vidar | 5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
Size

858KB
MD5

02edfdc2fb2ff2725436b7646b7f06ad
SHA1

6b6f8ce5a57d18284afd2f819a713b1066fd6660
SHA256

5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5
SHA512

62130603d4a276d5b2f19e14519e4a28c592646602a36a80cfbf4b6e3c5daa191c04a165165985940f4c1b0376fb34dd7253586d44042f4883bdb395f486b0dd
SSDEEP

24576:gICXIncUD5fti6zrGgfF/4l2CxeE6ivsT8FTTnW:DiC5tiol4lrPvsUT

Score

10^/10

vidar 2e711c8b5340db8e327be6ebd943b70a credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

10.6

Botnet

2e711c8b5340db8e327be6ebd943b70a

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral2/memory/2076-70-0x0000000004A80000-0x0000000004CC3000-memory.dmp	family_vidar_v7
behavioral2/memory/2076-72-0x0000000004A80000-0x0000000004CC3000-memory.dmp	family_vidar_v7
behavioral2/memory/2076-71-0x0000000004A80000-0x0000000004CC3000-memory.dmp	family_vidar_v7
behavioral2/memory/2076-74-0x0000000004A80000-0x0000000004CC3000-memory.dmp	family_vidar_v7
behavioral2/memory/2076-75-0x0000000004A80000-0x0000000004CC3000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 1 IoCs

pid	Process
2076	Nipple.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1708	tasklist.exe
1388	tasklist.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MpegMag	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
File opened for modification	C:\Windows\VictorianFt	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
File opened for modification	C:\Windows\EngageEligible	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
File opened for modification	C:\Windows\ReferencedSimilarly	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
File opened for modification	C:\Windows\ZoloftUnable	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
File opened for modification	C:\Windows\LabFluid	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
File opened for modification	C:\Windows\PipesBras	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
File opened for modification	C:\Windows\ProblemThanks	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nipple.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Nipple.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Nipple.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4928	timeout.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	tasklist.exe
Token: SeDebugPrivilege	1388	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2076	Nipple.pif
2076	Nipple.pif
2076	Nipple.pif

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4872	3480	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe	80
PID 3480 wrote to memory of 4872	3480	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe	80
PID 3480 wrote to memory of 4872	3480	5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe	80
PID 4872 wrote to memory of 1708	4872	cmd.exe	83
PID 4872 wrote to memory of 1708	4872	cmd.exe	83
PID 4872 wrote to memory of 1708	4872	cmd.exe	83
PID 4872 wrote to memory of 3428	4872	cmd.exe	84
PID 4872 wrote to memory of 3428	4872	cmd.exe	84
PID 4872 wrote to memory of 3428	4872	cmd.exe	84
PID 4872 wrote to memory of 1388	4872	cmd.exe	86
PID 4872 wrote to memory of 1388	4872	cmd.exe	86
PID 4872 wrote to memory of 1388	4872	cmd.exe	86
PID 4872 wrote to memory of 2240	4872	cmd.exe	87
PID 4872 wrote to memory of 2240	4872	cmd.exe	87
PID 4872 wrote to memory of 2240	4872	cmd.exe	87
PID 4872 wrote to memory of 4828	4872	cmd.exe	88
PID 4872 wrote to memory of 4828	4872	cmd.exe	88
PID 4872 wrote to memory of 4828	4872	cmd.exe	88
PID 4872 wrote to memory of 4996	4872	cmd.exe	89
PID 4872 wrote to memory of 4996	4872	cmd.exe	89
PID 4872 wrote to memory of 4996	4872	cmd.exe	89
PID 4872 wrote to memory of 2448	4872	cmd.exe	90
PID 4872 wrote to memory of 2448	4872	cmd.exe	90
PID 4872 wrote to memory of 2448	4872	cmd.exe	90
PID 4872 wrote to memory of 2076	4872	cmd.exe	91
PID 4872 wrote to memory of 2076	4872	cmd.exe	91
PID 4872 wrote to memory of 2076	4872	cmd.exe	91
PID 4872 wrote to memory of 4556	4872	cmd.exe	92
PID 4872 wrote to memory of 4556	4872	cmd.exe	92
PID 4872 wrote to memory of 4556	4872	cmd.exe	92
PID 2076 wrote to memory of 3888	2076	Nipple.pif	93
PID 2076 wrote to memory of 3888	2076	Nipple.pif	93
PID 2076 wrote to memory of 3888	2076	Nipple.pif	93
PID 3888 wrote to memory of 4928	3888	cmd.exe	95
PID 3888 wrote to memory of 4928	3888	cmd.exe	95
PID 3888 wrote to memory of 4928	3888	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe
"C:\Users\Admin\AppData\Local\Temp\5404b9605d8226e51c5a2e9d4f63b31dc96539ecbff11c14138016e7838da1e5.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Itself Itself.cmd & Itself.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3428
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 171314
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "UNCERTAINTYBASESHOUSEWARESSTRIKE" Accompanying
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Vid + Fever 171314\c
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Users\Admin\AppData\Local\Temp\171314\Nipple.pif
    Nipple.pif c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\171314\Nipple.pif" & rd /s /q "C:\ProgramData\CBFCBKKFBAEH" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4928
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 15
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\171314\Nipple.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\171314\c

