI9ACUvVBQWnNYMFm0ykNNcw0xGJWW45:EQUvzQWj7ykNNcRxGv45

Score

10^/10

stealc vidar discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Signatures

Detect Vidar Stealer 12 IoCs

stealer

resource	yara_rule
behavioral2/memory/4220-360-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-361-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-371-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-372-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-388-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-389-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-405-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-406-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-420-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-421-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-422-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7
behavioral2/memory/4220-423-0x00000000003F0000-0x0000000000638000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	Refugees.pif

Executes dropped EXE 1 IoCs

pid	Process
4220	Refugees.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Refugees.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Refugees.pif

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4568	timeout.exe
1496	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1676	tasklist.exe
3876	tasklist.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	tasklist.exe
Token: SeDebugPrivilege	3876	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4220	Refugees.pif
4220	Refugees.pif
4220	Refugees.pif

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4080	2432	efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f.exe	85
PID 2432 wrote to memory of 4080	2432	efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f.exe	85
PID 2432 wrote to memory of 4080	2432	efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f.exe	85
PID 4080 wrote to memory of 1676	4080	cmd.exe	87
PID 4080 wrote to memory of 1676	4080	cmd.exe	87
PID 4080 wrote to memory of 1676	4080	cmd.exe	87
PID 4080 wrote to memory of 1628	4080	cmd.exe	88
PID 4080 wrote to memory of 1628	4080	cmd.exe	88
PID 4080 wrote to memory of 1628	4080	cmd.exe	88
PID 4080 wrote to memory of 3876	4080	cmd.exe	90
PID 4080 wrote to memory of 3876	4080	cmd.exe	90
PID 4080 wrote to memory of 3876	4080	cmd.exe	90
PID 4080 wrote to memory of 3756	4080	cmd.exe	91
PID 4080 wrote to memory of 3756	4080	cmd.exe	91
PID 4080 wrote to memory of 3756	4080	cmd.exe	91
PID 4080 wrote to memory of 2892	4080	cmd.exe	92
PID 4080 wrote to memory of 2892	4080	cmd.exe	92
PID 4080 wrote to memory of 2892	4080	cmd.exe	92
PID 4080 wrote to memory of 724	4080	cmd.exe	93
PID 4080 wrote to memory of 724	4080	cmd.exe	93
PID 4080 wrote to memory of 724	4080	cmd.exe	93
PID 4080 wrote to memory of 2252	4080	cmd.exe	94
PID 4080 wrote to memory of 2252	4080	cmd.exe	94
PID 4080 wrote to memory of 2252	4080	cmd.exe	94
PID 4080 wrote to memory of 4220	4080	cmd.exe	95
PID 4080 wrote to memory of 4220	4080	cmd.exe	95
PID 4080 wrote to memory of 4220	4080	cmd.exe	95
PID 4080 wrote to memory of 1496	4080	cmd.exe	96
PID 4080 wrote to memory of 1496	4080	cmd.exe	96
PID 4080 wrote to memory of 1496	4080	cmd.exe	96
PID 4220 wrote to memory of 408	4220	Refugees.pif	100
PID 4220 wrote to memory of 408	4220	Refugees.pif	100
PID 4220 wrote to memory of 408	4220	Refugees.pif	100
PID 408 wrote to memory of 4568	408	cmd.exe	102
PID 408 wrote to memory of 4568	408	cmd.exe	102
PID 408 wrote to memory of 4568	408	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f.exe
"C:\Users\Admin\AppData\Local\Temp\efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 820565
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "StudiedForeignTitansCircles" Eos
    3⤵
    PID:724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Bind + Dow 820565\n
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\820565\Refugees.pif
    820565\Refugees.pif 820565\n
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\820565\Refugees.pif" & rd /s /q "C:\ProgramData\BFCFBFBFBKFI" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4568
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\820565\Refugees.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Temp\820565\n

Filesize
310KB

MD5
8a1a61c380b69ad62ef10671966ab7d5

SHA1
6067400e4e12981b8d14ae16382d360c0de07260

SHA256
587a5e7f9f5a49c3a0b5793096224488ea1f78e17d872c8623a5b9afe0c0c05e

SHA512
f6ef688f8514d8628cc2cc2c92a6ef95ca6cc5241898158779b492d8b716cb0273627d28cec685440c8ca989a273774c4e522215c4fbd321772421dbcd2b1b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bbs

