vidar | 1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe
Size

4.1MB
MD5

4f3ddd6692d604ecf2bd37d93d0f2387
SHA1

78a00b190d88eaf514b5bf2af754681795de9e44
SHA256

1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d
SHA512

2e1720baf9ad49781d224ac23ebe25aae6073465e7e962bde9759941373ec0109176be8d7a1693b0196b6ac1912d84b96422b2758e2e3143dec76de1154f4153
SSDEEP

98304:9BkNhx7tr/K0pB+km2inP8I0zJDd0TfuBUR8/Rg:9BkNVbiP8fDd0yBUy/q

Score

10^/10

vidar 8804a4f27e22750a8baa49e881ddca35 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

8804a4f27e22750a8baa49e881ddca35

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral1/memory/2120-120-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-122-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-267-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-286-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-315-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-334-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-463-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-482-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-525-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7
behavioral1/memory/2120-544-0x0000000000840000-0x0000000000AB6000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
2676	Fly.pif
1016	Fly.pif
2120	Fly.pif
900	Fly.pif
1144	Fly.pif
1636	Fly.pif
2188	Fly.pif
2168	Fly.pif
1760	Fly.pif
1064	Fly.pif
1584	Fly.pif
1740	Fly.pif
1944	Fly.pif
2316	Fly.pif

Loads dropped DLL 16 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe
1016	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2120	Fly.pif
2120	Fly.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2108	tasklist.exe
2852	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1016 set thread context of 2120	1016	Fly.pif	45
PID 2676 set thread context of 2316	2676	Fly.pif	57

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\FunkLeague	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe
File opened for modification	C:\Windows\OrganisedFreebsd	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe
File opened for modification	C:\Windows\LovesGrows	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe
File opened for modification	C:\Windows\TechnologyThousands	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe
File opened for modification	C:\Windows\ApparentlyCollectible	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fly.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fly.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fly.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fly.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Fly.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1512	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Fly.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Fly.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Fly.pif

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2676	Fly.pif
1016	Fly.pif
2676	Fly.pif
1016	Fly.pif
2676	Fly.pif
1016	Fly.pif
1016	Fly.pif
1016	Fly.pif
2120	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2676	Fly.pif
2120	Fly.pif
2120	Fly.pif
2120	Fly.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	tasklist.exe
Token: SeDebugPrivilege	2108	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2676	Fly.pif
1016	Fly.pif
2676	Fly.pif
1016	Fly.pif
2676	Fly.pif
1016	Fly.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2676	Fly.pif
1016	Fly.pif
2676	Fly.pif
1016	Fly.pif
2676	Fly.pif
1016	Fly.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2820	1984	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe	30
PID 1984 wrote to memory of 2820	1984	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe	30
PID 1984 wrote to memory of 2820	1984	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe	30
PID 1984 wrote to memory of 2820	1984	1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe	30
PID 2820 wrote to memory of 2852	2820	cmd.exe	32
PID 2820 wrote to memory of 2852	2820	cmd.exe	32
PID 2820 wrote to memory of 2852	2820	cmd.exe	32
PID 2820 wrote to memory of 2852	2820	cmd.exe	32
PID 2820 wrote to memory of 2856	2820	cmd.exe	33
PID 2820 wrote to memory of 2856	2820	cmd.exe	33
PID 2820 wrote to memory of 2856	2820	cmd.exe	33
PID 2820 wrote to memory of 2856	2820	cmd.exe	33
PID 2820 wrote to memory of 2108	2820	cmd.exe	35
PID 2820 wrote to memory of 2108	2820	cmd.exe	35
PID 2820 wrote to memory of 2108	2820	cmd.exe	35
PID 2820 wrote to memory of 2108	2820	cmd.exe	35
PID 2820 wrote to memory of 1924	2820	cmd.exe	36
PID 2820 wrote to memory of 1924	2820	cmd.exe	36
PID 2820 wrote to memory of 1924	2820	cmd.exe	36
PID 2820 wrote to memory of 1924	2820	cmd.exe	36
PID 2820 wrote to memory of 2760	2820	cmd.exe	37
PID 2820 wrote to memory of 2760	2820	cmd.exe	37
PID 2820 wrote to memory of 2760	2820	cmd.exe	37
PID 2820 wrote to memory of 2760	2820	cmd.exe	37
PID 2820 wrote to memory of 2660	2820	cmd.exe	38
PID 2820 wrote to memory of 2660	2820	cmd.exe	38
PID 2820 wrote to memory of 2660	2820	cmd.exe	38
PID 2820 wrote to memory of 2660	2820	cmd.exe	38
PID 2820 wrote to memory of 2340	2820	cmd.exe	39
PID 2820 wrote to memory of 2340	2820	cmd.exe	39
PID 2820 wrote to memory of 2340	2820	cmd.exe	39
PID 2820 wrote to memory of 2340	2820	cmd.exe	39
PID 2820 wrote to memory of 2676	2820	cmd.exe	40
PID 2820 wrote to memory of 2676	2820	cmd.exe	40
PID 2820 wrote to memory of 2676	2820	cmd.exe	40
PID 2820 wrote to memory of 2676	2820	cmd.exe	40
PID 2820 wrote to memory of 2880	2820	cmd.exe	41
PID 2820 wrote to memory of 2880	2820	cmd.exe	41
PID 2820 wrote to memory of 2880	2820	cmd.exe	41
PID 2820 wrote to memory of 2880	2820	cmd.exe	41
PID 2820 wrote to memory of 1016	2820	cmd.exe	42
PID 2820 wrote to memory of 1016	2820	cmd.exe	42
PID 2820 wrote to memory of 1016	2820	cmd.exe	42
PID 2820 wrote to memory of 1016	2820	cmd.exe	42
PID 2820 wrote to memory of 1688	2820	cmd.exe	43
PID 2820 wrote to memory of 1688	2820	cmd.exe	43
PID 2820 wrote to memory of 1688	2820	cmd.exe	43
PID 2820 wrote to memory of 1688	2820	cmd.exe	43
PID 1016 wrote to memory of 2120	1016	Fly.pif	45
PID 1016 wrote to memory of 2120	1016	Fly.pif	45
PID 1016 wrote to memory of 2120	1016	Fly.pif	45
PID 1016 wrote to memory of 2120	1016	Fly.pif	45
PID 1016 wrote to memory of 2120	1016	Fly.pif	45
PID 1016 wrote to memory of 2120	1016	Fly.pif	45
PID 2676 wrote to memory of 900	2676	Fly.pif	46
PID 2676 wrote to memory of 900	2676	Fly.pif	46
PID 2676 wrote to memory of 900	2676	Fly.pif	46
PID 2676 wrote to memory of 900	2676	Fly.pif	46
PID 2676 wrote to memory of 1144	2676	Fly.pif	47
PID 2676 wrote to memory of 1144	2676	Fly.pif	47
PID 2676 wrote to memory of 1144	2676	Fly.pif	47
PID 2676 wrote to memory of 1144	2676	Fly.pif	47
PID 2676 wrote to memory of 1636	2676	Fly.pif	48
PID 2676 wrote to memory of 1636	2676	Fly.pif	48

