vidar | 2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
Size

4.3MB
MD5

db5245aa66c7883d72b0f718467c842b
SHA1

8cf496453999ebb97987874873e33230e5ecec57
SHA256

2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f
SHA512

ca794edcdef86dc2745e87ba4851581e3d0ed83881e0f7dd61351b18e5b467b68d032f9ee6998cc5307dc40dc0f9b9e0c4cfc33b0e9df9abcbe14611e36d207f
SSDEEP

98304:0yeXw/fAXrC1h7a6dsRsB78r3SGE2rKYM0B1KEjjJQf+54C:teUAXObeeB7wM2rtZzX4C

Score

10^/10

vidar 8804a4f27e22750a8baa49e881ddca35 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

8804a4f27e22750a8baa49e881ddca35

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral1/memory/540-125-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-126-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-267-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-286-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-315-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-334-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-463-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-482-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-525-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7
behavioral1/memory/540-544-0x00000000006E0000-0x0000000000956000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1700	Search.pif
1940	Search.pif
2892	Search.pif
532	Search.pif
2964	Search.pif
1608	Search.pif
2444	Search.pif
1332	Search.pif
1492	Search.pif
680	Search.pif
2116	Search.pif
540	Search.pif
1084	Search.pif
604	Search.pif

Loads dropped DLL 16 IoCs

pid	Process
2860	cmd.exe
2860	cmd.exe
1940	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
540	Search.pif
540	Search.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2756	tasklist.exe
2596	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 540	1940	Search.pif	45
PID 1700 set thread context of 604	1700	Search.pif	56

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WarriorsArab	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
File opened for modification	C:\Windows\PainUni	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
File opened for modification	C:\Windows\LighterBulgarian	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
File opened for modification	C:\Windows\RareJeffrey	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
File opened for modification	C:\Windows\PentiumVoyeur	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
File opened for modification	C:\Windows\ClassroomTemporarily	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Search.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Search.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Search.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Search.pif
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Search.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1848	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Search.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Search.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Search.pif

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1940	Search.pif
1940	Search.pif
1940	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1940	Search.pif
1940	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif
540	Search.pif
1700	Search.pif
1700	Search.pif
540	Search.pif
540	Search.pif
540	Search.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	tasklist.exe
Token: SeDebugPrivilege	2596	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1940	Search.pif
1940	Search.pif
1940	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1940	Search.pif
1940	Search.pif
1940	Search.pif
1700	Search.pif
1700	Search.pif
1700	Search.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2860	1304	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe	30
PID 1304 wrote to memory of 2860	1304	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe	30
PID 1304 wrote to memory of 2860	1304	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe	30
PID 1304 wrote to memory of 2860	1304	2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe	30
PID 2860 wrote to memory of 2756	2860	cmd.exe	32
PID 2860 wrote to memory of 2756	2860	cmd.exe	32
PID 2860 wrote to memory of 2756	2860	cmd.exe	32
PID 2860 wrote to memory of 2756	2860	cmd.exe	32
PID 2860 wrote to memory of 2852	2860	cmd.exe	33
PID 2860 wrote to memory of 2852	2860	cmd.exe	33
PID 2860 wrote to memory of 2852	2860	cmd.exe	33
PID 2860 wrote to memory of 2852	2860	cmd.exe	33
PID 2860 wrote to memory of 2596	2860	cmd.exe	35
PID 2860 wrote to memory of 2596	2860	cmd.exe	35
PID 2860 wrote to memory of 2596	2860	cmd.exe	35
PID 2860 wrote to memory of 2596	2860	cmd.exe	35
PID 2860 wrote to memory of 2592	2860	cmd.exe	36
PID 2860 wrote to memory of 2592	2860	cmd.exe	36
PID 2860 wrote to memory of 2592	2860	cmd.exe	36
PID 2860 wrote to memory of 2592	2860	cmd.exe	36
PID 2860 wrote to memory of 2672	2860	cmd.exe	37
PID 2860 wrote to memory of 2672	2860	cmd.exe	37
PID 2860 wrote to memory of 2672	2860	cmd.exe	37
PID 2860 wrote to memory of 2672	2860	cmd.exe	37
PID 2860 wrote to memory of 1688	2860	cmd.exe	38
PID 2860 wrote to memory of 1688	2860	cmd.exe	38
PID 2860 wrote to memory of 1688	2860	cmd.exe	38
PID 2860 wrote to memory of 1688	2860	cmd.exe	38
PID 2860 wrote to memory of 2124	2860	cmd.exe	39
PID 2860 wrote to memory of 2124	2860	cmd.exe	39
PID 2860 wrote to memory of 2124	2860	cmd.exe	39
PID 2860 wrote to memory of 2124	2860	cmd.exe	39
PID 2860 wrote to memory of 1700	2860	cmd.exe	40
PID 2860 wrote to memory of 1700	2860	cmd.exe	40
PID 2860 wrote to memory of 1700	2860	cmd.exe	40
PID 2860 wrote to memory of 1700	2860	cmd.exe	40
PID 2860 wrote to memory of 1852	2860	cmd.exe	41
PID 2860 wrote to memory of 1852	2860	cmd.exe	41
PID 2860 wrote to memory of 1852	2860	cmd.exe	41
PID 2860 wrote to memory of 1852	2860	cmd.exe	41
PID 2860 wrote to memory of 1940	2860	cmd.exe	42
PID 2860 wrote to memory of 1940	2860	cmd.exe	42
PID 2860 wrote to memory of 1940	2860	cmd.exe	42
PID 2860 wrote to memory of 1940	2860	cmd.exe	42
PID 2860 wrote to memory of 1992	2860	cmd.exe	43
PID 2860 wrote to memory of 1992	2860	cmd.exe	43
PID 2860 wrote to memory of 1992	2860	cmd.exe	43
PID 2860 wrote to memory of 1992	2860	cmd.exe	43
PID 1940 wrote to memory of 540	1940	Search.pif	45
PID 1940 wrote to memory of 540	1940	Search.pif	45
PID 1940 wrote to memory of 540	1940	Search.pif	45
PID 1940 wrote to memory of 540	1940	Search.pif	45
PID 1940 wrote to memory of 540	1940	Search.pif	45
PID 1700 wrote to memory of 2892	1700	Search.pif	46
PID 1700 wrote to memory of 2892	1700	Search.pif	46
PID 1700 wrote to memory of 2892	1700	Search.pif	46
PID 1700 wrote to memory of 2892	1700	Search.pif	46
PID 1700 wrote to memory of 532	1700	Search.pif	47
PID 1700 wrote to memory of 532	1700	Search.pif	47
PID 1700 wrote to memory of 532	1700	Search.pif	47
PID 1700 wrote to memory of 532	1700	Search.pif	47
PID 1700 wrote to memory of 2964	1700	Search.pif	48
PID 1700 wrote to memory of 2964	1700	Search.pif	48
PID 1700 wrote to memory of 2964	1700	Search.pif	48

