vidar | 0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc

Analysis

max time kernel
99s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
Size

1.1MB
MD5

12860c8f39570ea1a7256b7ed9dabccf
SHA1

b57be17b3b1797c933c3187829f6e24cf0fd9b83
SHA256

0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc
SHA512

5945c0a71c12422d964b892944e234f6a04d7d30cc730dd4aa4c6607bd73232dad48d29c12256ed41d6dc2d9d19a7e55afc783ea5f6b88ca8168e962fc55074d
SSDEEP

24576:i9X3iqR+jmjhtHquFUn8dCHELjS6PhZsNrelZ5dwSzhR:itsmfVin8QWS6vUeD5dwCR

Score

10^/10

vidar 23278afe687d1f8637a185abd507382b credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

23278afe687d1f8637a185abd507382b

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/3296-32-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-33-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-34-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-47-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-48-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-63-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-64-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-80-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-81-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-103-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-104-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-111-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-112-0x0000000004BA0000-0x0000000004E15000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Opponent.pif

Executes dropped EXE 1 IoCs

pid	Process
3296	Opponent.pif

Loads dropped DLL 2 IoCs

pid	Process
3296	Opponent.pif
3296	Opponent.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1588	tasklist.exe
1188	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RepresentationsFootball	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
File opened for modification	C:\Windows\CoverRestrictions	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
File opened for modification	C:\Windows\CrowdNamespace	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
File opened for modification	C:\Windows\ComingAngels	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
File opened for modification	C:\Windows\FearsDental	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
File opened for modification	C:\Windows\CestPublicity	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opponent.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Opponent.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Opponent.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4612	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	1188	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3296	Opponent.pif
3296	Opponent.pif
3296	Opponent.pif

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4004	3368	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe	82
PID 3368 wrote to memory of 4004	3368	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe	82
PID 3368 wrote to memory of 4004	3368	0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe	82
PID 4004 wrote to memory of 1588	4004	cmd.exe	84
PID 4004 wrote to memory of 1588	4004	cmd.exe	84
PID 4004 wrote to memory of 1588	4004	cmd.exe	84
PID 4004 wrote to memory of 900	4004	cmd.exe	85
PID 4004 wrote to memory of 900	4004	cmd.exe	85
PID 4004 wrote to memory of 900	4004	cmd.exe	85
PID 4004 wrote to memory of 1188	4004	cmd.exe	89
PID 4004 wrote to memory of 1188	4004	cmd.exe	89
PID 4004 wrote to memory of 1188	4004	cmd.exe	89
PID 4004 wrote to memory of 1108	4004	cmd.exe	90
PID 4004 wrote to memory of 1108	4004	cmd.exe	90
PID 4004 wrote to memory of 1108	4004	cmd.exe	90
PID 4004 wrote to memory of 5044	4004	cmd.exe	91
PID 4004 wrote to memory of 5044	4004	cmd.exe	91
PID 4004 wrote to memory of 5044	4004	cmd.exe	91
PID 4004 wrote to memory of 5016	4004	cmd.exe	92
PID 4004 wrote to memory of 5016	4004	cmd.exe	92
PID 4004 wrote to memory of 5016	4004	cmd.exe	92
PID 4004 wrote to memory of 1392	4004	cmd.exe	93
PID 4004 wrote to memory of 1392	4004	cmd.exe	93
PID 4004 wrote to memory of 1392	4004	cmd.exe	93
PID 4004 wrote to memory of 3296	4004	cmd.exe	94
PID 4004 wrote to memory of 3296	4004	cmd.exe	94
PID 4004 wrote to memory of 3296	4004	cmd.exe	94
PID 4004 wrote to memory of 1300	4004	cmd.exe	95
PID 4004 wrote to memory of 1300	4004	cmd.exe	95
PID 4004 wrote to memory of 1300	4004	cmd.exe	95
PID 3296 wrote to memory of 4128	3296	Opponent.pif	102
PID 3296 wrote to memory of 4128	3296	Opponent.pif	102
PID 3296 wrote to memory of 4128	3296	Opponent.pif	102
PID 4128 wrote to memory of 4612	4128	cmd.exe	104
PID 4128 wrote to memory of 4612	4128	cmd.exe	104
PID 4128 wrote to memory of 4612	4128	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe
"C:\Users\Admin\AppData\Local\Temp\0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Ceo Ceo.bat & Ceo.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:900
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 212475
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5044
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "FACEDRESULTSSESSIONSIMPLIFIED" Activation
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Sp + ..\Encyclopedia + ..\Klein + ..\Sequences + ..\Telephony + ..\Resolution + ..\Ecology + ..\Avoid j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\212475\Opponent.pif
    Opponent.pif j
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\212475\Opponent.pif" & rd /s /q "C:\ProgramData\CFHDBFIEGIDG" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4612
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\212475\Opponent.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\212475\j