C:\Users\Admin\AppData\Local\Temp\1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe
"C:\Users\Admin\AppData\Local\Temp\1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Minolta Minolta.bat & Minolta.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 159317
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "THOROUGHLYSURPLUSABILITYSOMEBODY" Vii
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Plants + ..\Computers + ..\Lbs + ..\Analyze + ..\Examines + ..\Dc + ..\Doc + ..\Dam + ..\Senator + ..\Dump + ..\Reading + ..\Advantages + ..\Contributed + ..\Hamilton + ..\Detailed + ..\Baghdad + ..\Investigator + ..\Percent + ..\Opt + ..\Ext + ..\Premier + ..\Sony + ..\Profession + ..\Candidate + ..\Detected + ..\Los + ..\Innovative + ..\Temporary + ..\Constitutes + ..\Downloads + ..\Mysimon + ..\Publication + ..\Judges + ..\Kitchen + ..\Beverly + ..\Empty + ..\Freight + ..\Prime + ..\Glance + ..\Mai + ..\Gr w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
    Fly.pif w
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:900
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Breaks + ..\Brad + ..\Patricia + ..\Implied + ..\Payroll + ..\Coins + ..\Promotion p
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
    Fly.pif p
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      C:\Users\Admin\AppData\Local\Temp\159317\Fly.pif
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAAAKFHIEGDG" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1512
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcb9fc7a8e92af9b65080a3b797bfcb4

SHA1
8d0d7bb37d18eff51f3b12945f57a177a516286d

SHA256
1074e6f423a06d651c267849ff92ae48b14d6beafa50b59a1d80b32465b5d9fa

SHA512
bfcae161206e1a413f1608e2c635ec384c8af5fe2d2a9518113ee57f967ac29d117e443da8b43d9bb80f3f6d62ef0a650427e5e4dd150aed21f05d0de5688a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\159317\p

Filesize
591KB

MD5
9f2a02d3b5a627d80d7b24d820232c80

SHA1
fec45a5845778da079d0ed6fa72b674ab722b7f3

SHA256
261e1196eb1b2489e697641ad8e9e7796563ea48523691bf031ba4bccc71b201

SHA512
d2d65dbddc61aae163e5faed14a432a78fd5d39d5fb77e41085c4fef51e1743ff871f1b80a342921a77088e5481a0130728aa098f9b0b1448c585066cf35426b

