vidar | 9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
Size

348KB
MD5

bea49eab907af8ad2cbea9bfb807aae2
SHA1

8efec66e57e052d6392c5cbb7667d1b49e88116e
SHA256

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
SHA512

59486e18be6b85f5275c19f963d124f4f74c265b5b6dfa78c52f9243e444f40a7747a741ccb59bf1863ffb497321324c803fc967380900a6a2e0219eb99f387c
SSDEEP

3072:oh2eRgJtqxVRGKf8OGiLOnXChCrmqSOLMKTJGlRayuEpZTPckmRmVfL:URRgJtqpGO8OUnrpbMKT0lXZT3p

Score

10^/10

vidar credential_access discovery evasion execution persistence spyware stealer

Malware Config

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Signatures

Detect Vidar Stealer 9 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3932-2-0x0000000002640000-0x000000000266F000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-3-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-5-0x0000000000400000-0x0000000002470000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-40-0x0000000000400000-0x0000000002470000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-61-0x0000000000400000-0x0000000002470000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-63-0x0000000002640000-0x000000000266F000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-71-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-75-0x0000000000400000-0x0000000002470000-memory.dmp	family_vidar_v7
behavioral2/memory/3932-84-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BGHJJDGHCB.exe

description pid process target process

PID 620 created 612 620 BGHJJDGHCB.exe winlogon.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	pid	process	target process
PID 620 created 612	620	BGHJJDGHCB.exe	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe

Executes dropped EXE 4 IoCs

Processes:

BGHJJDGHCB.exeBGHJJDGHCB.exes36kioozlxqo6krv99rmb4x.exemain.exe

pid process

620 BGHJJDGHCB.exe
1716 BGHJJDGHCB.exe
2136 s36kioozlxqo6krv99rmb4x.exe
2408 main.exe

pid	process
620	BGHJJDGHCB.exe
1716	BGHJJDGHCB.exe
2136	s36kioozlxqo6krv99rmb4x.exe
2408	main.exe

Loads dropped DLL 12 IoCs

Processes:

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exemain.exe

pid	process
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
2408	main.exe
2408	main.exe
2408	main.exe
2408	main.exe
2408	main.exe
2408	main.exe
2408	main.exe
2408	main.exe
2408	main.exe
2408	main.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3976 icacls.exe
4132 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

209 ip-api.com
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

948 sc.exe
2844 sc.exe
2028 sc.exe
3924 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3888 3932 WerFault.exe 9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe

pid	process
3976	icacls.exe
4132	icacls.exe

flow	ioc
209	ip-api.com

pid	process
948	sc.exe
2844	sc.exe
2028	sc.exe
3924	sc.exe

pid	pid_target	process	target process
3888	3932	WerFault.exe	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.execmd.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4220 timeout.exe

pid	process
4220	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exeBGHJJDGHCB.exe

pid	process
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
620	BGHJJDGHCB.exe
620	BGHJJDGHCB.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BGHJJDGHCB.exeicacls.exeicacls.exe

description pid process

Token: SeDebugPrivilege 620 BGHJJDGHCB.exe
Token: SeRestorePrivilege 3976 icacls.exe
Token: SeSecurityPrivilege 4132 icacls.exe

description	pid	process
Token: SeDebugPrivilege	620	BGHJJDGHCB.exe
Token: SeRestorePrivilege	3976	icacls.exe
Token: SeSecurityPrivilege	4132	icacls.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.execmd.exes36kioozlxqo6krv99rmb4x.exe