C:\Users\Admin\AppData\Local\Temp\2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe
"C:\Users\Admin\AppData\Local\Temp\2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move False False.bat & False.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 246579
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "KeywordCampaignSolarMatt" Settings
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Enable + ..\Decide + ..\Quarter + ..\Uk + ..\Threshold + ..\Prisoner + ..\Lazy + ..\Solar + ..\Affiliation + ..\Sn + ..\Phase + ..\Sport + ..\Rays + ..\Der + ..\Sandwich + ..\Zoophilia + ..\Swedish + ..\Very + ..\Marco + ..\Brand + ..\Offensive + ..\Beside + ..\Connecting + ..\Film + ..\Snowboard + ..\Placed + ..\Occurring + ..\Brother + ..\Matches + ..\Newark + ..\Evaluating + ..\Flows + ..\Brothers + ..\Manner + ..\Challenged + ..\Approaches + ..\Forever + ..\Wireless + ..\Jamaica + ..\Restrictions n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
    Search.pif n
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:532
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:680
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      PID:604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Upgrades + ..\Experiences + ..\Wang + ..\Rally + ..\Junior + ..\Poultry + ..\Zdnet + ..\Write w
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
    Search.pif w
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      C:\Users\Admin\AppData\Local\Temp\246579\Search.pif
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEGDBAFHJJDA" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1848
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 15
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\246579\Search.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\246579\n

Filesize
2.9MB

MD5
e2bdd610e757222aa8d0842c30a5b8b8

SHA1
8c2df75f2015b347f6fb79451460f40cf00b7dca

SHA256
b962c0db273654b0f3526b0b4867f4c89590458c0ca2ce429a1ad147346697f7

SHA512
eaa9331c7b19face321c928bfe9621802a9a08c28b4b06ca6f4029bdddc73e81a177ba24c277a5b0840cc2be16561eed954fbd2cf197e9f7fc8beec2bc1c5284