Download Submit
C:\Users\Admin\AppData\Local\Temp\159317\w

Filesize
2.9MB

MD5
ec15ad868421401f26f979c273fa127f

SHA1
cabcec24bc6eff3bfc62129295642a058909591e

SHA256
6f65df42085b5497672602a3c36b774a3a1f5afada3e10ba2d3a241564a964da

SHA512
3ba56f8d30bddc8a0c131eb775c8006fcb58d5704b20e1971ddd2cd6e642695ca095f22446637ca55903e74584097675ca69fb2d1583468197eb397f64eb2ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advantages

Filesize
97KB

MD5
580a7a19713d7abff5c9dd4d2063911c

SHA1
146556873367aa5e50556d218c8902c41fa82c08

SHA256
d70f8217864f2a45d1c7c56a3cb9189b1119c4707f7516569b460909874feae0

SHA512
2ced33870252f247663df61adb84a8354214419c6f241323b31a5c9d3c7903944c52168e619d61bceb958d73b9bfa1278237454482c09adaac9836e9c7c7b30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Analyze

Filesize
67KB

MD5
b06f47c013469a8799111e54016cb8c5

SHA1
01f47777d4b47e88564079f939751f9fe1fd490f

SHA256
3e286eb67105d7ddcae8065f741f057f4881d31a1d17811a0f4dad6dcbcaebad

SHA512
72dca03efd85174ab23a770a087fdd1c4708d566529d5886ab79e7c35aafb03d751e3918f94af023115a077f9be60241911b37ab2830c78ab41cf320e585ba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Baghdad

Filesize
78KB

MD5
4014b7236512b1a393568aebd0a018c4

SHA1
8ebdc4af7955f408cc872475ba9cec0bc84506b8

SHA256
b0cf64b7921e18abe7944b8c8f0ae58726804a793f1ff467fb765a4fff59f33d

SHA512
a10f170cc88753c34bb51b5d4ea11d61d3ba0a10bb6887eefaa0044de4d1dc797e8953b8808e18e1a4fb4c1b79f7d5883c48c3e973b0847a703bb7f3a4796e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beverly

Filesize
56KB

MD5
581c3d948bf002949ebf7e50d03049ac

SHA1
19b5e6fa5bd7f1fd3ac0eb5690d259257b9be1ce

SHA256
ed4e31662fb0602cbba88465a525ecd4e4fdaeb735ebbcab2c33b4a2552be86e

SHA512
2ed95e28944757201055e7330b62c892fae7e1bac61259a9a9580874c0054bd6840d8f70b1a6a134b28dd50451f7104f73fc8e033e12c9c5e2fc8caac2c0e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brad

Filesize
96KB

MD5
f561721eeedddb41c4880a8a5bef7e4c

SHA1
4f6fb263f677310280b4b5629a48cb62d02b70e8

SHA256
0ff3c029a75b1d65c6dcd1106a939eb8878c518df55d6c9e76d3fe94afd8a77e

SHA512
a010944c6c9aa9e14f73eb1aa73fcfa2434bdba2d1e5a87b17609753dc889ae36ce1f602a21125ac3bbda45ea8056fcf23f5cbb770df89f2a75eda52545b9e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Breaks

Filesize
98KB

MD5
485219d304b992ab0ed781035200dfad

SHA1
63e8987ceb45c436492710ca01ebb446401c56be

SHA256
47fd1258bb717f6880500500e159a40737622cb6f23fc8ec5939f8cc9749a514

SHA512
4239cce9da7862b942cc9a482c2ebd84545139b367399689bc00e8765c078de1afa3c903037b7af272636ec4e77f56f35ddc408208b454c60b128d757cd6762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Candidate

Filesize
59KB

MD5
db394b34dc8c1f32c5fee56ae84af83f

SHA1
37346eba572c66762b64c04a7dc3e3cffa44b807

SHA256
dae061dc70b8c9f6ac8dc309921cc556d9b54ad08c9e432821e0cb2369fdc7f9

SHA512
a2b4baa8e5771ced385bd70f687c4e0843b77d0a1b856fae40d1403aaea9c153dc0813386407ee5a3f07ceb2f41177fcbb61c0293fc425cad1b6b4d421797762

