vidar | hxxps://www[.]mediafire[.]com/folder/v6itahr4p07b1/Files

Resubmissions

11/08/2024, 18:12

240811-wtfr3a1dkj 10

11/08/2024, 18:09

240811-wrnpws1cml 8

Analysis

max time kernel
134s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/v6itahr4p07b1/Files

Score

10^/10

vidar credential_access discovery stealer

Malware Config

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199751190313

https://t.me/pech0nk

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 34 IoCs

stealer

resource	yara_rule
behavioral1/memory/5392-643-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-645-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-659-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-662-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5956-672-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/5956-671-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-688-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-694-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-705-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-706-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-711-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/3988-712-0x0000000000C90000-0x0000000000ED3000-memory.dmp	family_vidar_v7
behavioral1/memory/3988-713-0x0000000000C90000-0x0000000000ED3000-memory.dmp	family_vidar_v7
behavioral1/memory/2980-715-0x0000000000870000-0x0000000000AB3000-memory.dmp	family_vidar_v7
behavioral1/memory/2980-716-0x0000000000870000-0x0000000000AB3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-721-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-722-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-726-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-727-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-736-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-766-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-778-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-792-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-794-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-793-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-795-0x0000000000E60000-0x00000000010A3000-memory.dmp	family_vidar_v7
behavioral1/memory/2980-820-0x0000000000870000-0x0000000000AB3000-memory.dmp	family_vidar_v7
behavioral1/memory/6136-821-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2980-823-0x0000000000870000-0x0000000000AB3000-memory.dmp	family_vidar_v7
behavioral1/memory/6136-833-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2980-839-0x0000000000870000-0x0000000000AB3000-memory.dmp	family_vidar_v7
behavioral1/memory/2980-850-0x0000000000870000-0x0000000000AB3000-memory.dmp	family_vidar_v7
behavioral1/memory/2980-851-0x0000000000870000-0x0000000000AB3000-memory.dmp	family_vidar_v7
behavioral1/memory/5448-857-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4128	S0FTWARE.exe
3476	S0FTWARE.exe
2560	S0FTWARE.exe
5356	S0FTWARE.exe
5848	S0FTWARE.exe
5228	S0FTWARE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
261	bitbucket.org
262	bitbucket.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4128 set thread context of 5392	4128	S0FTWARE.exe	142
PID 5356 set thread context of 5956	5356	S0FTWARE.exe	145
PID 3476 set thread context of 5448	3476	S0FTWARE.exe	146

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
852	msedge.exe
852	msedge.exe
4068	identity_helper.exe
4068	identity_helper.exe
3852	msedge.exe
3852	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
5392	BitLockerToGo.exe
5392	BitLockerToGo.exe
5392	BitLockerToGo.exe
5392	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	756	7zG.exe
Token: 35	756	7zG.exe
Token: SeSecurityPrivilege	756	7zG.exe
Token: SeSecurityPrivilege	756	7zG.exe
Token: SeDebugPrivilege	4128	S0FTWARE.exe
Token: SeDebugPrivilege	3476	S0FTWARE.exe
Token: SeDebugPrivilege	2560	S0FTWARE.exe
Token: SeDebugPrivilege	5356	S0FTWARE.exe
Token: SeDebugPrivilege	5848	S0FTWARE.exe
Token: SeDebugPrivilege	5228	S0FTWARE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 3616	852	msedge.exe	84
PID 852 wrote to memory of 3616	852	msedge.exe	84
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 4012	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	86
PID 852 wrote to memory of 3808	852	msedge.exe	86
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87
PID 852 wrote to memory of 3496	852	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/v6itahr4p07b1/Files
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff904ef46f8,0x7ff904ef4708,0x7ff904ef4718
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,7630284240248985947,13931813108206226970,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6044 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap12961:74:7zEvent8919
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4128
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5392

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3476
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:5448

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:3988

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5356
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:5956

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5848
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:2980

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5228
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GIEHJKEBAAEB\KFBGCA

Filesize
114KB

MD5
c3311360e96fcf6ea559c40a78ede854

SHA1
562ada1868020814b25b5dbbdbcb5a9feb9eb6ba

SHA256
9372c1ee21c8440368f6dd8f6c9aeda24f2067056050fab9d4e050a75437d75b

SHA512
fef308d10d04d9a3de7db431a9ab4a47dc120bfe0d7ae7db7e151802c426a46b00426b861e7e57ac4d6d21dde6289f278b2dbf903d4d1d6b117e77467ab9cf65