Filesize
319KB

MD5
587de72653f6b289f039fa2865c0d64c

SHA1
7d5d20166f5e26f48d91b6475b1beb05cb8f05f9

SHA256
085a2f429634c4f509d733f81f2878f4b49c9da20ef4dbf70fb4943fdc0ae170

SHA512
fd118b05e86dab3b4c1cf14986cef33d573c3a8531c1cfa4aff8a4698f57f48ef42c23ca5c80a03ae4be2f1d6f05953aed875b20f19e478cfee19fd43be21216

Download Submit
C:\Users\Admin\AppData\Local\Temp\Accompanying

Filesize
177B

MD5
bdc036b55334578eac4b217f69da1683

SHA1
9451a579739dc9014097a241342aaaafc971d78b

SHA256
6fc36603b0e8ba1600662c9ca541c936f724f2396c0ca5e898e235a10ea9e339

SHA512
4218de2fa66de11b246b3f16646975631f36270fc2a20872c438b61942882fe5ee21fbe93425a9cb64d703b882b8d21684cf378ff23fcca32810d85341992c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Andrea

Filesize
33KB

MD5
7ee772d42a7fcadf3c27ec8f3f6977f4

SHA1
3653a5cc5e97415633f4296fa42d0f1dabf9a0e1

SHA256
22571ae701b1b067d5f45490293e5a13c4e93a0758e5564d45b68031c3820fa5

SHA512
3f3aa7752ca1d1b052a69c013f47458b627d4fe76e126ddd5f273731a8c086a591afb5e1762cb5db6e6556c0c3bc76e01253af1a783127d4f84f5709ff1e7dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Appreciated

Filesize
38KB

MD5
39be572cf70526e1594555dd5b7abda4

SHA1
259e4954eccb0ab2df9949da423c273ba5a36d69

SHA256
300d7a45187652159de45379bb6b4b727309d24d6756f38940572b5134b1021d

SHA512
1911eabdf1e55e58fafd27c1a455360e914828ab6afad169763d05d91d55fd50ce1f4568479f9363f085580db5c60f7fb6bc8902a802078f97c61318033b7f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blue

Filesize
50KB

MD5
28af503cf2b71441f30a7b0bc7f6d5d9

SHA1
31dc75a1b8212845fe7acdbf133d8c4de8e638c1

SHA256
c5a901ceaa1d90edcacf3be7826aa5a9962c2ce0bb5a896a2a5405c1f7f4084e

SHA512
2890d4d86edba1de2b9b5509665e7ba3681f2b30c4538eb2fcedb26fa5018ae6e4de8a82df39f8b6ced0ad74ffaa55f360fda43896154ce6b8202291dfa534ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bored

Filesize
29KB

MD5
07abb928cb05f03347ef0d03c8b7e4cf

SHA1
fb1dba21e369a19dd7f499917df376e664cfc507

SHA256
3124fb0bcf1ff62792dece40d3192a1b4aa193f5be1207c4a523b37539d25b9e

SHA512
988c25b0f8ba0e4a5e3b1fdf3138818b77476f23dd147f85dfd3e6c46fa02dca323b3897abf2219d81114520f6e4cc051702f6f8d5fc6de6cf0314f0fc13b251

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confidentiality

Filesize
51KB

MD5
e313c90b4830d31e9a334f715d5749b7

SHA1
378ba486fc3e81c18f05eff42da727975f41b6bb

SHA256
423b55bb63564d1b8c23f8fbe40091810c9caa640be597d786be27aa338507c2

SHA512
96259f357b9f1a58c5c31d361b82b0d56372e4dc63cb88b09e975ad24183797b9b3bf39628a1546d481c2f68e898317cea9d74de190f9dfc7238f5d2b7d7b1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Device