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coins

Filesize
90KB

MD5
5496d97e1487b3e431b494dd2834d232

SHA1
a0517a515513faec1c0fb8347533f7f0354da5f7

SHA256
5bf6f26232af38e59f07c3236d6756ffb71ceafe96d02e162fe2e6337dd52426

SHA512
0250fcce2279210cd97517e652942011d16e0c20f116c70d3cb00ffce99a08dc5169a45ce5c1df5989c0adb7b1ac1236654a359d4ad681b4433c8d726c368509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Computers

Filesize
89KB

MD5
d02ffc8e8d580756714bb5d18850359f

SHA1
7ccccc42648f88900eefae6981f8011ed1e56599

SHA256
65d64f8320597afbd596c0b1a21269121dfb22a878dfbd33aa8819a9fc23ea06

SHA512
c694fd8cb647229a73a698c6884bc6e06a2e3a29c2f014b387343ca755b137989a08ce4ccbfcd7f7ceb85a104ed8ccb119af9e0ac2c36764a413629a9d7002dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Constitutes

Filesize
64KB

MD5
e293e737b6d4ed35e3dcdefb2de7c6c0

SHA1
a149afa7c0b54c906342fc8d1fdedc7bc23e8157

SHA256
9b917d4e0a319bc3cd87d04120b195e3816a99b68076e29abf652768b19fb597

SHA512
db11f3e4cb2de153c9f392e69ef6fd824765136a8fe17264821d096bb38f55134a6740bee24e7bc6474b68ec71ba3b14797ac854688f7d35b1ce6e4235655b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contributed

Filesize
86KB

MD5
f8b7deeab4f7e6abb0ea2a25b3417c76

SHA1
d101a6e4c878c1f80312ef0214a6beb69f6b03da

SHA256
684ff6989ccf166e8eb0e4d1c9436f46c95fe49e2589b50ec8f584f9c7f63543

SHA512
28f356efcbdbcdc96dbce8cfe1d26605417925cbb23dc51d533a5b1ac9403512263d2d618e8ee72ad056fc3730f9c45d254051ceeff78da624a568829b005cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dam

Filesize
79KB

MD5
9e9195ca990a22a5716e739236a2650a

SHA1
aa82e3dc82adaaa3805431319f4b9f44c06417f3

SHA256
f8f955541de3569c624a02516dd6ee147b0952f0df671a2a4067e903e60c8ed2

SHA512
41913c289922f8ddcf26c90a32140bfa2d4422fb65ca27871e083f6a7589e193120acc99ca4765e5cfbdafb992a189545cc69724f30cfec3e732e1cd322fbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dc

Filesize
97KB

MD5
3d988a045d8092d4e4a466e277e2001d

SHA1
d018925ea4cf617635cf69da01a216fabe9f22fd

SHA256
b960dc026386fbc67603376ba2071efc41882b0519fdbe7f20f5861a8185c485

SHA512
e0bba3b7590f72641f7c4f07673b532c966316f768034b8607a0cde5768d838d626e97178ca1685d2a5f847298f5f4dea5458e9d17f4f9abc2ecd4a2f4d09246

Download Submit
C:\Users\Admin\AppData\Local\Temp\Detailed

Filesize
88KB

MD5
1980d489df832d1057fda821d61723c3

SHA1
f2953ae4ce7e26d0b84569b588c55778c011f277

SHA256
ab1870ee87abe5a0bc0c6f202d663c0c73bd8a1ce5a6edae270f386e7a4fd6c1

SHA512
5558f3b51ee42400e4846e666ee19d56da4a0ee9f9369d36e2006f8d39b0f13ed77a70e249cd117a410c4b799273c426f1299a3cd22c44f06451b140b6c25e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Detected

Filesize
72KB

MD5
2d22ae3b8aeb91b8de828e19e229cba7

SHA1
fde673b3a192833a857365b7693f4e3a9b87cc7d

SHA256
693a75a2fb57eaa7a5e30e9ef43820ac85c4eaa3729c66aa91166c8ff3371918

SHA512
883e8cb10fb6a25719b6413fcb238fe590ada4572dd63fdc46f2c69c57ac370258c0a3ad70bd733dca5af5eb474ec09d445366e7b1f90d8b1ae395e2aac64410

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doc

Filesize
87KB

MD5
01864f4ca3d9bb8c2c936780b977fcf1

SHA1
b7f8d84b250ef423bcea67f67cc1ce2e208e2c8e

SHA256
dc14feec945ef5b45c4b0495c1fe806ed43fae2d82ace10eee6d0caea372f014

SHA512
b79f70cd20d2e8fc512640111567c3a0ebb8dfc27f015b9b8cbbc239b88602282dfce2143b1759c70d20fd454a95cbfd547c93ff4db8ffb02fcdcbbcf53ee65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Downloads