Filesize
11KB

MD5
8ac8c706c4684c18f197c30070c124c2

SHA1
a07521dc17273a281f8fda7e2981624aa957caf1

SHA256
4bdf7a2a03c7838c0a1fa3801289f44e5a23af4e633e462748eb6c02e8b5fd38

SHA512
b8cca2976ddade99c770d6221f2ce6f71502d18a1b2784945b2696ea2475ac8dfbe2d11d9307858d9904e87dbe4e5895331f19cd233d7b3fc1853c756b48a5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bind

Filesize
138KB

MD5
04b1a5a5e29697cb473ef97f25c4b326

SHA1
6ad56924b67b6ff6990e2b55e45bfa2f95990acf

SHA256
b3d3e654662389a26572efc5503b27f05cd0b0c0f24ed9926f3a4a2169ea8f62

SHA512
fee61ec5a06261533b8c2ab004152ec9060e998f231832bd02829432b9d2570a1a7eccf93bce79704190b3728544ea1cf670254c934a434d07e700f9974e6ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butler

Filesize
42KB

MD5
8dc490c7c1f7643956fd2fee5f5a5574

SHA1
b412643ee2e574330a5f7706249a7b7b6bc7fac2

SHA256
119dde8aa763954ba6634a3fcf609291337e3ce7d5c8ae94190133aae9ee3b71

SHA512
7f649af65e68aa5032c0086d2dce8882d495dc4c1f79f586b8d9d6f7625b075449adfb5906bb8a31cc153b443d088876c2fb22e6c1c10f214fbd395da6351598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Darwin

Filesize
53KB

MD5
05c38cf6f8d52d2166b0ec2e19b5952d

SHA1
1e68455b73e2ea8593b2e1e5d7df47907c6f4ef0

SHA256
60555fc678ad0d7684d74763f8136e14fcbd967af26105da6fdeedb516664fd6

SHA512
256a911a1898e0405ce246dd641436ece680c7f5bb59447987b40906572aa9727bd310e662c8a24ac9229d12f41fafe4305d20e3b76c3645a81ea465163d1ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dow

Filesize
172KB

MD5
daa015a1f21c7a4894d033627bf130bf

SHA1
2fcbdfbec1cdeb213ec8cf28f1d040093cf436b2

SHA256
c8f6037f9e31c27d5759c623e3daf3f401b2741cbbd2560a703e0ba8df0a309d

SHA512
fcc4ee2f23ebcee327e705684cade08f558d301e356ced7f1393ddc5ae4ebbbbcaed70178a4b437a042e8aacd8bc7319e03f18e0db9f0656508e342848276cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encounter

Filesize
16KB

MD5
e169484f61ee7f91a48e9950369b0c19

SHA1
9a7a13bc99e6075e3ccaced9aef73928e911982e

SHA256
f0b5fdc6317e21f5e78904e3833521c656c13ec715353c2185985fd158349c9f

SHA512
cdfa5b2731268753b2ba549e8336ff1d3ac68bc83d7e61a21b2e34461bda1617ab1961a2938841e5b479b3d3ea792c8785eb2bba1d70ca273e20b663eb28c6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eos

Filesize
104B

MD5
893f66656d1ae71c271437adfaa8b2ab

SHA1
d6891a291d5be87144fd7726b6057a650a43eb67

SHA256
d7da3bf12721cd0a5b168319c7dd3378e166baafe9897059cb3677be40e817ec

SHA512
ee17760000f587b5c1b1f0a9cacaa16b0ac51ddc1221fc041dc272c04f0d9e425c8b303c26fa64b1c7e23a3c69d244af73ad4aea6709dec18c470ce43ac1ea3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Essential

Filesize
45KB

MD5
9f06d5e95df19b2da82d9a7efc94d66e

SHA1
c09f6dd987a9f9a625c18c61bc43d69694d8275d

SHA256
ee5ea03416921826638d490975b7b1a7491d14616714bfae919bc5c11dced2fb

SHA512
434aa56b6480defdf42ed601c51827b403fb6eedf88ff6c7c4789e8035084e4d197d66b2fe246abd9c1c5b313a80bfb8accdb56606d7a64ff7cd560b1ccabd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Framing

Filesize
26KB

MD5
2a4ac5ee8e094168c874cd3431735a92

SHA1
00a5983d45de5074a9fcca66b1006447a14c7930

SHA256
3f36ffb3dcce7f4f33ddd3e56cbb5ca825736fc926ce67e3aa927f39fa8d80d7

SHA512
fd1ae8f47dc9e628822caadba032b860012ab2836c5818881011b19e227f7e3d37f02370d99c0e4ccbb121038678a2cae8471173f334f37ddf4acc42651b1acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hierarchy