Filesize
7KB

MD5
3dd2b0fbae678f43a5bd3bf9d3c59aa5

SHA1
e2b70db4e46e96357a54e55cd556d1fe03cfc47d

SHA256
6e1033a047b06a37ebde5cd7aa86d91561c6e7aaf4f84b1d7fe846984cdfd886

SHA512
fe09006854d98825a09aeb2288fd01a2c80ef5ab0e95a83285c4bd5ad7f0cef4c77a05b32792748b61626bdf071b4638ca63867ad1caaa62c6980a696f31a414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expanding

Filesize
14KB

MD5
658c25de010f9f9fa099a6980892d3cb

SHA1
213d77c605416a66fd9ebdff20fc358fcf4446ec

SHA256
f942c71345e4149052763fc5c467708846110f60a4bcca527f1bc1b4460b5417

SHA512
322eb0e86a86ff8f829aad28ec1d5ca32281c1a2fcb81d18b7be787b745b16d62d6f28d1533380ccc00fdd793385369834db36050b6504a97e03dbe8ac2bcd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fever

Filesize
122KB

MD5
47e1289319e57a3bfc5de4b7b6660a2d

SHA1
6ac1845d227eff4bee4c9c114037d021526a0bac

SHA256
a6dad9e234bf0782d7d927d758dff000c7a9d8f77a7e6b3fa6fa82da1687b7a1

SHA512
b37fcb12260d2df49730db3853631fac08f1ec1478bf32aef59a8ad0a4e7580fa1905b60290ab545c3894a1ba4c234a9bf2821b2c6fb1751a7cdc9605d3518f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Finger

Filesize
67KB

MD5
60669d6d31200efed150448c9f734275

SHA1
6c1e5d8db1a508ba19e25361c1430e1dc3132828

SHA256
c67f7e94abf765d2a87649ee467aff0fe3d8dc46548aaf3abaf03ae10c221e52

SHA512
cf7be74e658054d9feb3e13eef6a496f4c52886d1a1a1c7ec0bd68228b7499f3287a0ca3981d375bf4ec9d108b60d3d602d151690027a682e4adb59bbe58847f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Glucose

Filesize
69KB

MD5
819e127a2bc24f73edd7a77b0213033f

SHA1
9c484d025356e91985bb7ffb28ae628e49d81880

SHA256
bb55ea1ea16eed3db5c9a83b9bd2d6f64bc540220ff1765f788e778b0feb8c0f

SHA512
5d59748c68602eb28f4f320ca842faceb4524783b49f633ae5f2d4440d95a8906b1be60993574fe6b863f27bf43bf590f9268ae4eb37a340eceead5d6bda5253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hereby

Filesize
26KB

MD5
3b44979512a6505f0eb5f8fad79f5a60

SHA1
b8fbec4af12b60915f345811b2fbb18ed0f6cd3e

SHA256
dc94fec331b9ed64c10f979ce3a1548db33e68a56bc4ce7ed00228824ab15f4a

SHA512
1b9bf2a6406aac760fc780b59efa1997661511bc99bb5a6f430f0c95fcec8cca209eca778934a1b726d0caf13589baca93a114dbaa2391561b08d49336f851eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Identification

Filesize
12KB

MD5
0593371dcb9ee24adb3b6f179bbb23fe

SHA1
9f6be532dc20cfe850f24f143e4b86d21c6e050a

SHA256
356cbf956075e7ffd105ec905ad0405b2f358df4f8c39703e51897e0822e60a8

SHA512
e5f0cd0fadfd6c8718009147971f496b7920b2743b896618514025a481d24b85ad2866bc710623b0249dd2f9bd085da73f86ea8a5ce9c98f9c7522517ab56002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insert

Filesize
56KB

MD5
b852380037e7f44725dc843945e2cdd5

SHA1
3e1bcfe278e080c7033ac6c89d1b3a4568dd9bed

SHA256
44eefb3d796217a6f49f8fa757f80d685fc728c7457da69eb33c6b956a396291

SHA512
f0e60c9b848a3cc2608f59307aa2a159623aacbd64e1d1426c59836dee3107d41d080737ccca24122bd23ae17bc19cb5b52e906f1b86d6e3e0199bc06ce3c87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Itself