Filesize
83KB

MD5
9ad5c10d4f93170ca1057499af66582b

SHA1
074d946aab06f9a5ef073e79c4ce510f0ec1e786

SHA256
bd490aec00e3c142684b25e965bf88ee07c88ebf807691255f599a20e95d7016

SHA512
acd70c17c57c42e1c0b4009222ad3845357ef89fb71b957b114797f457297483b0975ccfb4da3516001911da166fd7ce714a087a4d3177eaf46acc0d9b58f6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dump

Filesize
71KB

MD5
3d65254558eacd933f31167bc0aeaed6

SHA1
bcecf7bbf0a4c48afe89677bebcdcf12b67abc49

SHA256
f960de37acfeca573f09fe06e32fc3d4b844bd18c027a6135d1beb9a4fbf9d7c

SHA512
12670c9ab9449c51d1a58d8ae839e7af8bab14c75de17d33623f3811bffbd8ab2e02a25621f39cabdf7c2b193c1bf41193fd472190f2168d7cdc3dd9bd879e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Empty

Filesize
85KB

MD5
2d237dbc84fb5d77a47a6c0fb8e8326f

SHA1
b975f6b5fd8130ef5fa4826c5a643585caff2e6b

SHA256
46af8f3490fdface57baa718d7ad067b6c7222b5d0c2113a65b3b9424fad3233

SHA512
b649f306de28dda808247cca5c0708ee577ab5e7ce4025ec9aea504358842a5c0168154b609e16e5162e17a2e8c25172acec2df66f5e1c3bc67e96cf13f1d889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Examines

Filesize
61KB

MD5
88dd97b3a55cfe11ef1d6358b67ccc35

SHA1
22b15461912943716c5598eaafe4945581294c46

SHA256
445af3c5ba03ccde2823e392782ea8a9666506fe76beca71cf78f05b86a172a1

SHA512
6d6e3b49261626c4bfcc5a5a2e3b63c2696d0948c3ffd9612a60131b0f35c007941003eaff8233fe10c63d23de99e43c50bf276406a7745d071b89b919a802aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ext

Filesize
85KB

MD5
430e78e63af27dcffc3772cdb5880445

SHA1
cfc0f5ce196e4117b2404955373f9d2f01a451d5

SHA256
5a0f24e726af7fa2f3a01f5a55937f9ea8aeb281251a0e63f58dcd19bece751b

SHA512
1e44e670f4c95c1665c4c57bf4081547c26767579ae9af30cc73a0908fcb6872f153c6a8e2c7b32be8588bbf09a27fb7c4fe246cf7b44b16bba87a63c6d5bea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freight

Filesize
76KB

MD5
a812222189da2384da8d4b9fc1a895ff

SHA1
d033a2b468a247a07cb623ddab65b53257f40d6c

SHA256
d8a6fc9cffeac37ed92c7a92efe6fbf69b28f9c189308908301484d1bbdd275a

SHA512
b7d9730e38b8f15a855289eeeb47f7fbb1f059f32f233f69ae45912050d200455735a03b1c62cac228c9a237b4769457af3eb5365a13fa520c59ccdcbfdadd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Glance

Filesize
60KB

MD5
a5f18223b9d80f51f78caa7024f8908e

SHA1
9c610f2771ce91e95fca696e8cbaa00a2c08d7d0

SHA256
1c1b3dc76b499ca4fc47e3ee73b85de3999c1aa21a18ff0328176073fcfb797b

SHA512
29b90362f7d52a2f5066bc6afa9b71db779e96246b40e8d0b277a5b4fcd2eaf6366d5ea63871f5bfc8858612c2d05ca9cd7d812a3047335d8bfa3f1168ee7f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gr

Filesize
40KB

MD5
02a964c12b3d073fd20af318f0832a83

SHA1
94dba03768efee1cdf6da2f3065f587f7d6dfdb7

SHA256
6f42b2ff75d7b7fac3516ddff91d463844923a3336997880acef8306176bbb11

SHA512
224f6ce38e3f2da37f7daede22380e0e486f67b5b4f8bdcabe9cc3c35364752d6bc3d06582fbd66b88924e4d5d32713dc30624c44e738c032fc3ad97ea3f7c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hamilton

Filesize
62KB

MD5
0df0b42c7ef73c31aedf1dcf87b4b827

SHA1
5df7ff7dfd904557540560247d76755f88a17960

SHA256
518e369c2c1b63d73c6af63670879867f4b7c1073f54defbcc2ec32500a4f7d2

SHA512
1d08d0bda787a4f6a2c5d7218bf430e8955f3a58877bcfcc8d0aefc66e6f6691e0c52ef24b335da509d42983e7ce314bc78bc135996950caf6a7534589384c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Implied