Filesize
552KB

MD5
1ef109a71c3995dd5badf0f4a539d4a9

SHA1
06557f5d76fab502f8058669fcfa92fc87cbed82

SHA256
bade49216519e8d82c45664e46b6255feaf866a848ed3b1df5ada342ed195712

SHA512
0e0926ad6d3527d2012c627c4cebbabb60f3d0ab970050f0115c535c1ae0785b54dc0d617905313213dadf9c94262b68779b044cffc34de222fe640bf6be87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activation

Filesize
7KB

MD5
8b0e5b5564040244b7fe987f12c957e7

SHA1
ea193a80e11c4608a9c72d9bb63022688e470862

SHA256
e3f4fbcfa7a3d8e44e82a4b28a38724eb86b46f5599be2a0f1fb9880d0a1eb47

SHA512
7b3328773c503992cb39c6e00583a6452dae33041f22f2964b028914783b28cc15cd87308cc385580dd1ea4c9f5a08258d7d8b6d37de6024133fcc0863ff20c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Avoid

Filesize
5KB

MD5
f14eaeb195d643f4fc9971f78b828491

SHA1
d918494734a26061b7eef0bf8dbbdc3c7bca70bf

SHA256
02f710cb82f8d38f9e99e1be712d9c70552f6175f024e4a035c56a630b3ff066

SHA512
fcb11f07118529e32d44653a6280b1a6fb95daf66025036766a247636e46049300be82c1d0441535ab043b22ec997fde0d04fea4983e671d5ee9862e8d068e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ceo

Filesize
9KB

MD5
81a3e6cbd7092474a997336697873d61

SHA1
c3332238a09567de8acb1f938f960ffd81e13215

SHA256
695e778b876ea0312ad0014ea3ec8940139aa0033e4ec5e6e6da9c836fbc7086

SHA512
812cdf35a082a22a0b3157dd285fd1daa5a3f3ffe48aa79aed92f3fe62108a1bc646380ff60ebdd92600f78b58df59fe74c8956e2d6c5efafd715e092b1e989e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecology

Filesize
62KB

MD5
6ae59a460e37c2486894b1ca8fa2dd87

SHA1
1954f743f6cf5953ff2ebdf0d51204a3e23bd6ec

SHA256
903f19bbcbc63f39726365060e05841b1f85746f78d7a0ae51392a824a97a7bb

SHA512
2c62e9551317d5a8d0e543a5ec760e8d6c7bdf89fc2262b9e21f5ba1b56c00d669b47b281857c2d0a4747f64abb4dc1cfdff1ac7e36cc646432f0c32f708b19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encyclopedia

Filesize
99KB

MD5
10131cf263fe9e86e86fe75276d0a918

SHA1
7dc521b107deaba391232335161fc5c5c2e69ccd

SHA256
94715e887f132abf53cdc3d33022aa22063e1887f56a38a27e48aa21364d195a

SHA512
b87613833fbc0fc1bc3a45266a0240aa7bf121771754f57baef839eb4279c5cf944a62163dda4ff5869ded4dfc939d1119a6552074b51cab5de345660b99c037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Klein