Filesize
37KB

MD5
43b9b743afc3bafcdce0de5c02e5435b

SHA1
4312cf695167dbb0d06dc0fcfcca0e1f03b94692

SHA256
b53daaabd96f059f26bb48f90953288f33977f046c22623b9fec40d7c77a13fa

SHA512
a8c41b42c6b14be2f540b24305eb91e5797f4493241676055bb8b66754a2f13be2a03007ee345b24399127787bbd162f4bfaefb8e756dbc749b0e704eb5a78e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ignored

Filesize
46KB

MD5
6ef485e669e927fa4424c224ed0be4fd

SHA1
57f788bbb8cffb7e35dfe5425c191df3d9041d5f

SHA256
1d352c3fccf7c4cc937478327cebdb1e11fc6bc91c4279efe87bfe258e665880

SHA512
81a609b9116c0cbb6a7db3df4101085964f801a691b319719accf27d5ae65a7db9ba2376b779519c372e4cadd8f33f9c1645d839acc35f1b163736c6e5d29736

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inappropriate

Filesize
65KB

MD5
8b72724be50be4c02d108e13ba1f03ac

SHA1
64c19a356548a6d21fdf5bf156a945021a2fa3c8

SHA256
f649deb8a84c55f8f16ff7b5f4f0db9f01e1bf64929479cac712f7a0b8d65994

SHA512
37c9a4048c101dbdb51d390c5eb51b85b6c0a502f327dd2d9c173d9a3dace21534d1dee2f1e8fcc204d20607d2e1211bce88599543d4862a1915f6e6b82eb6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jim

Filesize
38KB

MD5
936df0a9731f06346cf5faebf2185309

SHA1
7940b59ea5ff316d60f77e244a7faaee0d16087b

SHA256
c24354439c40bd14d14e14e10b8b0d4385d8189719ccbc6f174d827467dc2bb1

SHA512
01a53e1dd1db533af086ed274a5f7d165490e9c5bcb472d487edea8d1dd9966500157625ed27fd70f9f8190e1a738b9b1a6086261558510280d3fa54d48e9e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parker

Filesize
25KB

MD5
4c873e5a7fddcec3d3397ed0fa1d7979

SHA1
95d9594e55a569345d2bc142f5a69b749b1d0177

SHA256
d6b057c834f42e8b447871680336dc4039b327eebbc33db85e2847da6aa8a8e5

SHA512
492f02b31c8d0c48b7dbf42b3cc0ad73d0ced1bb7484a3f83b59c6c507649fabbe57ae5eef9322c67431d0c38203f7a19374e0212652cf0c6870ed069b785daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patterns

Filesize
66KB

MD5
5c109ad97b8502c27805d64bfde91d4b

SHA1
3df3b449e42b1bce015473de53378951d99c9102

SHA256
8308c234de3f18053e52b48e83bd3bc69b3e6d9632fd2a1fe09059ff47754d49

SHA512
ff410d4962695ff11547dfffe71d7b32583b6da9a978dd9476e94339e778c7ad346ed80694c3f01296cca98873eccd28fbf929cf52778168590dd5a3704854bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pork

Filesize
69KB

MD5
de7debcf02e6312441ed6f77d8fb0ff7

SHA1
b887f109443cd46e1b125b74a24468e02fb97406

SHA256
7649067870bf2ebb47d8d3dee1d634d052902353a9ea4a27a2b171e4caa2b677

SHA512
8938d2e542a4836c11e61cf33b590f916e9fb00d40b2f8dfdb61fb26aa1aed8d90b1b873989787cc8b90a3a48255e2f3da35ebbd6b325a3bde90591306cfc3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regards

Filesize
34KB

MD5
c0fbf0cfda8b9e1abd0758c522a8802c

SHA1
72695440df9037b3ab984cbf67842c68ea27aaf7

SHA256
55f815e67c0679ac0f2db488cd2436974b6a845bea9da243c7d80f97695a3456

SHA512
167859c756d96220e20f2164bdb1986384d39e334bda4dc3968f97475d9e58826f4aa0f8e17c13ddb371f9573c4a3b3da1a6d65741ca846f691cde9e441b8492

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rh

Filesize
58KB

MD5
f99e527e596bbb5f2a9703dc97b639ba

SHA1
eb6e493fc6ed954afd4f01cc00509b076fcbe022

SHA256
f7fcd12eaa99887eb2bd44ed05e90d056ac3a43e5bbaba127b5e157600e355fc

SHA512
facca0b2e2d93513d729cab9dcbe48ace825f14ecef7ed146ece5ccf95f5704ef174697287633b231f2459dc93f28d7f95ab850fe64ac5ee96180176cac0ade8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scheme