Download Submit
C:\Users\Admin\AppData\Local\Temp\246579\w

Filesize
583KB

MD5
aed4768b98be96f2b4f5f33d9f988603

SHA1
d663a8165e5526a57719aa7878eb619fb2ede803

SHA256
14e4e870c2929df52912ba4ca0ce566f003da8d915c00b80cd43e2e66e784891

SHA512
8d8183a1a7698178552f7a112546195909929a5ecef0930682488e5a6700d2418a2b9c309a0bce086074372d6ad413305c5d8d22032ce1b9df4ab16d6bf013c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Affiliation

Filesize
68KB

MD5
68c0be316635a200fac22e3ad0f7bace

SHA1
23a4721014f3c7df06227f05a8fc1dd70a54f799

SHA256
b1b492c5108b1cad9a8db5a620a622537bfc7e1f9b8b1c5e6bd7f6f972b2e1bc

SHA512
002a4782642cbac3af00401bc5a21816441dff358e58167379b9969ed1986cd83f918de60af46cd3fbec7b6025e127bf86dd345561e2c2a795f0995c48551a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Approaches

Filesize
87KB

MD5
29f997fe763cc349738138ebe15ecd2b

SHA1
a786acd1a22b1795984ee2b1e32f84dd934e2318

SHA256
e9dcd2e9c739da89725d79afd1a65755d0e493976e39eea8f53ae4f5ae0e6823

SHA512
56089bb0b094e0a630d1ba961e41adcc247b3106bf475bf7291033f8f5f12427db3a6b2b1b5786f3c122eeaf712832e513cf7ca751c73aea5c6e45c37006acaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beside

Filesize
79KB

MD5
4283203f153f5afb0cfb569122011ec0

SHA1
6dae1c414efe8b6fa7950465cc5c78771d1550ed

SHA256
4a0ec20859935efa1a951bb1bebd8e756761d860ae6fa3522de514ccb1c60de6

SHA512
f93f5300a3643985c64ad84710c6e7be1a338f4db781e0b223a3f8c29da7f3255107fc2294ce88c57a14083de498d45c7bebad73d27752dd529914bef72e636b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brand

Filesize
89KB

MD5
f87ca056d298c578eef14f7387c18aff

SHA1
2917b9421ee35df7a06fe4053dc156d4d58884d8

SHA256
512f4916157919c6a7719ecba92d3f2e93ebe7b04bc9e46ce9d1fec243658747

SHA512
3a0b9866a0cc724c1fe8f8d0150e14980c6adb9cf43791653931f6c9ac255fe717f884f1d58ff718f41d1a1d15b7a7f22a82ee904edc5acd290617a1a66c7200

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brother

Filesize
89KB

MD5
d583cd9f87085ad338e2ed25337af0ff

SHA1
23293920534576f4e32e4dbc3124226cf89db4bc

SHA256
fd73b6dc5fb795810d2ba514a06aa764d5e6ef7ac5e4bae8b5e7b6245fffc142

SHA512
e13333b93c1751cb7fb7f5978fd31fa59191590c8a9dc8731a3fcb5b8dc0a72f8a277b2ed6953d317c8c9aefd7c0dcadf9aa880c72bd2e2795b4d5e13944dfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brothers

Filesize
78KB

MD5
b71c71d7538d700786ab08948df753bd

SHA1
9f1a5a6fc187f52533650e625244df74e5217d02

SHA256
7f842aa67ca5c94d7aec66cb08280f1cf878e53deedf0e27243dd7fb0344fb92

SHA512
47142617cb7ce600660a7dec85903f0f4b1d3a6f48cda74cc342086ebb93094bd64677f007e5226c3186d312b0e290d156f2b8fff74c4ceb41261d32ce85a9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEF70.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Challenged

Filesize
55KB

MD5
2beb97074a5edb1ed9fc75f880e232ae

SHA1
ebd42e6223e6c3e8585de358542899ddd5ffb050

SHA256
1d31a863956db03e7e59b7c567874fec1d39cc024ae1a78bf048cfc89631b0be

SHA512
aedf64c83cb387f4096016040b792ca0a8290ac061deca353248316e9872b90bcf2683c35b8c7b3bc81550a3047882f1dd6e28843307152cc700392c7aa10fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Computer

Filesize
866KB

MD5
90ac359540223fc7b10a7aeac75f429b

SHA1
ab644fede3a9e797826284607a5ee3fc38f3fdeb

SHA256
2414842abb006b60f03a513aacaf14a2c51a56865e638376337ac686fa7f442a

SHA512
8fee92c8c03d3f257b336f9a46a7baf24855a1de5f67f757e79776fe79edb0cb0aea127dbda3b11a90fb07badfb4fe26bd62c7d31f6a838f60a7cd596f7422ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Connecting