Filesize
98KB

MD5
97fd6247745f23d2c8629b9dd0994d4e

SHA1
5cd09e7c97489251fd5d2b0cb5356bd7c913664d

SHA256
e32ca4ded6f4304ba6ac56294ac7183ed99a396e5121ea964af766187153f0ab

SHA512
d6d15604f42a176fc9d7e8ee3d8da256ae5388972d0208459da09fd772bca71319227c6e825179ae466d1faac6a61cd219cff4cc6beac520928d82fa3c1d2f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Innovative

Filesize
96KB

MD5
e1a9c4a5a6d13e85dad6cd2b38aa6f89

SHA1
dfb507e4c1f636c6dd1f4e5c0758a417a6552346

SHA256
285b0808ef9df43736f0c85c276e0e8415c7fad3c5f4b0bc2d25377ecbd1ffef

SHA512
a524bcd6ba32ab3d7040254b9f341c5fe30e64c606300aab1cc5b0c1604647e09b20f1b344d63c32a4e2a022786e8cbc1e34e9538a1cac62bea58c69c11a0696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Investigator

Filesize
71KB

MD5
9dfd50c3ae7bb53719dd6417132ed967

SHA1
752da3ce720a37d10363172ebed2470e71eb82a8

SHA256
7ad28f975a5da4e7511f0f989616c3d3117f0a0d8a7e5ad2ab5b24388fffab0e

SHA512
2dc6a7cc3f65a3055d2ab9253bf89bcffc2a49701734b4104df9ceb249bc66107133be5faabcce7bac291f1594e5d431f0b2892cb919c987f7217ad03b83b2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Judges

Filesize
51KB

MD5
4d75d1e88fc6f80861686a07d71bc4e2

SHA1
d5ac1703ef1df6393d057196f78e6624c0f1fad6

SHA256
0f16088040e485b09fa2aeff83d5a3b42e86a24f6e77862e666846fa185ae3b0

SHA512
11c9ce864eed13e173101ae5716121cef512260052391fc5ccfa17b1ed21870dda082bbbd19d6d9e5587210a7811015108e90419b459921a0ef8753cfa026c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kitchen

Filesize
90KB

MD5
abb3015ce4254ec83f45e1718c427ce2

SHA1
59a4dc743d387a697fe8b0b13eefd4a54c557b99

SHA256
911ffd3afdaf10e6ac333632fa366001b0259c1f226433cce353fb5a5cd678cb

SHA512
d343caed6eebc8820898b4d92727af9290f2c102afe9e97605096c62686ca51f9ca710e27c5ca4624bafcd52c56f583176d689cf18684e5184d09f3e0c98da89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lbs

Filesize
68KB

MD5
12b78b34f6a96948ac773ba68e75bf46

SHA1
d4a704f2bcbb7c96d2af391b60390a8d55f0cf8d

SHA256
ea7d729355f8611def3c75b661c455f8886c2fdf3b15fd11fb88597aa4b7c5fa

SHA512
13a7ee491da4b7970ef2904d457c04e92ccb8494a03806e50dad0666500b86b3b3ba94d632457126cace081a7f39abfd61ed368f34b085ab97eac150c6f73433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lighting

Filesize
867KB

MD5
bd8f5c6d317c991490a20a85b7b3f3aa

SHA1
650ca2434b5650863e107994dbc83fd01453c3da

SHA256
73bed1be9eacac1239941373f45fc450359d7aa1655cce8514c96eda3a964e38

SHA512
68c6ef4626a13c355c26008c9b6e661ee14c166ee154e3b883a299fc09126cf7035446178fbf6f9a50b062ffe95f8e939ea961c7e2fd9e49cfe5d42494085111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Los

Filesize
51KB

MD5
74a370fb66d736eca25e7b6f8c082899

SHA1
f545b3c09933cef26879adbd5f5f637a3894cdbc

SHA256
4e2c99421abdb1d57877865b3c92bdf7fc8d2e9c6ebd252bdf0de2e5455c3ca2

SHA512
6521dca1aaeebddabf79dc2d94ed3498e90f45c8060a77409aef8cf2fa1460db7e00318ed9f8b4709fc18d802e14251e9870721e96858ac0d28776ea4f7a22f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mai

Filesize
53KB

MD5
4f7bf51fd203dc9f2a32341986112ac6

SHA1
8206c7b1702d4501a3d8131c9a3ad669629f39d3

SHA256
cd134aaf126dd448814027ad746e0b393da08cc374027e3d3cb8609c849beb09

SHA512
d0dce735defbc92be042a85eddf58150d1fb728f261c23c523ee67950b744c301ab686999e8125481d76024bb953867bfd5a7698642ca634ec7108331855e7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minolta

