vidar | a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939

Analysis

max time kernel
66s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
Size

1.6MB
MD5

90cace0b799aaad6cfc9436953f75652
SHA1

13b3102f25ad542cae0628fdd0880ac147a1b5b0
SHA256

a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939
SHA512

6ed16a6403d8801e84db3b81de2b0f6d4702b9b60fff80e331e6e124e9145a5b1226b121a0c05258686a70b12b78afd4434e5be956e564615c4a6146c9a61a9c
SSDEEP

49152:GhX126vTMGbSNquzod7fQzEytWlIu5LyaH8b:ol26LM3NI1QYytWlIu5LyaW

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2880-391-0x0000000003DC0000-0x00000000040C0000-memory.dmp	family_vidar_v7
behavioral1/memory/2880-393-0x0000000003DC0000-0x00000000040C0000-memory.dmp	family_vidar_v7
behavioral1/memory/2880-392-0x0000000003DC0000-0x00000000040C0000-memory.dmp	family_vidar_v7
behavioral1/memory/2880-534-0x0000000003DC0000-0x00000000040C0000-memory.dmp	family_vidar_v7
behavioral1/memory/2880-553-0x0000000003DC0000-0x00000000040C0000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
864	chrome.exe
1992	chrome.exe
2040	chrome.exe
1628	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	Alternatives.pif

Loads dropped DLL 6 IoCs

pid	Process
864	cmd.exe
2880	Alternatives.pif
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
956	tasklist.exe
908	tasklist.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DecemberPowell	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\CumulativeMaximize	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\BmMary	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\HarassmentWrong	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\IaBacked	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\ContextDeleted	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\ExceptCancellation	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\WestPython	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\NetherlandsRendered	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\MemberIrish	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\AdministratorsDerby	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\CoachingAmy	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\FrequentAluminum	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
File opened for modification	C:\Windows\RailwayDistricts	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	2880	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alternatives.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Alternatives.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Alternatives.pif

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Alternatives.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Alternatives.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Alternatives.pif

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2040	chrome.exe
2040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	tasklist.exe
Token: SeDebugPrivilege	908	tasklist.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2880	Alternatives.pif
2880	Alternatives.pif
2880	Alternatives.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 864	2204	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe	30
PID 2204 wrote to memory of 864	2204	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe	30
PID 2204 wrote to memory of 864	2204	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe	30
PID 2204 wrote to memory of 864	2204	a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe	30
PID 864 wrote to memory of 956	864	cmd.exe	32
PID 864 wrote to memory of 956	864	cmd.exe	32
PID 864 wrote to memory of 956	864	cmd.exe	32
PID 864 wrote to memory of 956	864	cmd.exe	32
PID 864 wrote to memory of 1324	864	cmd.exe	33
PID 864 wrote to memory of 1324	864	cmd.exe	33
PID 864 wrote to memory of 1324	864	cmd.exe	33
PID 864 wrote to memory of 1324	864	cmd.exe	33
PID 864 wrote to memory of 908	864	cmd.exe	35
PID 864 wrote to memory of 908	864	cmd.exe	35
PID 864 wrote to memory of 908	864	cmd.exe	35
PID 864 wrote to memory of 908	864	cmd.exe	35
PID 864 wrote to memory of 888	864	cmd.exe	36
PID 864 wrote to memory of 888	864	cmd.exe	36
PID 864 wrote to memory of 888	864	cmd.exe	36
PID 864 wrote to memory of 888	864	cmd.exe	36
PID 864 wrote to memory of 1264	864	cmd.exe	37
PID 864 wrote to memory of 1264	864	cmd.exe	37
PID 864 wrote to memory of 1264	864	cmd.exe	37
PID 864 wrote to memory of 1264	864	cmd.exe	37
PID 864 wrote to memory of 2228	864	cmd.exe	38
PID 864 wrote to memory of 2228	864	cmd.exe	38
PID 864 wrote to memory of 2228	864	cmd.exe	38
PID 864 wrote to memory of 2228	864	cmd.exe	38
PID 864 wrote to memory of 2312	864	cmd.exe	39
PID 864 wrote to memory of 2312	864	cmd.exe	39
PID 864 wrote to memory of 2312	864	cmd.exe	39
PID 864 wrote to memory of 2312	864	cmd.exe	39
PID 864 wrote to memory of 2880	864	cmd.exe	40
PID 864 wrote to memory of 2880	864	cmd.exe	40
PID 864 wrote to memory of 2880	864	cmd.exe	40
PID 864 wrote to memory of 2880	864	cmd.exe	40
PID 864 wrote to memory of 2752	864	cmd.exe	41
PID 864 wrote to memory of 2752	864	cmd.exe	41
PID 864 wrote to memory of 2752	864	cmd.exe	41
PID 864 wrote to memory of 2752	864	cmd.exe	41
PID 2880 wrote to memory of 2040	2880	Alternatives.pif	44
PID 2880 wrote to memory of 2040	2880	Alternatives.pif	44
PID 2880 wrote to memory of 2040	2880	Alternatives.pif	44
PID 2880 wrote to memory of 2040	2880	Alternatives.pif	44
PID 2040 wrote to memory of 2524	2040	chrome.exe	45
PID 2040 wrote to memory of 2524	2040	chrome.exe	45
PID 2040 wrote to memory of 2524	2040	chrome.exe	45
PID 2040 wrote to memory of 2396	2040	chrome.exe	46
PID 2040 wrote to memory of 2396	2040	chrome.exe	46
PID 2040 wrote to memory of 2396	2040	chrome.exe	46
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47
PID 2040 wrote to memory of 2152	2040	chrome.exe	47