Download Submit
C:\ProgramData\GIEHJKEBAAEB\KJEHJK

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\IJECAEHJJJKJ\KJKKKJ

Filesize
244B

MD5
82d0a343d06f3aaa16c594284d6b1f6d

SHA1
9294bb014a3a8be3fc5c533f525ac7270b09bf51

SHA256
1a0655b5aa5b6d037e25893bd191323091025f1df92e6f8b4392b1889171da10

SHA512
de024359f7c3e247dfd61b3ef3be0f3bc65855e4863966345bfe99a9e7c21659e2d0e08ba50ee46cccd0e569633b4edf68e30050c8956005adb56500d263ad53

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
f37157705a5fec01fbcd31c8600310c0

SHA1
fb1855342308648f14a66ef314daf620d2d09239

SHA256
592f46cb0fc59600cfc246c890a4e19a6dd324beffdf104c332ba0db8cd9a010

SHA512
677eb24f9b4f2b08dffd7eeb34cdf46519b7faab2581a7a2ccd05102f08725c6d21146186b41ae33568bac56923175698262ba7aaf9745733b9e0d58ad12f722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
1078c24aaebab15f8d007ff29bc48ae1

SHA1
c3016d49f2c6e5641a69305e4176de51bcd4eb20

SHA256
aba2a6652bcd10bfbf28e4b8072fec7ce52290f72087cffb88f7c440547d73e5

SHA512
cf51d0247445bf82c6bdccb5baab6d8b9859cb6ea259cc8f322d502ddd76a718a2b0bb057cfff782762717e1af82ce2f4bb10eccadaacfe30fc791f5620a698c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
31a6c85df44e400e12ee251ad7e31136

SHA1
cc130c7b7892846ebfbaa58240dae6c1abac3274

SHA256
8022797088e95967537e4d6cd75447ef7698021598ab6fb480ab7c8ba5b13ca4

SHA512
0003fe7951660d9eba7d73ea1cd753a0c0b1d1761487f60c07d9bf2679bce5700020a420f39510549d086670093f75c9d50037ef0f5b79f90036f4ac368328a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
c6bd50ea2bab62a9f6d10ac52a394d4e

SHA1
1f5bb01897774ee9f51055b6c7cc63a6224c6162

SHA256
3b5efc29477a3fde8bc9115ac6a3d36c20b29e029d3ed27ed384a32543151de7

SHA512
f91289bcfdf57ad82ed11db9885a91aab1d926af270b42649c73b44924cb146f304b6dc06c82e347eaebcb8f5998e1817f3ee8d45bcefe6308f8acb0cb13c32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
1b9f42b1a59279ed6c33cf8f79f55228

SHA1
f3c813192ae05f257cf4fad0e95c8153cee89b87

SHA256
fa82505b0c3ec2a84806d96ec6270605caa790259222d972df07e8fca051666e

SHA512
ad9ca8323bb39941ae911a1ebedee12abece5e869a57c32bfae3d2a8a0f03246414b65d4e626b07b8e141a9244865942c4f4a165dfe81f08161efa03ba6fbe41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
132KB

MD5
84076950540df07e9e299c3530999cef

SHA1
ade84ee86c62b2dc8d0bb9f943b15e25092d0b29

SHA256
64325b43896ac9dc28a19b6580be0971b4c3b67b24717c9a62c66f8056b2040e

SHA512
86670e9a7bf8c6f78b4f18766717e6ba67b189333f5234b5b4f8ec7f6048efbf8c53290527ccd030461021d10bfb12ca3c601b354b6039957200cc92853164d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
df252c4dc61f3eea9faa8eba270af13d

SHA1
5c123b86f572fab729d9d468e4f988d3324ab35b

SHA256
83dfd333d92dca471dc8b3932b4ce5293e96b037ecca2550ce06f23054dab3b4

SHA512
75f233e2b49b43ca4b18ba97c58f4bd1e3000bf793bc84d76ccf7d3412a9d5c3f2ad99de3460fc4d9d0ce918cd2a228c4883a46e520bf31f5222b5c2065bc003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6847564ec297a2051ccdb6eb509fcef1

SHA1
a4d16e58b3ad0a967ab75d6901a4929d1b4dff19

SHA256
440d307cc779302acb6f24b79c0f40252801f2839961a3e1616d442890a0ee46

SHA512
ac69eb893db5dee061d7255216f981b548396e73be0c141c7e429ce066f8faaf604486c66965e91f12a80bdb6e727df162e945d870c568a7317e17cbbfc7bbe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4c358bb13192841143319769d754a6cc