Filesize
70KB

MD5
afd39b20d49af827e945b3e160802125

SHA1
ff6d2f1f675bd4d59f81351a26bf18e3fbced91b

SHA256
4efd6236d13ef9583cca9517168c15be64a87a017e761088564bdf8dc68b58e1

SHA512
49f687256ebef64eb010ae7e57b065f7d70dd7579f18ce876a2b0f9b97347c0b4f50ff06bbf1e905145394b3dd505a107c0749a65019c6222a7472b1d50b9d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decide

Filesize
83KB

MD5
7b1877c0535daa8b42149d38d903ef84

SHA1
c926ae22b245cd0aa6e73970326e12ae41476520

SHA256
ba9eb0df8a4d7e8d9d75e34e0b29f7cb36bf8227bcce965a2f8e509cd94b46e7

SHA512
bb3d46793f3fbc77fd7262638286421df65b2ca4cd4b11b6c1d212664182a7b6002db1669b0e69d505b8890aebf5afa67f2704d91a516c73ffe832dd74577eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Der

Filesize
91KB

MD5
129a5c68f06742f941bded29aac346ad

SHA1
765805d3e544065fe1711071f075c108997f302c

SHA256
74a2e2cb1fadf1358f9eab3898e6e0977955ad9a12f6c5c739f4bd225b2b0596

SHA512
5bfa89dc8aa912dddb468122a5dbf7bb2889c2c3a2a8afc4792b0757ee059ba62e1e81dad347fa20f5c96226fdb39661e808a46466ce3e17432d4386a1c10297

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enable

Filesize
57KB

MD5
f50b9e23de9c5ed1650665bb633bd142

SHA1
97d6b2f9b786f66423e85305c01502d3ddbb93f8

SHA256
3191a26bbfc53988df42904776638c47d823ec0452fe3066704c5e58bb562f41

SHA512
d1c5b53f405d9a3f5d33c0b881b0087116eed82c395f00713d0bffef20ae6bda860c703e947971b506d0e4e5e3a61662a0d483d4fe959b28cdb885b2620f5d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Evaluating

Filesize
72KB

MD5
06d88f96eca746b0559414070772f138

SHA1
16f7d9f272811adf115e1092a5c833905bdd9e6f

SHA256
49eac1a140e26dd30e5f320b356f3a05378e48f8f22aedc8468729d5169552d4

SHA512
3d6ff864b88968255e8bbd35b67d8b8af9e016009d6415ac023bcd5fea480d7a52e1b8fff759be017f32c9e1868cde9254c6a5231ff8b746c553e96dc76868f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Experiences

Filesize
63KB

MD5
bcf02ebb163244993dc6b7e8e6ee2ec2

SHA1
44051ef30fa12cd16b367d5d10c82cbdd6e8ee5b

SHA256
e1e1ddf8455502ac71b9199e54ca83578954c8e4c48843b545e848def4fdee32

SHA512
49b73487459de0b49d1a90f7e8e6497cc918cc90a02ff2701c73870c07c09ce39ce4d827a813b5bf6b04bb0f99ab2cc6b03cb86e770069cd855369e71cf19b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\False

Filesize
10KB

MD5
9e73aff46c6ba09d4422cbc0502df652

SHA1
09d3b6808401a6c5a4fa82741e8ed20aa08dca16

SHA256
38c4d48bf86800d851dff2fdba6ab4ea80412361aefac18b2fef6ca8e6027888

SHA512
5a0d90cd0cb35276e2daa948bb1e8615d1fdd8479418c700ad2470deb0522d8db58fc38b9752a93889c840d5a3f3e03dfa03d39fde9b0ebc57593f2f2e5da201

Download Submit
C:\Users\Admin\AppData\Local\Temp\Film

Filesize
85KB

MD5
f0f0c664ce36a59a3be3f4173e29ffa1

SHA1
b55613e8f0b19b1c25201b26b6032a8fc57efdb0

SHA256
3b4d17bf602d46cd1660b482986a6175c0561d9d2dea430cde873bd9e7c01b7a

SHA512
7c1c11f97f3885bf872abac7fb75f3b0c27fb93ddfd33637940a0686c245d321ae1e4a52132b1c882814aa4f4a917dd04b823fef579348cd6f7ba3a51e19bab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flows

Filesize
53KB

MD5
fcfc9ff64215ed9e4baa55b67536afd3

SHA1
071e0a5d054737e5dca6d7afcd4e206579f8db0a

SHA256
73541d4be0ac0b59ce0848e7d5e1a2286b695fd18cba9831fb3c228d39c4a3d2

SHA512
200848d98f3d5e096a419aacf22d37052b89915c6c47743caee27f762ce0418d67b5505d363753530054b1155e70cccaa0eb3272e36e41e00405a330f1ab3fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forever