C:\Users\Admin\AppData\Local\Temp\a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe
"C:\Users\Admin\AppData\Local\Temp\a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy List List.bat & List.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1324
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 6605
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "CEREMONYBRAZILEARNINGSPAPER" Phys
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Particle + ..\Watt + ..\Reel + ..\Colours + ..\Fires + ..\Walks + ..\Th + ..\B + ..\Telephone + ..\Commissioner + ..\Vc + ..\Optional + ..\Tigers + ..\Maldives + ..\Applicant + ..\Trinidad P
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\6605\Alternatives.pif
    Alternatives.pif P
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6cd9758,0x7fef6cd9768,0x7fef6cd9778
        5⤵
        
        PID:2524
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:2
        5⤵
        
        PID:2152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:8
        5⤵
        
        PID:2184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:8
        5⤵
        
        PID:1956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:864
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2176 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1456 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:2
        5⤵
        
        PID:588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:8
        5⤵
        
        PID:1500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:8
        5⤵
        
        PID:1000
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1172,i,3386070242589671326,14200221436638145364,131072 /prefetch:8
        5⤵
        
        PID:956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 844
      4⤵
      Loads dropped DLL
      Program crash
      PID:2052
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f3b90ad9a8783b712f5ae69948ea966e

SHA1
7f8c984f514a0e66d11a14e86852c4afa9c58d4e

SHA256
cba173b9cc8d832657040d48fc26332afaf05abbfff9a5dbe0b6e221a67345d7

SHA512
af5abad6aa168b1bde30003392fd2c27b9037b03736a9380e1ca6febbb30d5d481402a734ec9bc630f85f10e838daece3eb6528b4657b0cdfc10b4b897f21cc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f8171dd448bc7ce04866148156bd56b2

SHA1
765e45bcf9cdaa40d522be61863111f5095b83c5

SHA256
031f3dae0b12a89a5a50c0db4d64e21b90b41d19194d0354a96c8a3a6690334a

SHA512
47b86fd72c6dc6ed4519e97525c8519803911b2740370d398db7cbfe07b9329363fa843311f115b5f7066386cd8954fdc14b545f37ac3d16eb44402444ffb5de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6605\P

Filesize
1.1MB

MD5
6e06051a757d905f5fe32eda39c4e546

SHA1
46361de4c63de69cc8c7d2b55ea7ad1c8c3fdf09

SHA256
4d7df4553338d788a6ea13a139d4733f0ce791ef44207c48e9d5eedaa480f61f

SHA512
fc2997135cfaa39d08a134e2ea5a3c3d0724f1b26c20ca351becd5cc48f234f19305eca4e9eb18c056960a718ad6267135302ab6af9775b424d5509f63f73b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Applicant

Filesize
65KB

MD5
f4159fd7a4aa23ff1af3f83184c7b591

SHA1
f169d89a439745fbe04996eae64286466996d6e4

SHA256
1964e48f3e0b4ecb562783680f23b71a0290a607958e40f22f600d829103ea38

SHA512
c0358c489dc3ec763ebc6bae6de9047fe36387b3817163a131e13bffde4fc0dbad5bde53a8967b2f8e6d64356fdf16d6a0fcffdfe749b41982c2607f5ec62c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\B

Filesize
64KB

MD5
813623fef4fc3598586163fe0e32b58d

SHA1
72e58713ffa3b9ca31b8233a54210830385d935e

SHA256
ceac9db58859eaa3887a614adf65a767c2f5127b420d153982cb536fa3851360

SHA512
16008b825dc59bd2a7814045dcd73da008f0788bbbba7a95cf8d834e7768265fa99c3bb4214b3aad81e721f758ae5f5c91ba411f2bac93594e1d3403a631b7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Colours