Filesize
96KB

MD5
726700550ac2d42e80a6d3a7405b8c22

SHA1
7d4f9b127505d70c675882485545503d18b4c9b9

SHA256
b92acf55b4f00ae18fb10765fd1bd0115529d0e492b1bf163f7a5ab2e0d367bc

SHA512
2ac52f2c7a186ae3856ef5620f9976504981712622ceb5c07ac128b1fbc02dad056f1296fd512acf4e71262ac2869f6a13e8b7a448f002f6c5031648ed6e8a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resolution

Filesize
63KB

MD5
b110bbafcf6cfb0a8ae2f122ddf20ede

SHA1
a62d46e158a5ac193b6d2631510e67c35d448a15

SHA256
b0fd86c3a4b267d8706d7ae36b4a19eddb8fdb81fcb363c18174be45e64d9cc7

SHA512
3327f6f5fe655f0693694e8ce58e2e4d6e1fedd3f1f93203b359aec3dcc3478757bf1ed178721e519938af73b13d6c380aca6e90a59df60eaabff103e0455459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rings

Filesize
865KB

MD5
25055baf9907ffe607bd6cfc3f6d30ff

SHA1
3c77f48211fb315980d89ecafab8a74c5025aaa6

SHA256
e4a175bd91a15df2f47e2e65c2ad7ab8cd350425c8dafb072e479c1a4d6c4be8

SHA512
926d4a1af7a71ceb9b0752cadd17831059917db7bcf2d67c82e6b2b3b034f2d50219c5351bc4a5bcf610386778b24257c68797bf581a7c57e695a1607a68974e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sequences

Filesize
52KB

MD5
42d99c39171ea35a6ecf889749965fd4

SHA1
1021a1ad9ecf4549d71b83cb0ee7bacc4469517d

SHA256
fdcfb94acca7a22919f6e2cb66e7290a336bdddb87525dc15f84e9ccfc048feb

SHA512
ede4aef51c613348b9c7310a844ee1135b4c7bb6794a4026ed02ad29d476502bd7682e650aba5af15637a466ffdf781768d29e9bd544e56587e09858bc94d15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sp

Filesize
79KB

MD5
b217e014693974adfe42c627953b8263

SHA1
4f2b8d085c5f0b9e80ee650d7016f4f423570989

SHA256
4a22f73997cba0fe3b1ecf506bef6f26ca0a84d964a5450396854502f6983fb5

SHA512
25e1726ee322adb04f7f3adc911525ff88632d48d9fb516a3047747e45346f02a463761ec8abb2da2a6696aebc29e48efe69d0e08e07d02db35f02a195ee79f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telephony

Filesize
96KB

MD5
3405b6274e73d544802fffdcd585b905

SHA1
1d03437ae18c199cc66cab1b716031952e096068

SHA256
3f15bffc2b8590d4e959cebd7c30ecc4fedcbb0907f0f7860b5bef19433aaf40

SHA512
aaa25bb57ad965044a8c188bfb3aca20b1ee8986c823c672f7dd36eaac31a32b0036beb9ea64fa13b8dbeeb5960c583c51d1f4f75ed662de34bcf1ceea5a561d

Download Submit
C:\Users\Admin\AppData\Local\Temp\delays.tmp

Filesize
1023KB

MD5
43a1b333a5d6f6c84e6f6a4f28b5c2c5

SHA1
02c7cdb94be185efc03954c2e24738cfaa691c2d

SHA256
9c3f7ad82d80541327fb6987168f02d9160a4a737f67101da2123e9a4ebeb4aa

SHA512
049be239a5c3de5df953a8f6a42a2c9dd8d388a7d9ba0277cb0f46f7e23dc8d8b88d2a337f00091bcc0d10ab0ed0c1da8f73b7d40b99d319e9a4d17b72652bbe

Download Submit
memory/3296-32-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-80-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-34-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-31-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-47-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-48-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-50-0x000000000D300000-0x000000000D55F000-memory.dmp

Filesize
2.4MB

Download
memory/3296-63-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-64-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-33-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-81-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-30-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-29-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-103-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-104-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-111-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download
memory/3296-112-0x0000000004BA0000-0x0000000004E15000-memory.dmp

Filesize
2.5MB

Download