description	pid	process	target process
PID 3932 wrote to memory of 620	3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe	BGHJJDGHCB.exe
PID 3932 wrote to memory of 620	3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe	BGHJJDGHCB.exe
PID 3932 wrote to memory of 412	3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe	cmd.exe
PID 3932 wrote to memory of 412	3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe	cmd.exe
PID 3932 wrote to memory of 412	3932	9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe	cmd.exe
PID 412 wrote to memory of 4220	412	cmd.exe	timeout.exe
PID 412 wrote to memory of 4220	412	cmd.exe	timeout.exe
PID 412 wrote to memory of 4220	412	cmd.exe	timeout.exe
PID 2136 wrote to memory of 948	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 948	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 2844	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 2844	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 2028	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 2028	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 3924	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 3924	2136	s36kioozlxqo6krv99rmb4x.exe	sc.exe
PID 2136 wrote to memory of 3976	2136	s36kioozlxqo6krv99rmb4x.exe	icacls.exe
PID 2136 wrote to memory of 3976	2136	s36kioozlxqo6krv99rmb4x.exe	icacls.exe
PID 2136 wrote to memory of 4132	2136	s36kioozlxqo6krv99rmb4x.exe	icacls.exe
PID 2136 wrote to memory of 4132	2136	s36kioozlxqo6krv99rmb4x.exe	icacls.exe

cURL User-Agent 1 IoCs
Uses User-Agent string associated with cURL utility.

Processes:

description flow ioc

HTTP User-Agent header 210 curl/8.4.0

description	flow	ioc
HTTP User-Agent header	210	curl/8.4.0

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\ProgramData\BGHJJDGHCB.exe
C:\ProgramData\BGHJJDGHCB.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\s36kioozlxqo6krv99rmb4x.exe
C:\Users\Admin\AppData\Local\Temp\s36kioozlxqo6krv99rmb4x.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SYSTEM32\sc.exe
sc.exe stop RDP-Controller
4⤵
- Launches sc.exe
PID:948

C:\Windows\SYSTEM32\sc.exe
sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
4⤵
- Launches sc.exe
PID:2844

C:\Windows\SYSTEM32\sc.exe
sc.exe failure RDP-Controller reset= 1 actions= restart/10000
4⤵
- Launches sc.exe
PID:2028

C:\Windows\SYSTEM32\sc.exe
sc.exe start RDP-Controller
4⤵
- Launches sc.exe
PID:3924

C:\Windows\SYSTEM32\icacls.exe
icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SYSTEM32\icacls.exe
icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ZsL2hKzmRChz.acl
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe
"C:\Users\Admin\AppData\Local\Temp\9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3932

C:\ProgramData\BGHJJDGHCB.exe
"C:\ProgramData\BGHJJDGHCB.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEBKECFCFBGC" & exit
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 3360
2⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3932 -ip 3932
1⤵
PID:4036

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BGHJJDGHCB.exe

Filesize
11.5MB

MD5
190e4ed7759276e78d16398673996b2b

SHA1
ce5bb936ab809356d5b0bc29b6be2e0d07d3dc0a

SHA256
d4e965deaaaa9d84359fbce89a2cb1966bca6bf525df8bbfb1ad9ed08df1daad

SHA512
99cf79aba0afc528341c3ef474ba4ab71e50faf497536e74f8d985c39e85d5e145fb86262bac3e95e4c7752c3c0294751d4a988c2f4fbe5bcfcd3c6d19ef9c70

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\s36kioozlxqo6krv99rmb4x.exe

Filesize
10.1MB

MD5
1455f96a3552bffcbd01fb90a2a4447b

SHA1
a0beb097fb0f3fd1a83ef3d01bff8706a40b32c1

SHA256
ce82112e8b4476b65b09fccd1cff9f2f088fe4837c9129de3d82caee138e6d7c

SHA512
d2d8f7667cc44f136f34c30a8759c38aee3ffbbdafd1eb6329bf725f3c5cfcd1a0b2f64f9c12feee88680719cb4e3498bfc3d96927ef1f14ca6b4f1c79b52290

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ZsL2hKzmRChz.acl

Filesize
456B

MD5
40ab00517f4227f2c3c334f1d16b65b4

SHA1
f8d57af017e2209b4fb24122647fd7f71b67c87c

SHA256
4baf4b78d05a28af7dee7dbbce2b4edf6053d9239c1756c932be9f2feee4ef85

SHA512
75d74306f043b864295f09a60c19a43494c226664733c99318989ce5c22cb9395bb407fb5c8c0268ad9184a79813304ed5fc943a6b53db54f5f225cda31650e3