SHA1
a2f623dd568a7bbea3496edb32fc49a94dbcb572

SHA256
7d0bc87b88d317cd27bc93fa0aab3e3d9426e826c744acb36f057eed95370c73

SHA512
ca04d90122393c7acc0c699a68b6d3e9740a3d08a6ce06a5dd34e88b39e982c9c04d5072bc9da89de9f1cbdfd08d7cd6f3ae6c395129c19093ca48d8c1d454c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4208a73af49c2f159ebb8381f26c6218

SHA1
7e71d3e47c8a7e65aa91367dfc26afccec8d9526

SHA256
cef7ebf00f8fd66f9e9e0b21f6e482445670d1dc9c80bb61749f49c5b122e477

SHA512
b0b3fc28ba8149950195376734f258fd8652f4f4c749eb087e908c0a4885cb23d5ec95780cd4b6f39c82e2680bec4e03cc99311b591b9f463c42cddc03818797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
159907b5b48b012bad0f07d169fda3be

SHA1
f190b6ff784dfe90f77c09b3b125406fd6546e6b

SHA256
d36c86f4664d606c4c5a5d68ed668b9b872d8a4e0dc47fcde650ea9c46eec5e3

SHA512
5518915ec00604895ef90cca35a03ee825f5b43300af224e00a63973fc36a3c39590fc27ab0bbfed6a7e7746b88f0f8c9a4b60c6cc095df1192dc158a433b7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
5320903dd6280a727baecb78464fb461

SHA1
db4beeb90207bd999829fc53b7611ef5e87207c8

SHA256
0e968ad1f4bac77c102636a0264085cf21a2a53fb3a66df5ef88ecfa2fc17b08

SHA512
e4dd5f2d7cb4efb9543ab4821470dc87715259356495b144cf5f0dc5af68e61cdfd4d1a2e5d60733509def845bf09f1259ab7922f4887ab9036c35348f97e4a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b8cda472-f767-49d4-86a2-b1d8316f372b.tmp

Filesize
5KB

MD5
367bbe7c0ea82ae39621e7f7a55b3c27

SHA1
59356baf81ef40370f6792e2d6fc03cba6cbb32c

SHA256
71698c03b094b902c73d6cdfd26403f650ad544e981bf2bc428ff39b9104378b

SHA512
4fa38267aed8722693d387d51c524b226901a6a94679a6ed30337e7f018bc979f52667dc609dc59a9dc09fe1e1ce48e08d5e88a9194bd21767ff7cd02b9f87a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd8f14c3fff9f66a3d948c4f2a10c41d

SHA1
e50e60408c0860459455cbd9c8086784723119cb

SHA256
70f4a192728b7ce1af8ccf135cf8bac1af9cfcd4b74b4a6d579c33f8aaac1fd2

SHA512
48348d96a22ed739f9aad4d8d6bdfe1849201febd3155ec78cddd4b898553ce8a0c7564faebf72fa736474360e4a641b9144ec539d1c384a410e8dee117da4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b20b39887bb4419f293f5aed517c0689

SHA1
c93dad40789f03eda9572dc394e5929157653bc0

SHA256
7980b6adc954b69f2d61a64986880c1e7911b8aa51056fb55c13c4cb227e246d

SHA512
3b2a558cc65270f76fdf2fd888e5fbc7c5c8b92b428c4bd707557e3fb3a9c6137d25171d0768955049bb9f08f7712ca0ac36292ac666272f62b3f9b2e16abc3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f16105399224f13a3fb4378dbfe3f048

SHA1
b4a5dd68859ff745d4aac0691e18b1a1a07f7a06

SHA256
fae9ea8bc1ca8ff61a7757becb67f4d7a42c7ffcd67e9d00c74bae5b107c0449

SHA512
e63aa453df347155f7e5423470a3b9ceeb7595155e358dad02685cc37acb44c78f8676763a5d4a5c1f7d369f698a66cac06b309cedc488fde4b752c8b8b1a39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3660ca9eed3605f250f6377526f924a2

SHA1
9bd5c9b9a4082cd467db306dbfc27ae5eb0de467

SHA256
8bd82850e1b183f05735b6e87cde1828b000312fe80089a4c847682cd037dc9b

SHA512
d27dfbdf776f0260f06222b95d42dc55057713258147d6e1b9fd6bb02ddb4d4ff7538ad96e1e9cbf3f15521fc09634b971d92ecd4453f6ab770a6c37a03e21ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\76561199751190313[1].htm