Filesize
18KB

MD5
293c7b504eacfcba3031df341f2f3216

SHA1
cab89d6571d5afa448a08ec1a0d054d4fad19d56

SHA256
e39390833534a670ec2297a57434ff0ae5e7ebc05254279a0858ace511385ec5

SHA512
6d6c40402e07720057cd4ade4a4d397a3ec868fe74ab57266ee48d71a13c57abf3926237c6bd56a35b793d317c077f85532271176564da0101c174ec771ca531

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mysimon

Filesize
67KB

MD5
bc654e2ea1d4493eb6e475752a9c715a

SHA1
356eea07f2166bbb25672b64b52a0a61482b4112

SHA256
85baac76f69fec493265f82aa4eaca2c53919e2ba5615cc52b9cde3c665b7dd4

SHA512
ffe573e4981e32fd4d8f3b8b24b071bd4a09023ac4e749dd373f9526c9476df987ba7b65071b70bbb5634863c20da00fb847235a4847744c80846907699dae01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opt

Filesize
64KB

MD5
0d746aa55c0b0ffdd01b35a3d21cc8b7

SHA1
303374437b55a43084be66e6eacc54615cd3a254

SHA256
1eec29affba7c1565a03ec7fa834a4d73ebbd188559f8e54531dbf00fa5413b2

SHA512
3faaefc8a53f8340db1d75d9b3c8c29246fedf57f863a554750314b5ce6d4467d4d5d6abf70ca25066525483035c6578393b26ef42a00167e0bad7df4db72a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patricia

Filesize
92KB

MD5
d541c92402e55f7941f1c41f88ec2ce3

SHA1
2ea69267a05c24e82abcca96a543c8d71047f349

SHA256
d7db5c4fe3ca712d8f0d787530e8ec38746f510b2a38eb3012ac10b539a1a8a6

SHA512
4f9ca03d28abf05b19525d1c25d9858495ea01eed266c258bcc8ef93c36245f5aa1df9f0de20d600e10f5a554531e6becd3867f5121882ca088113737f8e29e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payroll

Filesize
77KB

MD5
6c5850a8b8c835efb850e50612ba930d

SHA1
85deaff6b39ebf97236eac650e8a0a07d7cde077

SHA256
c7eb067cdffa3b9bf707f1a73ddf8f70b89a751b8a59adfb6221fa7862aff8fc

SHA512
2b18195c202487782216f0560719a49f84735fa5bd75996f0bd8f2d7b034111bc9e6d00aa67b9993157fecd450c5565513d01eaf021894c10b03a8d4c2cfdd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Percent

Filesize
79KB

MD5
c224c3d3192809a5e5d09a136b121252

SHA1
8faac838ea4dcdba905959953dea19da449451ff

SHA256
fe27ec553bb295d7c6e9391e414cf84d88d917452ac4d51fa9c4280305d0eb9d

SHA512
0290aa687e8398d4db8eef5400eb631eb22dbcb8269badca193daf26ce9f18d7d5bf3c8e1fce1afdd6965a03f80aa3b8ba2c816d47dba411379950398640770a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plants

Filesize
62KB

MD5
eba783fe98dc0bf4f59e487b0179082a

SHA1
6fa2593a78d666575e930c9d89bb99a07ea9d4a3

SHA256
e3260322d231bacdf4a081c90f4afd9aad1f87f5339bb35ddde1aaa3e30e9eaf

SHA512
40de8fc250424cdb8d9c0157c754b0f81400217b99aa7326ca4229591c41b04571b6ba16099a5eddf20311480ba42b9fe28c057fb92e020e6c338215fc2ec91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Premier

Filesize
76KB

MD5
33be84a34c336d144ff9532a9ca71bb7

SHA1
2aead765883985806707d8ece66877bd631ea430

SHA256
cc45d632d828f22d3de9d4834754393e5afbf0a43af01ee47ced249fc5b70479

SHA512
2937dbca673104414c3ec8d86e50e2cad1c4da98c3b7ff91dcaf2252406ef157aa9ca45da3915233fee135e5cdab5d4feffee3873a1e837b8d1ec220cd729c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prime

Filesize
84KB

MD5
20a5efb8b50ea616ee40076af54db077

SHA1
df90ec97df888f6bc911905948b329350168c174

SHA256
840ba43d2bec3055a9a00daab0db7c3af26c91796b4d6f9786b233dcfc4794a6

SHA512
2c54b2afda9a73b1b25a87645f7eca5eede063556552b399a96993096a5602741c27d1cf2ecefb41b4e75240a867b9de2e5fb34c640005405c0de46e9f288f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profession