Filesize
72KB

MD5
6f6be76a0dc7e40a48dea1b4b627c6fe

SHA1
c659ade9e22bfb1472c8e3964d66f66e21b48976

SHA256
9be563f70ec4e53e5a7ef93e435c565afd4fdd766247217307f13dc0fad83257

SHA512
06e8451799656751d7fb10adfd2225603f377a8a5e43d6a484ec4b0ca449d93912e5c3be4aa610bf18c9366710ee82cd37e584561cd80145d4816ba3a365e23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commissioner

Filesize
91KB

MD5
4d9bbaf20064cc706915a5f08c490e12

SHA1
532bec59a472644f7d80482e44c9aacf300ee808

SHA256
a6fe61e5a1a5bac30c4a92a3cb05e0ae4cfcfa225954aa59210f249e980b199d

SHA512
69eaf4aad8a3d42af23e626d23fce6c50c8329a23f6e5010b045312c2bf8a3cd0e17e6f478e207d64bf27c613effd89d51375c752401ce55f981cba5283f2f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fires

Filesize
64KB

MD5
aba7e7380e48c24866740ff22eab2797

SHA1
4707a8a80793985e49c56c787cd540fb2ef8d7d7

SHA256
c41beff691522fe522cb197509ebca3e1922fb853bca578353bacfa6b9b2e76e

SHA512
0cb8524187d1e349366538ddd4a2db5e962997b5817476da3a4e15c72500944a8321489d1208adf65fcda5c144db309fd7d059af3f479624a11ce3f14245386b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graph

Filesize
865KB

MD5
9544c3c85a44d02cae05f426dba03d5a

SHA1
d1318a16e0bfcc5ceb26c304f35e625f11fb2e79

SHA256
ff79936cfcf0abc704659ed5b0c1db7c367a78d09ffb9a459e082f48758264bb

SHA512
79c2ec200c0fa14ce324176f34f4a44f596ed77c8a28452a89e59e6db4692541a4cce98b3a39d91db1a2c358cd297f1cc00c1bda18399d9f8cfb47fbd9c5f2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\List

Filesize
15KB

MD5
e73430fed8b772ee346e05ace0cbb3a2

SHA1
f5a89b962504408636e64c6d3d171ab50e1de8a6

SHA256
35b8c8e6ffaacab2cf18bd3dbe5e2de44ce9652c7a4a2e6b59a5522c88b4db95

SHA512
43ba88788330bda0d7314e8eecd5ea4c452c926984887401ad40f591da08899385bd536df2b9658240b82e9f77e8e88b9cdb82f0cb7ac963b0b758fc8cf3398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maldives

Filesize
60KB

MD5
453f52e664b31a955f4349ecb45a559f

SHA1
d04ce1e3508478f7a41d4d3713b90c94bed94f93

SHA256
c65690e2c56db99f8915548823c9edd68020416271ffaf2d4291024de644c9b4

SHA512
2ad18152b4b4642832d7b6b172d7cd94d9fd9c2e60d7f5597c3d20840a9442b7dd3cd770fba84627d2ed83f7c639942749b9f2de0914f167250b3964350338ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Optional

Filesize
60KB

MD5
2e0cbfc717a59ff4d40477dca3c47505

SHA1
682293c207567df1c6a83543e46117bc5fa756a6

SHA256
5cfbe754f8b85189fc063b08277820912c9c88fb0cb0b9330d2c2a2246fe0aa1

SHA512
13e7d4268f8a7d7e745be1c5239bff791881e31bccc5f423c30536ff420d577b378f3411f340c759804df24c43a5924bddab5197aae4b442692bf1e5fb8e7cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Particle

Filesize
54KB

MD5
7e35268f9e5a77094daa410be23e44bb

SHA1
0f279144a2338f9808a6079058eb6d0ad1db39ac

SHA256
5354833f3b8d7130b391fcc6e56d8a2a29e5eb55980c7d485ee8713e4d8c89cf

SHA512
6d66920f3b1545c7412e66c6676ccf126978803a78f062d5a6b80d0787f05f4d42ebf49b48c491dc5d61e1b175bb67c87dbb2e1b818112b1633eab0997f3baf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phys

Filesize
7KB

MD5
a83b54819f8bb4640619ec47cefbd2e3

SHA1
dc54b87e4d6b4ea47e76476c3a21a8bbf45d208c

SHA256
3392ddff8c2e92168709742131843bcc7c87ae7e519ba8b4e59c4a0da63e4b89

SHA512
ff3a7b4ab7609cbdd329203d4a58f4cc3c3da6ba6767f11635cbf71c94efd0c994a3c50202d55540bd28138dc2a2c417a263ad946dc0963a8ef2b8787f1a4413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reel