Filesize
33KB

MD5
0e2dd637771c9ed8d1a4319809d4fc1c

SHA1
5a573afc075f6cc1e22ba44fa789961364888c87

SHA256
6aa22d1b64a6d8884cec7199f9253c0a60effbd825566be65760baa51edc57ce

SHA512
aa41b65ee1f42994156334610e2d7b1d7d1aac7f443180685a0f36f682732e34dc42560c7ef33dae8fd6959a6a6a005c2d74af41a105cc79ff89731ddd7bc153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\76561199751190313[2].htm

Filesize
33KB

MD5
3e3766eb9fb9b5b33365ebebe137fd36

SHA1
ca869f3c77bcce04c6dd969163cf5fecd86e5244

SHA256
679b43518f8d6e2c7070c1ed102e111ae03bd49d933d217495670787d1982794

SHA512
a65949e4f0ca90972c4f94abe95bdfd272b64c64d7154213fc386946e58667aa83713b251e793b580342c944694883605f4f8a62fbe652912f688197347ba2ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OD2FK6XO\76561199751190313[2].htm

Filesize
33KB

MD5
40f99f954e5e570f1263d9ab2127c574

SHA1
24bd4250e8fe430f2d204f6b15ce6940c122fbf0

SHA256
b2c07daa82ab05d6088165f2bd50922dddb69c65a884f99720258d7538659fd6

SHA512
2734de21bfb8dc37ddbd954102c17e607e9a70f3566d0cd60d49dd6ef31b0e1f1e6e6fcfc2c9964886fc106791cc9d6e3768a400a94634fe48746d51b3e48b4e

Download Submit
C:\Users\Admin\Desktop\S0FTWARE.exe

Filesize
21.9MB

MD5
1b71e6b24ef5af362800674173fdd70a

SHA1
c1a3c341519111125bf7023f8fc33a1ae556057d

SHA256
06f6de001e64611fe8443bab7e400e65d0336fdaf54e1cb57a36c742710ea716

SHA512
c600714781c501c0a6352acfbdcb0c072e06aaef89bac81902848fded89a2c4c3904dfc3271be25d631d91c63c8b79e757c1a6616f6cca2c6593a4fd2ceb8d63

Download Submit
memory/2560-668-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/2560-714-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/2980-823-0x0000000000870000-0x0000000000AB3000-memory.dmp

Filesize
2.3MB

Download
memory/2980-716-0x0000000000870000-0x0000000000AB3000-memory.dmp

Filesize
2.3MB

Download
memory/2980-820-0x0000000000870000-0x0000000000AB3000-memory.dmp

Filesize
2.3MB

Download
memory/2980-851-0x0000000000870000-0x0000000000AB3000-memory.dmp

Filesize
2.3MB

Download
memory/2980-850-0x0000000000870000-0x0000000000AB3000-memory.dmp

Filesize
2.3MB

Download
memory/2980-839-0x0000000000870000-0x0000000000AB3000-memory.dmp

Filesize
2.3MB

Download
memory/2980-824-0x0000000021A70000-0x0000000021CCF000-memory.dmp

Filesize
2.4MB

Download
memory/2980-715-0x0000000000870000-0x0000000000AB3000-memory.dmp

Filesize
2.3MB

Download
memory/3476-693-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/3476-667-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/3988-713-0x0000000000C90000-0x0000000000ED3000-memory.dmp

Filesize
2.3MB

Download
memory/3988-712-0x0000000000C90000-0x0000000000ED3000-memory.dmp

Filesize
2.3MB

Download
memory/4128-644-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/4128-638-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/5228-748-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/5356-676-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/5392-643-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-711-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-727-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-766-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-778-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-792-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-726-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-794-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-793-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-795-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-722-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-721-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-645-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-736-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-659-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-706-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-662-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-705-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-694-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-688-0x0000000000E60000-0x00000000010A3000-memory.dmp

Filesize
2.3MB

Download
memory/5392-673-0x00000000221A0000-0x00000000223FF000-memory.dmp

Filesize
2.4MB

Download
memory/5448-857-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5848-717-0x00007FF789BD0000-0x00007FF78B255000-memory.dmp

Filesize
22.5MB

Download
memory/5956-671-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5956-672-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/6136-833-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/6136-821-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download