Filesize
86KB

MD5
a7cf8231dd1185811c85b758c848bc0c

SHA1
b2a782f582226bdc41b7c15d8aa498f4a6e0b167

SHA256
438ebf21d74cfe650ee7d18cc5a05fe5ff1bf0595ebe6e2b5376611046841c0f

SHA512
5378f9f1f328f04bed5c51f2406a2f088e86251b3ee6e4c1953afc35c89f9a1c88226a3aea3867b09699b0a239688f649f846e1a096cb99836adae996007bc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jamaica

Filesize
83KB

MD5
44dc244074b0557095ca2c17b76ab76a

SHA1
90638777d304409f3336787dce5cf273c5a51060

SHA256
5e5ae88b41edfb6cbf0c2349ffdb474548b18d5d2a6965a3dc412d8ae9879f12

SHA512
41b1ac763d498007453965eb77d7534eae02e2cfc46df5b624361b4086d3f94565db9052f9adc9c428201b6f3e53abb0f88e8733bf3b0e0a1c80f88cefac78f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Junior

Filesize
89KB

MD5
7b3e71df58f75ecf16385c70be185f11

SHA1
9b6d1df2b138d74f267f3972ca07f8741f4d58c2

SHA256
86819c8c3fae36cc4e2599b212c5bb8c817781338534aad9d3799e9e96f423e3

SHA512
8ccfd52250bb1aa5f5194bcbf44843e8ac29bf42a9b051b1a1469f68c48821ab30d0c1fb307291328aafc5c8590b5999f1826c46b543985c995fc22e42e3cb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lazy

Filesize
83KB

MD5
72d58f9482294f7970e0a8727e567f1f

SHA1
e548b2c58cb1aefc00a54240d211dfc91bb1ef7a

SHA256
ff431fbf31659d17b45eb9c8f0eb213e6a7f9790e883c83592e056580c327b8b

SHA512
c6600305eb4d35f3fa523af812663b96a6c9d6b2c5134f604b0bf81582783ff8cf08cf270cc62ef727e795835a44844c1a3682b8459ffe4f34fe049c55969f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manner

Filesize
55KB

MD5
863ee137a45c13b2082e19069c774d86

SHA1
219eb20442f0cdd2a35641582b55304633d4966e

SHA256
75855e624bd4726661502c5f071790331578946a9ee2f47e509c1b05adaaad38

SHA512
c3e723d6da5cda43b797c8f9d06ba1de6da950160f0798fb3625f2d180c8aa17e3ecbaab142c041560eeef4f8f378f1de49bb22e447ceae5474dee32619bd92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Marco

Filesize
70KB

MD5
c7c71f7e68e48d74451e52a1d92e76a8

SHA1
c6e4cbc33bc28d17b4fd719d83c5a4087619310a

SHA256
b9a3d98efddb97f94bd6bd43953cc2dd4b8c844fcada4b9dbd0fa49bc622e452

SHA512
21c05b2f1db0047f56ccf594f9680d702879c6d0dc66071347358b5c04e50cb8510e97f3845cd45f84157570b075083212c6483a2b0110d52d70d530fe8eb7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Matches

Filesize
61KB

MD5
6548b1eb61ace2fe1ef378d1bd7995fa

SHA1
391ee6ee8ed0dd71beba5a423b48699e8cf261ed

SHA256
5aa5e874688069eb1d0f2bb8e7c726c82450ac288777903966f92ea0240e1816

SHA512
6694d2723990e9bf93deeb59b2d8738b4b7faffcb042e3e210a17728a24bae1b096adef20e936241bba00634dbfdf574729b36811c306d162d296bd3e0a63d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newark

Filesize
52KB

MD5
36ce287502ee38cb67ece4901dba4cfd

SHA1
525df93d361c6c04fd459080fc3608c656eb4ffa

SHA256
8a03eba2239dbddddcb98f184eb17dbded4eee5f0ce3790954825efa737ea4cf

SHA512
abed7ea68e06a00d92b199c6455f1eafa6bdbb3fc16ccb2e26b149d8ab6a26338cd6dfae76574f21253aadc249cbf32c2113e642c21acb31fe311389e436f4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occurring