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Filesize
214B

MD5
91d86e531fece0d34ad78d947fc7331c

SHA1
52c9a7c16634637e9db31a6ce63850dfb170b44d

SHA256
a885c71096995389df3015b194b9ad10ae24c4328f4322932d6455398b2fc653

SHA512
1ee4ed0f8045670dbee2c5c4f8100c362b84c1ccc1a2e7f4fd1e97ec057055f1a8dc75a0ce349cc01dbffa2b18e7c7c2288845641358ca3a609b0e6fbd9f49b5

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

Filesize
102KB

MD5
7d37ab1e97bbc8593665ff365d8c96b7

SHA1
b42a6717f91a4c538a4979ab1f0a9cc58485061d

SHA256
1da31243257b0ebc79ba57ca98e6a3a1996cc4e2641e96098561cdcb1fa3ee46

SHA512
60b3683fa7bca42932e02aed4615e67264f31d6f85bebcd3ea7187b9f7a9f79270341496432c07f7e9b10a3172af22d636206fa5b89514a693405ec9d61f678d

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

Filesize
90KB

MD5
fb3bdb27d9c479148f3545ed99e65980

SHA1
a5860563de81d8b74a1c842647e8f4ac7655842a

SHA256
2b5dc45e89700d4b991added1aa097641d60932b7bbe2c12fc8536b9d46f15a6

SHA512
a26d4b169c4061fc7a2a5fefaeb4aae0e9a28211fa28f42b929eaac3721dcbdd17a17ed6e77a79c17d93355cf85e4c46118e42d4f527adf054ab1cc79c8b4d74

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Filesize
8KB

MD5
1256da672b8f39a275fe17e6c716f822

SHA1
b156c2186056cc5bfca84549dd53f796936b2f6d

SHA256
44dc1f938213e09a6ef6a64a9f14804530ae53f41e71813efaf651d9516e246e

SHA512
956d431c83ed0dd59d6f1f3101dcbcad0c6bc1e06031141aaa236f7115a6cdaf95ccea09e42cf1047d2205e8b37f87ea17bebaabfb9c85b96d6fa12de1c7f403

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

Filesize
64KB

MD5
166c6727028bd4f428e411ed225117c6

SHA1
d08cb3e69ea6cf633349f990229e87cba4bcd72a

SHA256
63a0993b931dad9dccf08ea48a0d8e8ba94652eda5bc84f787e640cdd0fc800a

SHA512
90edf532080c61e9fee3b8c884e8894b8a52955410489bbcba3a53ab7a2e291ec2d382a2cb1f5b304762207cbc1971f4a440281a5653257e7223ce171b3646a0

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info

Filesize
720B

MD5
996cbecf2d2fbb3fb7b91c899722aa53

SHA1
16a5d1b5b2895c25f559a7a3ddce9939938fe774

SHA256
a3b31d62f385d5824d4445d3a2e37629b2367234d13635ea2760ff9a3ade4242

SHA512
96338277aab6c1b0009e3e48b8692c7583b8c75fa1aafd99c2ee73f878c6b7938f0abe568a06c852f3199c3e8baf64d4182bd8227516cc14cb32c86b1f216e99

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll

Filesize
8.7MB

MD5
fe7ed803a7f672faee4587732b2c6e0f

SHA1
df209d1b055044abf4c0a6d4de3ebfcd8d7784e1

SHA256
154c3dca584bb1f78c7ae7688d70998f2b62bed8884267e3fcf150bfefe2c9d8

SHA512
06e185f1689e7b5dfef6625d99ff14dfcff6c2203e9be323fed3b6a9684c5179964969546d42f4639db878903981bb15e0a8f62a1c5b2b0a47fa3496e05fdd3f

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Filesize
87KB

MD5
cfcbc15615ffc698507d32c0a7d21134

SHA1
f6dacce59f78ca4ee6622c4a340923282ec3adde

SHA256
a653f5dbeb0ddecbc16c70b0b8c9471abb30c66032c2ee951dc36265f899d7d8

SHA512
0ae08c2a2d56b976cbd748273a7ab8011f3eb82a22d58ebf44b73602ffa808e9a111a60ae250d441d11196522fd4c1aa6ec79193375effdc0207ffe7bbab61db