Filesize
88KB

MD5
71a1d80c1c0d09598aa3bdb89bb916fc

SHA1
8114685210d3627e3e788133cfd8e421344add0f

SHA256
320d3ba624db4a583f95c0f43e226246823224b4664d71bd7a774d2314b8f3de

SHA512
8892c6533a65bc1a752cc387c63935fb7f3f59f31aa7512d4b68f43f2b6bfefa4353ca0c5ad01d48fe9429ee5d07a381f7f6a1abec289033140d1a6e1015bac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD703.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telephone

Filesize
95KB

MD5
e0aeb372a59033b33e86e336050912b3

SHA1
08dfdbeb1b934408c1c18bba3277306661c3c419

SHA256
60a52e926ddab397d29cd866d25239a8b6b474152901181152987cc5537df24d

SHA512
5752401d487c0369684e8f5b179b5571a7584089c5029288a6393f9008164f8ea53347a84e1ad6be6cd286a63fe63301a31785b2ffd62e81f2aca40640fe722c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Th

Filesize
85KB

MD5
fd51fde362fa58526a959290644a357c

SHA1
bd2fa0c67d01a6b46a5280b79ca95d899abcca55

SHA256
f7b805e776026b2ac8efb05212858fec60084e1f5c85c408b8b5aaf7d63c362d

SHA512
8fe073748d315d288d1b63b9bd69d66b7cc946240f7e5ab04f2c87ab010325b86611c0045e0c2d96693a65df51d66102a8c9e5fc22976b22d88963aa564f1293

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tigers

Filesize
86KB

MD5
fe10c257f3d7eefd76a9ea96917b3dac

SHA1
8150e95eff9f15bef4f1c744022755b11a9ce6ff

SHA256
bf1045e5fe1a84579c823e2f07ee272f09db5167a029db019af20cb2fd12c943

SHA512
21069c0285f21ecaf140e107e7214c76eff59fd8efbd5344835b3dbfa5a0aecee6e4676cffec95ce81d229aa75bdbbde424a87e37179efbb90b98781d1cd1397

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trinidad

Filesize
28KB

MD5
99e50eae127dee9a187a3479bffb2611

SHA1
f2feb6779af7e2f36ff75d55708498eea0dc75dd

SHA256
8fdcf3f130fdc46abae2a437e6922bcd849d0ad535e10f7e338daa4f335596c5

SHA512
8a998836f4a375ae4c5c31b733c9e9cf452e33d87b80a153944bb1a95a0bcf1a1d21f2854d6d5f343f636517b7ef4c578dd1a7a838ae375528cbdf38bfbf734a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vc

Filesize
83KB

MD5
d58f412c0608af2b7d9230b8af1c6ca8

SHA1
7239b104825828dcf7ffd6172d9e370e99ea2975

SHA256
782d31412eac898866880132e32638592f36b6219a19e682ccd4a85552581a01

SHA512
94434b737b0f128e058f38e360ce80b6a447149a176d5fce2caa06162e0001f1dd7d56f25c8d7fd6c0e07ff6ed1ec55fbdb5d9b3bd82ed62db8c10b324f7ba40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Walks

Filesize
61KB

MD5
4e08d104a885b2fc68f87012b213dac5

SHA1
cc36ead0dd87bc6d5c9274107f4946a48b1a0f7d

SHA256
ecb370f7ee955af6363a24c036cbf83e29818b54804d508778dbf89cd9478db8

SHA512
c76575ee85e2c768934235a5a1436521c1fb379402b5933501dacd4ac2727f599a55c6f2cdbb79ba3e3135f67f313c77df6bd74df41fcc385d5f4c4e3a7a471f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Watt

Filesize
83KB

MD5
c1417dd7a4f57927835f9dc4bd5d161b

SHA1
8985d33327cba9bd6adee01ee8755f1d40b87932

SHA256
c2165e8373253cab652528f0511b623bbea4037d211936d3cf613090a1cdd3ba

SHA512
4618dc37ac68d55dd15cf0199d894ee6c2c3387e93d51dc7b466c63e97da30b04154d001f7d9f1578e9212111ea4c49a57109880ccf6b53d21ccbbd433ff6a00

Download Submit
\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
\Users\Admin\AppData\Local\Temp\6605\Alternatives.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/2880-391-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download
memory/2880-573-0x0000000010000000-0x000000001025F000-memory.dmp

Filesize
2.4MB

Download
memory/2880-553-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download
memory/2880-534-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download
memory/2880-392-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download
memory/2880-393-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download
memory/2880-388-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download
memory/2880-390-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download
memory/2880-389-0x0000000003DC0000-0x00000000040C0000-memory.dmp

Filesize
3.0MB

Download