Filesize
93KB

MD5
27b0757073da5b10c8d7d1cb6f49fe5c

SHA1
300e7893148c928d2bebaeab303c1aeea864ee47

SHA256
041ebed847f378e7520274ee1feb82fb5565afce9539f85927c66574d39f5f2f

SHA512
e3cef0011aa3f0f40a24ba4e78106c24264aab100b0dfa9aa0db69dd5a0c0090642ad9e188fa4beec85381f0069d5fcba9ad05b288718c14d9b2905d3d04ce14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Offensive

Filesize
95KB

MD5
9bdd7a0959c7fbd7bef2bcc8d62c5956

SHA1
19845cdb4d549f8dde37bec5902948d4d9a0dd48

SHA256
bf3b342b46cf347395454e165f94ba73b6b00cebcf4579e519f1ea2532ec0a1d

SHA512
ae059f7c3b22274919a666e0a5d642d2b1c43e498acc7f90c39a0dc2d1ce536ff6b7b0f36400b89e284fc958977d6ddc3943093a1ecf5ad4e827b809e89b5f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phase

Filesize
71KB

MD5
d4da703fcc9bf80c493c8f4c1a613c69

SHA1
0f01abe209b187661f9b6d29042cbabfa0eb10f5

SHA256
6e96732a14da76cbb91d8186cd8cb9db12fe8e3a8aaa5cbe573eadb21094dcfd

SHA512
35e55b4ed940cf2307cba271b262a7c61aa85bdcbe5ba8f95fbfdb2af73be5ef21260aea0cbf7e885df7507dbc07a41c6659cbda6c505a292fbc8e146e54228e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Placed

Filesize
89KB

MD5
8d2774d1633b79130e6c3b6fc2f974f5

SHA1
4d64d2559fd2675e890b7836ff282e0dea383b68

SHA256
4bdae3d1e0488614877c149b84fd86ad8bb594698a489f4766c5ed0e5204d71d

SHA512
55b925a3d5647969487a3fbff8dcc78a7aee2364408102de4b5b3c045b8df3bf33907d3f34758d18d754c45cfcdaca00fca97a60b2058f59fd6f40ca1922084e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Poultry

Filesize
97KB

MD5
d24d640eecd7d2aeb3dd839e2e3dc9d8

SHA1
3438f5fa67366681f83cc8dc16716bc60869de92

SHA256
345c6f8099009e55b81da59ad8f889957b1a10cd7a2376303cff810bcaa94c64

SHA512
50691509c5e00551ac1549bdac7513a0948d4a189be1fd7534333b8c00a33b75bc2df30a2ce2b95a257f594720f997691a71632cfebd516a3f00449f38f35037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prisoner

Filesize
63KB

MD5
f62a22c459770bf32ae917bd6018573c

SHA1
852948a74b45c35062001413e5ae7971d6e0098b

SHA256
559109fe538151df0ce600e38c01584216266a24c2eb0be2c0d399f7bec73296

SHA512
9447814ccd92607d24b6b758e7a9884c8922495163528e08219f410bfb93f2a9ed759bf24c85f6334fa8313c0f2f32df611e5aeaf60608304208227c2899b0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quarter

Filesize
92KB

MD5
145236087e7bcde1c917876ae551089d

SHA1
0495ab076b02f0371473ffc0e63fd74a18a6fad6

SHA256
4bfba4dee1e42d53c847ee7ef8d94cf045164201869a9f304baaa13ce210844d

SHA512
f186f2fbed46c6b3eb9cdec31610fa840d088181764d57e60f01d44feeb3a120850aa55e3be2186c90b68fca6719c372cb82dc9c3b3c59e7f08254360a238296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rally

Filesize
98KB

MD5
48af6baaa8eda6051bb5150f85610835

SHA1
871944d3167985eb3c36996ee4fb625cb0868555

SHA256
f9c5b6473abbbd58d55124c825b12b7d44260ce7defb2abfeb29c27e1875da7c

SHA512
5a6f5a4229748f020508416a1726425c1604a699dc737f243a34652f095424f01f3eada3053a721413489fe2d393504afc034b54043873defdd444ab631d2bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rays

Filesize
80KB

MD5
f87bbe1f897198bdf18bf91ba6d2653e

SHA1
11172fcf6996c7ee06f792c856c3ac1f81b523a3

SHA256
015e198be73c0d7d97ab54022cc159933cf29fc95e8828729c908ca5eaaa3cea

SHA512
1a3b6d6b13a88a5eca0a70d2ac3b17ec348214d38271643c06a036ac4966b95e4260ca58d1ebb32ede264381deb3fd43323473fd749c4a6f60e62ebf6997e445