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Filesize
9KB

MD5
55256f7fddef8d71d83e74074281f863

SHA1
ea58a2dc071f5b175714ec109285a3b9a842a2c4

SHA256
f7a7068b159db196762f723de936ba1a30b673ea82412af97a835a2882be0a02

SHA512
1b36663a8aa80a611e63af539fb0652dfa861d3ba19f5a5c95c21eeec51b2c617edfd62729e9ebd12aecfff9a3934248bf3be75ae83f394a038b9f9311d0c2d9

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll

Filesize
103KB

MD5
b85fecc5e81d0cfbc3750c06e4a11412

SHA1
0f57603db18bfe0a5ee50d618184e9ed4fcafd7f

SHA256
9fd76374c6e19923f99411d6f9bbf6614c94d81cd47630314c2ae21a94df40a8

SHA512
97d553317bb4d276e7f5f3c5808dcb8717319047512def6b96da17d57248ffd5e374833a98f767f14bd8f3059de464f7829d47c65d969be868431faaf6a61c1d

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll

Filesize
126KB

MD5
fef8651f5f797f30a37d7cd36bea31ac

SHA1
8e85d22fb5247a69c1298d703d629dd46bc44c74

SHA256
4083f67d11e7df827bff6c665b29f39fb197b4ba608d5c39ecff46ea9a0b61f0

SHA512
9c69d66690080a341c25eeb9e258fde4dd4e94b80af0085753e758378c1e1790faef48c7384ad5171c63be156c68d0f207ecabf78d8ab5f367e04d5a34828851

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll

Filesize
36KB

MD5
e3e4492e2c871f65b5cea8f1a14164e2

SHA1
81d4ad81a92177c2116c5589609a9a08a5ccd0f2

SHA256
32ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30

SHA512
59de035b230c9a4ad6a4ebf4befcd7798ccb38c7eda9863bc651232db22c7a4c2d5358d4d35551c2dd52f974a22eb160baee11f4751b9ca5bf4fb6334ec926c6

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll

Filesize
113KB

MD5
d44fbd8760e79f5d950db5bc6e86a398

SHA1
2175264673a9a5b7af024d8e8f28879b1758abc8

SHA256
ad38977d88e19c24793c6aee42b6389536b6879faa50e2438350f140247a9df2

SHA512
9fd106939bf686d53676669755272cb59b2ccb7909be27b40c7261988264e801cdc94503f3ed70b95cb0980c65153aa0cc66ca764c053846c4626fde86e122e0

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll

Filesize
89KB

MD5
bf5d5ba471ab0266f991095fdcf74140

SHA1
42e890322966b7f2f9802c9e22269ed339c2969b

SHA256
91db57a2b77ac18b9605b08d7b926f9dc32c7e7d6f4047fba0270a4403c288bb

SHA512
b9f0113802c113f9ff5975989cc6cb9735cbe62d881e009fe853938604837996412332679c7eb7022b734401b2580d116566f7ba51ca62f787cf1d617b9ebc96

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg

Filesize
10.0MB

MD5
b19dd73939f4d3249e87008653bfe5f5

SHA1
936a1de5275e0ea2e4bc9be7b724736b135b5be4

SHA256
7403bf80da0910e3279fa603ae2d573b06f11d3d72585664965e593dac92a0b6

SHA512
103918920927c6e8bac17293ab24e2e543b69fe3455e345faa8a43c0b10f00827f4310552611ec349a1e3b6b02bea8416a5db52fb7a86a55d9e3d4dcf5fbf7f3

Download Submit
C:\Windows\Temp\sR92JZPq

Filesize
112KB

MD5
e6cac6acd18d0bbad9c2384b1dbede84

SHA1
63004a83ff18cce911bc74d27c1a2b7bea9cf4c3

SHA256
9bc6edd286f4dcd83e57b541bc99038f7e902de943a6fd528ba485df1187ffa8

SHA512
43c745d49ab82809c24e5ee62e11406b12b695140117eb1012111eea3b73f9b34b5ade21a1db3aa1fead982f266b05646a08a4813cba2ea950c59a73ab069fb3