Filesize
98KB

MD5
2095579ddcfde6b955bbb3f3bcea7ae1

SHA1
ec68bfcf85f386024a56909e3f8a1871ab555918

SHA256
c3ba7a55701643d2b8c5d79e310530c36cdac6e337df6b980671f8f606f3f6f1

SHA512
5dcc7a0afc06f05bb98444dcf3cc29904852eda266dbb3a82228e64473c854886a98f200d35b806966c085887a5702dac1ea764cd2c34afcdf32937a61a31bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Promotion

Filesize
40KB

MD5
50cb095267d293e8d44b91dbedc41764

SHA1
d40bdb1ba359c0909ab635c79444296ac3b354eb

SHA256
3b84c4324e6fa2e5d8a411ff90ef857d0122eed1a18f244a19b08c0b9857dc1e

SHA512
99cdf717eff0b3f3c6e474b8489fba62c818b94ad7747c5c83474134b31221e5f74bdebe9cd16f22a54862732fea59ac2fb3895595b639ebb2da02f86c217043

Download Submit
C:\Users\Admin\AppData\Local\Temp\Publication

Filesize
53KB

MD5
1cd7bff23cfcd72ca40fb0be251bfd38

SHA1
2d2f1fc06b04a82cccbdc400958449af3d6a74f8

SHA256
4f26f3d48ff5607c3dd2b00dbc010358693fa8e72212da4b34e2c16af38630a2

SHA512
e5a52d95df05bc57f3a5cbbe41fffec13195eae0120953bf4451b5af24c5e6a6d84b35be28f45b7fec4b7a15c855ed82e506d7c107b79b37b3c089434923f1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reading

Filesize
67KB

MD5
f7f0674d68e01c9618641908cc570462

SHA1
66ff65d1dd7af6a1e48347b8196a96fcc547cfdc

SHA256
92212d8c53eeb0eecb1c2df2de5e5e36f832c881996ec777f2a146879bfb0e68

SHA512
92dcb855a1a5f8019fdc5025a11ebab79540a5be7aca9ed95d573d19d520e844a395c51b16d56da7afe881afe4b00849cc8d4a279ef46d38b78126f2454cbac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Senator

Filesize
81KB

MD5
203e86780e7ff7d7573a5a156e077665

SHA1
029b4c497015a85e11d597fef82ea6d250953dd6

SHA256
ab2e7d5707e9792e69eabba236829e69564c393b0584195abfab631fd4187a8f

SHA512
5ea4117e0fc019a07afd1512dd5b9868e64312d2d09eb0f7208d6256f2d3872884ff3e3b98037dcfbd15debe6eb15fe7c894f1632fda9d77ae8f6bb511f4e4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sony

Filesize
73KB

MD5
5056a164671df52d1d2da7ed8ec37e02

SHA1
b1ceff41eb300dbb6d8ff94bf36faa335fd94f9e

SHA256
ac6936d7dda7c3a6a09b5291590a2626c4037e72e7ecca2b46a9045de90986f0

SHA512
62a1d6336e35c5278f4a7b37b58edf4264c5e9f1494156ff249b0d3ac94af9016b022d5761f2e97d5c21b4dbb31ed02db1ef7b79c86a1bf0e979e25bc899a3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar40B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temporary

Filesize
65KB

MD5
c72d0a3b5dc6c2bb37c2a73213ceb954

SHA1
f08aeca1c0bab3e0426ada1b65a79891d13d2465

SHA256
cfd9c90920ae60ff5450c48b7411ce274264c63c12fe0843ccdb9282706cba8f

SHA512
24c1761763499dc6fe525431eb7372059070ecf14e0054cd053cc34e1f0096f921b4680eb065f8d17a3df98b58ecc4df8708c9f0c6233f686721de99e404422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vii

Filesize
5KB

MD5
343ab6475c36ccccbc01a168a71b8b92

SHA1
28db1ef8e536dc3f0cc7a72987921f004ead082c

SHA256
2e73e4c6b1f001a406254729aac401a40bf3269a1e77aa99ca5c8b95b7cec2c1

SHA512
23afaa4a874cbdaa55e774ae8b79e1a46006ce039a341e951bfd6d43983a9172392c142c8ec0a659f2df85c12e270400a28c05d8cb7df955e065dfa6b36a189a

Download Submit
\Users\Admin\AppData\Local\Temp\159317\Fly.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/2120-120-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-122-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-119-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-267-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-286-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-305-0x0000000021BF0000-0x0000000021E4F000-memory.dmp

Filesize
2.4MB

Download
memory/2120-315-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-334-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-463-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-482-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-525-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download
memory/2120-544-0x0000000000840000-0x0000000000AB6000-memory.dmp

Filesize
2.5MB

Download