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restrictions

Filesize
41KB

MD5
d2bb01ce93551d89a326b38941fe7b31

SHA1
182b244c27fa836784a51f9af1685c0a52520690

SHA256
7e300b7f935fb1a3a76b8eefcb245da67247e03c0f3ab810b8b4224c2b97d9a6

SHA512
c73d3998138855330b840dc3290d6e20db55263da013ae4275993cdcd1b67b0d638ca51a027699bf0bf9c5698cf70cad15ee1657320d221804f964766d80668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sandwich

Filesize
54KB

MD5
dbe57fa1350ee2b2307ce184484325d7

SHA1
8e5a670e839e834e06b91115b5eee6a5e23ee73b

SHA256
fdf45b1ce131ab00a35bb10ba547612cf03c0cd876f90ae2df17eabae58799a4

SHA512
2899efc3fc677b92d3a44469ccfc14e32a733ceab6aacbdb6bdf0464fec95c71e142674095afe050555d210ed39043971464cfe70177184999a187af8d91cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings

Filesize
6KB

MD5
f0d0abf3770e725d5c4665e5b19714e3

SHA1
2734dcd001ad576623144bff758d2b4b368bca42

SHA256
fdc561fcbb5399e1da2fb0f649c0646e02c2dcd4b4321a49d24463a60c8eaa97

SHA512
24e9e8762a92a7856c95a5aa31e7e9d88622b87817ff279570fb79975d4262b60eeadbc01d16b1756ee46cc6d0711217c73ba3671ec115ca4dccef43adb57c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sn

Filesize
94KB

MD5
ae999b5aced1553d6c2c45bbe011de23

SHA1
d0b320c82c1cf3cb14e6a6cdd53b80187ad58ebd

SHA256
589dccd60da50ee66a41f58eaa09c2e7f8fd74d5fbe136698a84d71ef3ab372b

SHA512
86438e34cc10aabe4ab5f76fcfe5c7b3acd801c8ff39292eb1a6042eeb984ed1b16314d0b4566b87b0feb0aeef685dc9118a2b7db8f3d7bd91d0fcd61ffe0ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Snowboard

Filesize
66KB

MD5
1e57b59f92be0a83958a3d2f59d83632

SHA1
edbb4b29f8e04dc1ac5c1b1949ba4cef5057fe3c

SHA256
79462f959a1406437e6a9327fdf6e71b10f348fa4731c888d6cede85977087ba

SHA512
cf0ddbb20384fdb3d138717db55b1296326498743af92e8ae5b1f967485aaba6ccad793802987626427291f7f3a46668ebb01a15db9a09ac6386325dca331c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solar

Filesize
87KB

MD5
2e2222658e7ac6fa78b078849f9dadbf

SHA1
a8c9aed33b4e2f62a012e4b125d070ca2c9bf9f5

SHA256
3d6b29d76b3768fb5faa43543de5f93474bd010968467f815d50192e066741d1

SHA512
921bc21d2907c9243b81d0abc92620bbb3b764769fb96ad84164a4efcdac73b44e16be684f94096a2ed5c15ea913bc53300e8bd04dcc51e958336d53de6e0630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sport

Filesize
71KB

MD5
68d0d09c73f4930ae9b8f1547038611f

SHA1
b3533cf3313d2aa1b54c21462961df9fe7395ca5

SHA256
7598b366c80221f349f91921b1eb9066062086481666cb256eb6ea8b415efe1e

SHA512
7886339a938ac2b6194e780c593d2b123817a1196c34c81fac7f1e7cdcf04bc9cdb9672248beb2212f419e66173aff1e2c59cef91062738b654c05d2316db8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swedish

Filesize
69KB

MD5
f53caebf6816f95f1d8a2963dfbc0f28

SHA1
1823a65b1c4479506e576d41c952d088f3de383c

SHA256
6c13b8f0d6d6bb633fd8b8089e5c6f124d9fbc2288f84d6bd5f7552d4954d2b5

SHA512
3fc849dde17b2b00bdc0d4c7172505ad05fac80e5e078760ce8e2f50cca12aa77f892bb2a2d915642722158ae54904817d372ccad15d24b1aa3f5be5e05676f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF92.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Threshold

Filesize
89KB

MD5
61d30e81d39b0c2f2a34298d13986188

SHA1
38d9a9e9a7811fa8e050ad7c27d7260b9964bbbf

SHA256
9298bf97742de6a737942ddc4ef8131381339ed6c3da9c1ba459c36d304cbf8d

SHA512
50e95cdd1c211939cce1ec02d0472a701cb2d2550eff58c939c4dd32534e71a4c3b1e3db842727c92407d29af03c6717cd85712ad8548760bc72082fc5c20f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uk