Filesize
23KB

MD5
9b4084d4758232c04174baafea0519a4

SHA1
a80a8528dbc21a6d68ac8477043c41267db19bb8

SHA256
9788c6a400807dc158152fa945379d957ddc2cf9cdf65e47f42a0365169c1e49

SHA512
597416da21f174ee6a32e6885811d4a7ecd5d71c3ff7b1ba69ee5c0eb2c7dbd4a75b6f2bf6987013b5a695cbe8443bf4605bc9b8c9020487f14afbb79fe5a9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs

Filesize
23KB

MD5
1bcac3f7bc40aff498a176db7cea41a7

SHA1
c3ceee1d90ad8d860a86722b55313c9e851d33da

SHA256
68b07a5ba702ef333cd5961461a3cd5abe6954e2f17b726152b79b7d39ac3961

SHA512
6ecb2154963c65d5476ca7b3dec8f981c239ac18c7b1e0d604bd2bdae9f7eac6f78abe19c0afd2070a0a65454bfe93a6e76fa48204f3535d1f1fb77b28c095bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Magnificent

Filesize
49KB

MD5
2e4f491afcf72493bcc4c6f7cf5c943d

SHA1
c87c9e28afc6116a7a34487dedc861160e519d84

SHA256
38f78e10b49932d02cbbd0e090c7967986a3840c3a80d7deb281dd9766c18032

SHA512
437ab39e3331f2d5e70f01ef3badb11b6e7905446b84b85e157bbaf4b7afe6ef22bd0ba529a2325625b57410fe2d1ec591d5bf1e0e9afd8e06db11e46c836ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Make

Filesize
66KB

MD5
400bdda3d93a9e37a4b037d64f2b478a

SHA1
8df9d16c108e373d5d0a9ede49041944e471cd47

SHA256
de237bfae0b57283c72960f4263238a42bae8c83c451b033c729b39c63fc011b

SHA512
a84d2b959d2509ad412ff78c40f50bcf5b8111f4abe8cb3e40d404fa903284de06495862b1c5ab02722e8603a55bf1884e445d3d50d82117df571fd9dd78d8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mall

Filesize
40KB

MD5
972fa00ff8f508a95e781d8470f3b4a6

SHA1
206ab003daf63b7e5edf9a514f0080be8defcf02

SHA256
470b73302117c3dca2b893380a6fb67255c77d96328d0c9ed7fd61bf1924d7d1

SHA512
040626b1a31b5b197dfe186ed4516530ccf6981c4fc807b934d96c97971db4426ff3a838b4700a3761f060afd139e139a552994e6c6c474e0f6a028c9f800a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nothing

Filesize
14KB

MD5
04dccce77a4ab74b66002d9f7e74ade3

SHA1
795b6ef6291e0ef064c2b1be5d0d011377da7793

SHA256
6b374e24f0e3e68c4b566e6482b5b2de3eb1949b78315282bb5ac9b51d618ade

SHA512
0bb6ef13fad5ccc88a3985195fcdf9830fcb16ebdbbb566c9a98f8541fa0fcf8c85ea2f32902c7ff9f8166f57fc647de20f4d13562c9170190015d523f09352b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Optimum

Filesize
24KB

MD5
adf7e56c3f7a0de955802634fa29b6ac

SHA1
cd7fd4d1e906ff5da16be975517e1012d3bc0d83

SHA256
07929ee4f0f08704d9efe0852de35aefbe2b9a4507a98f41c2185c2a46b4f2b5

SHA512
481bcf37c4bb897bca61a27d795c5aff1bba90dc349b0e9b4cf5b11a672d9743562d3f3d8f64b6c9df0806d9903b08412b0bc9ae6f08153d8ea719216591b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Please

Filesize
11KB

MD5
97684b2f31f4e490ca80fca3e5cb0196

SHA1
5b31b140bda0b3c0f5e50cafa49aca33146eba65

SHA256
cd88464f8c0b37ac93488a31875969446eee7ed6e1cf8d556647f836fdd99bf9

SHA512
3430b926cfcf8c0c9642d0956e128a09bd14f1d84a4b7cc394430db8bcab7ab246795365092b3e11ac1fb142a09b3d53b4f1c022bb587e2284c361db08914d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Presentations