Download Submit
memory/620-82-0x0000000000400000-0x0000000000F9D000-memory.dmp

Filesize
11.6MB

Download
memory/620-76-0x0000000140000000-0x0000000140033000-memory.dmp

Filesize
204KB

Download
memory/1716-90-0x0000000000400000-0x0000000000F9D000-memory.dmp

Filesize
11.6MB

Download
memory/2136-203-0x00007FF675A60000-0x00007FF67648C000-memory.dmp

Filesize
10.2MB

Download
memory/2408-212-0x00007FFCEDD00000-0x00007FFCEDD28000-memory.dmp

Filesize
160KB

Download
memory/2408-207-0x00007FF6A9370000-0x00007FF6A938F000-memory.dmp

Filesize
124KB

Download
memory/2408-250-0x00007FFCEDD90000-0x00007FFCEDDB5000-memory.dmp

Filesize
148KB

Download
memory/2408-245-0x00007FFCECA00000-0x00007FFCED2C5000-memory.dmp

Filesize
8.8MB

Download
memory/2408-241-0x00007FFCF52A0000-0x00007FFCF52C0000-memory.dmp

Filesize
128KB

Download
memory/2408-236-0x00007FFCECA00000-0x00007FFCED2C5000-memory.dmp

Filesize
8.8MB

Download
memory/2408-232-0x00007FFCF52A0000-0x00007FFCF52C0000-memory.dmp

Filesize
128KB

Download
memory/2408-230-0x00007FFCEDD90000-0x00007FFCEDDB5000-memory.dmp

Filesize
148KB

Download
memory/2408-223-0x00007FFCECA00000-0x00007FFCED2C5000-memory.dmp

Filesize
8.8MB

Download
memory/2408-219-0x00007FFCF52A0000-0x00007FFCF52C0000-memory.dmp

Filesize
128KB

Download
memory/2408-208-0x00007FFCEDD90000-0x00007FFCEDDB5000-memory.dmp

Filesize
148KB

Download
memory/2408-209-0x00007FFCEDD60000-0x00007FFCEDD83000-memory.dmp

Filesize
140KB

Download
memory/2408-213-0x00007FFCEDCD0000-0x00007FFCEDCF5000-memory.dmp

Filesize
148KB

Download
memory/2408-214-0x00007FFCECA00000-0x00007FFCED2C5000-memory.dmp

Filesize
8.8MB

Download
memory/2408-210-0x00007FFCF52A0000-0x00007FFCF52C0000-memory.dmp

Filesize
128KB

Download
memory/2408-211-0x00007FFCEDD30000-0x00007FFCEDD54000-memory.dmp

Filesize
144KB

Download
memory/3932-1-0x00000000026B0000-0x00000000027B0000-memory.dmp

Filesize
1024KB

Download
memory/3932-2-0x0000000002640000-0x000000000266F000-memory.dmp

Filesize
188KB

Download
memory/3932-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3932-84-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3932-5-0x0000000000400000-0x0000000002470000-memory.dmp

Filesize
32.4MB

Download
memory/3932-8-0x0000000016F40000-0x000000001719F000-memory.dmp

Filesize
2.4MB

Download
memory/3932-40-0x0000000000400000-0x0000000002470000-memory.dmp

Filesize
32.4MB

Download
memory/3932-61-0x0000000000400000-0x0000000002470000-memory.dmp

Filesize
32.4MB

Download
memory/3932-62-0x00000000026B0000-0x00000000027B0000-memory.dmp

Filesize
1024KB

Download
memory/3932-63-0x0000000002640000-0x000000000266F000-memory.dmp

Filesize
188KB

Download
memory/3932-71-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3932-75-0x0000000000400000-0x0000000002470000-memory.dmp

Filesize
32.4MB

Download