Filesize
58KB

MD5
2d68b9fa1f624a75853e0c9ded7f02da

SHA1
7b79d02e9d6fa999cb328f967f649f4102fd5602

SHA256
57c843ca01cb3b9035af887329ef9b70b6aa4939ccc99daa5cd9a55232e6bc19

SHA512
b6ab478d562a9aac475ce84ad38b0be3e8e2a4cac83dae2d345cdcf6414ff0259e1855027f847f9bf0681c70d12bbbb1a249f56efa5e74b49f058fd376fd9b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upgrades

Filesize
68KB

MD5
b7c05874c1803df34a31b4d10f301762

SHA1
ad2201980ef579c83161dfed62047a5a5953c8ab

SHA256
8d5186d4d7d5c02ea640dd37b5fec7d0b6b647d5fee9811e5f83e28f2c578e37

SHA512
e57b05b5bcd4d5177961882e809db4b334a2074c8ffb21586a87586d7a5fdb1eef84d9b0ffbbf93b56e4e597f31499f6bc3912fe9767cec426b25252414e3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Very

Filesize
87KB

MD5
027d2a49121e82c5b98ccb89176ef812

SHA1
0e5542e48b66ad8802965200c93ea6464201d87d

SHA256
6133621a4147da7acbade24f350aa8d026c7e56476f0f587b8c30bd1994f5b30

SHA512
f50f916e2f518a9548c49e407095703b8efdb0611ea0949e4fa239dbc3ea4b18462c0c825cbec63e60f1cb0b2a6bc2c7a6cc5e70681ab49da2a0f2499a773159

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wang

Filesize
70KB

MD5
c09a44c5a18c3a2e913703f3a8e3d3ed

SHA1
f924d0fec1b860849e4273b625ead2808bba59cf

SHA256
184bfbb5ac71efb21c84a8d8d7a2ffd882898ffa9b7196349a05cf82448153d7

SHA512
ae4dc95716ccd87568669cc9860f2556cca4cf82731444490335ba8edaa002fc79ba741b48fb67d308db7002391502d3859a90d93046fa2e9595ad9011ead88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wireless

Filesize
54KB

MD5
a516e111e80c70128382f9ac6934f710

SHA1
9c83840c005ec316c5f956a10dffd8b5f4ebf887

SHA256
2aa93370a08f2347148d0553588ed674f3719e28b8d96e265fe1fd206e337492

SHA512
2a086d9947960a81f84d5f7cc2ee5526a331d6b9c98ae8ea2a7f3b998e2d70d824c8a7deac9ed6348f0cfab8f7d5e21a402c70a8581a012f11605f844f04013e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Write

Filesize
34KB

MD5
86e5717c3e866b8945e3a8d6567fc253

SHA1
cb7d4000c7dd5606697e11872fe2840a56011ac4

SHA256
1e8e2e5e59eae4165d4cd5041414a3087d17865f9b5003725ba566629d0508c7

SHA512
fe25017a88420fa0e07da6fd7a5b2c533bb5243afb45b60d5dff945931b30001856dd6fa23129d2afe43f026b36ce62fe94a0eaa25be3d38a47a7e7f43713f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zdnet

Filesize
64KB

MD5
ea93b6aab8646380d702179be480f652

SHA1
ead950fd78817eee0681eb278dd24b5ff9fcc6c9

SHA256
61ccdfb410b9e51335e89539faa908aaec7d3d98d69866af67f5efd9f31534b2

SHA512
86cb6b787fe7969ad4469231761c596b2a61a1b66c4e7f76b89b61c22feffd2a05a9aa52f8d2ee9953ea7b31b3368a126ac5ec085309f9c86c38be51dbb4dd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoophilia

Filesize
68KB

MD5
c847a5e8fc2201afef937586d14adf41

SHA1
19f9d89e6c80ae9bb9e1bbb40711b0fd2a962265

SHA256
8a88951c7e21253db31b89f257a4e852c8e6e4cfd4bc1e51eb6b334d48b54443

SHA512
86ea106354ea5e96917bc73ae77219000292900fb8491c85fb20d0e80d118d9de1e6115756329e5df695207ec53a56ef6c84ad85da50587fea388120d8e74f39

Download Submit
memory/540-119-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-126-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-125-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-267-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-286-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-305-0x000000001F7C0000-0x000000001FA1F000-memory.dmp

Filesize
2.4MB

Download
memory/540-315-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-334-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-463-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-482-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-525-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download
memory/540-544-0x00000000006E0000-0x0000000000956000-memory.dmp

Filesize
2.5MB

Download