Filesize
29KB

MD5
8d1e059ad293bbae83321e46ab27cb35

SHA1
fd7cc899d7531cf20ac6c2f133e9d6429e73a4b3

SHA256
80ef276fbe7bd300cb570295b879c5009fe8e7843d3f752f1ea8d197667bc589

SHA512
8782aed80d32f3143256bbefe1a005b30edecb59b7172d23dab13e391e8de4d7eb70668311b593bcc8ba3bac4515f38c34d230519add84421da9201240090cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Son

Filesize
12KB

MD5
b35a7678f2ace72e53fdfcd3b182a809

SHA1
1795052b1751ca6a5587c76f36d6e8dd989c2545

SHA256
b6af7026b87607244bc3501cffaa3be14dc657fc298bd72eebddec80cf1ae27d

SHA512
27404a98232ae1ffb8902120dca801e6a7174fb112c75b4d217b4ec7b2224c10fe2db9c869e6ffa003771634429744c576de2aab6b45dbc5c99272b7740523bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Specialists

Filesize
40KB

MD5
979283ddcd0ac50fcee85cb33efe32a5

SHA1
0094676f4770dfa6fd8325b0ca1eca631e417ede

SHA256
ef22eb20475d15aaad1325b794ef3ca7705329fc659fb68f62d6cf22558eb915

SHA512
0e94297d02324f2323ebdf4883f004f8133448f4edf14539637d02d196a8dc621afd89e5a203c45bdfd2d4ac705630b774bcc88e7c61d1743b2f7fe973e69abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spyware

Filesize
27KB

MD5
5f1a35b3f44e3bf44a8fb705323de274

SHA1
b0947eef74cead1a377f201c23f58cfc625bc09a

SHA256
9ece0b230157698fcaccd55a8cde992d471a31906147607cbcae654c3474ce3c

SHA512
cf4b1c30085855a9a02980f21f422a59f0ac5d3f7d05382c3a1e27a25c82a17409fa9e53fb313078ca210ffa432d525eee1315f2e9df23261c751c9910755df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Story

Filesize
50KB

MD5
17a40b97e496af296aaa0e9fdc1170c9

SHA1
4fea4bf72c1be106ad6eb9274d322005a9c85bc6

SHA256
61862afab4b586692a55c95b625305162fa5bd0559380d99a0e4c08797636955

SHA512
b6a0ff7dad07fbaf9d9a91f427775f3d1f293d56bd36e0972d60ee4423dffb8b5e67da69497505e34b2f1cab93c737d35b0ad2c82ca834dff968e45b288211bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tags

Filesize
19KB

MD5
8b18b5b19625040af0acd3e289e8f5ee

SHA1
cd86d5de5ed1f23f288ede6f07eaee499655abc4

SHA256
1e24d91bfd58f1576460250e55a8f08b2c3dc349fc1311e3080b95f18a802396

SHA512
d8cdd20980cc59b7223bee2234ce343b3dc7fa03519db9f70c4ca7e26118ecb14277f9a1c9187644369aea1bffb6ef414231b7916ce01c40678d0b32e889eda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teams

Filesize
67KB

MD5
29cb38f95a85eac953f55fbb66846288

SHA1
963cd51ae652d58e6dfe2498e4ba8427148f1d9c

SHA256
38c5dcc4cc3d454fae7e607ee72a536ac01fd9f349b4fc20b2b02519dcabcbf8

SHA512
5a2d63c608bce69829a3f851211656c4b6796d7bd404d4c3f51e31d968507937ed736e96251ac72a35095648f8ace06eac664c41eb999ca5b6433eddcaa242e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Translation

Filesize
52KB

MD5
8942096633510a8f6c2ba6398a67417d

SHA1
fe2cfe87af1482d33c824d59d6b2509bf8af58ad

SHA256
c9eac22d2711a6c9d7a5664c7dd286529f645ef0d19c8d0855e52dc8c637c6a4

SHA512
e6627d3e559f7f5aa4afd33c84516337d9fa1c614be4e6f2321f26924c342558399424620a61b821fe1e58d1b0e1fbcef77370796a68379781c69e8193019fc0

Download Submit
memory/4220-372-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-375-0x000000000CA90000-0x000000000CCEF000-memory.dmp

Filesize
2.4MB

Download
memory/4220-359-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-360-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-361-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-371-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-357-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-358-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-388-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-389-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-405-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-406-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-420-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-421-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-422-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download
memory/4220-423-0x00000000003F0000-0x0000000000638000-memory.dmp

Filesize
2.3MB

Download