Filesize
45KB

MD5
8faebb94c5dbe2cc3efc24faf55dd735

SHA1
9414b903bb57af30490a9ad6f2818def69d0bfc8

SHA256
4fc279d8e01412940d59c706a9e4e4afae56de2ca81ad515964b1ddd95063b89

SHA512
dd4c7838f6b49edba6eb484e3656bfbe80fd814d3bdefd3a735a4227d6b9e04051bc1bdc5e9a9209f119aa29e0b227eec5d56831506498c03cd8cc12d2bfa569

Download Submit
C:\Users\Admin\AppData\Local\Temp\Price

Filesize
13KB

MD5
48049fcc42ec5f3210a10e4b2f842ace

SHA1
1ee595cfc3621950f9f315a0ad540f52f321d665

SHA256
c425c4b05944d297ff409fc7fe7ed3fe1a8a83cbd85a54381f4db42a6090b1d7

SHA512
631f1f1210d4225b39a403c707e74af80eef2d54d0a9ffcc9a52a837d6011b60bcfc61e4d277f71ff3d73a423d57a7095f97ef39dcaf976958beb0e5160e83a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pubs

Filesize
42KB

MD5
1db516b1e32807553bc2732ae2f8af5b

SHA1
414ac6bf66e36610bdbf34f0f2fe7d5820e4a79c

SHA256
cb2506824945395768899536476f01f46ed94455c589d88a95575c4a24f4cfd1

SHA512
fff01a1baf0739fac47f346f07e39ae78006abde92f5ab7d4c28d7b7d461802e933bca114117a5355b682be1443058b620874609e82aedf2d72e34d79786fbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shepherd

Filesize
8KB

MD5
58866ad57d2b7a597482d9e63a40506e

SHA1
0d9217bad3b465d598813741c9dcb60d2390e51f

SHA256
6a43dcb071256626c606de890101f17d2e1ac241833a17e6b6ceefa49cc154b5

SHA512
e3d8d56b27a5930683d3f4e954580b903d7f0a26250bb1abbd20b72203ab3b453c552b478efd5a3e8608bcdda23ed91ae64176feecb5b20ffb846feff65b38ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Significance

Filesize
49KB

MD5
a47979544491bcb69850574d56577d89

SHA1
7dd735b0138b3aeaea52c776c2bcf0fbf3d779e6

SHA256
b2a841da6477b9dab621b3721c1a7ccf8d60620c88a090f99e11f94d1164861c

SHA512
7677527db58067f1db8c3e33e761c1e2d0f1530f4c4e8881c78e6710ce931eb1f0b40b71e67c6fdb45003fc9e2cd5a6ca6e158eaeb3ec21ee1a72f17b2771984

Download Submit
C:\Users\Admin\AppData\Local\Temp\Surf

Filesize
19KB

MD5
5aa7f8445adfa5e495793236d41e334f

SHA1
2f86f38ddf4b9ad036a3a74eceb6a3085b11b5f0

SHA256
aee3f9819aa491efa6e7d3e532ac67ea36cd5046dd5bcff5ac949395b1458023

SHA512
9488814888afefd2cea946af65f5c210bf77484056d4645a044c265e8945373767239d007946abb660d8d9d4475771fd31997641634b10e2096ef6440cffd7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tex

Filesize
69KB

MD5
ceba571e70a6cb3aeee9f2c12bfb7b92

SHA1
580ecc48b429af90131db9f3d618b419bf382ac1

SHA256
47e22c13acd6f759cec18a31e2e347c32e17be7c5c238f0c4c0ba20caa4e079c

SHA512
f925e2a82ab2da8b8186dc39afc2fa06d80f8ae9324fc156fff1a393dc7350b05683aa1b542ecad2c2f283232fef276c9fb89d44444986c099d9f527a33f5434

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vid

Filesize
197KB

MD5
44dcd8a33daecf463a4eea23dcc032c9

SHA1
209f5ba5cddd9ba8116af65cba8636fff71482a8

SHA256
ea1e04abbed2af595391a1e4f109db117827b9194a290cc5dd84ade46c250006

SHA512
9738190ceabbb7a53699058565666d20b8370597246f3b1481b9262a86b26eaf4533cdd7db6e6e1edd772f676e183223c83408c086f55a03651d121044f66497

Download Submit
memory/2076-67-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download
memory/2076-69-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download
memory/2076-68-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download
memory/2076-70-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download
memory/2076-72-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download
memory/2076-71-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download
memory/2076-74-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download
memory/2076-75-0x0000000004A80000-0x0000000004CC3000-memory.dmp

Filesize
2.3MB

Download