vidar | hxxps://goo[.]su/G3LwWcK

Analysis

max time kernel
156s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://goo.su/G3LwWcK

Score

10^/10

vidar 8c52f3ec6eb37ecedc912a0179f9e97f discovery stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

8c52f3ec6eb37ecedc912a0179f9e97f

https://t.me/hypergog

https://steamcommunity.com/profiles/76561199642171824

Attributes

profile_id_v2
8c52f3ec6eb37ecedc912a0179f9e97f
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/4372-1937-0x0000000000400000-0x0000000000649000-memory.dmp	family_vidar_v7
behavioral1/memory/4372-1939-0x0000000000400000-0x0000000000649000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 2 IoCs

pid	Process
5476	Setup.exe
5904	Setup.exe

Loads dropped DLL 2 IoCs

pid	Process
5476	Setup.exe
5904	Setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
65	raw.githubusercontent.com
62	raw.githubusercontent.com
63	raw.githubusercontent.com
64	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5476 set thread context of 4372	5476	Setup.exe	126
PID 5904 set thread context of 1004	5904	Setup.exe	136

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1424	4372	WerFault.exe	126
4228	1004	WerFault.exe	136

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsBuild.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Free Uni$tall PA$$ 12345.rar:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1968	OpenWith.exe
5312	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	firefox.exe
Token: SeDebugPrivilege	1496	firefox.exe
Token: SeDebugPrivilege	1496	firefox.exe
Token: SeRestorePrivilege	5312	7zFM.exe
Token: 35	5312	7zFM.exe
Token: SeSecurityPrivilege	5312	7zFM.exe
Token: SeSecurityPrivilege	5312	7zFM.exe
Token: SeDebugPrivilege	1496	firefox.exe
Token: SeDebugPrivilege	1496	firefox.exe
Token: SeDebugPrivilege	1496	firefox.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
5312	7zFM.exe
5312	7zFM.exe
5312	7zFM.exe
5312	7zFM.exe
5312	7zFM.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1496	firefox.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe
1968	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 4608 wrote to memory of 1496	4608	firefox.exe	84
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 3264	1496	firefox.exe	85
PID 1496 wrote to memory of 4740	1496	firefox.exe	86
PID 1496 wrote to memory of 4740	1496	firefox.exe	86
PID 1496 wrote to memory of 4740	1496	firefox.exe	86
PID 1496 wrote to memory of 4740	1496	firefox.exe	86
PID 1496 wrote to memory of 4740	1496	firefox.exe	86
PID 1496 wrote to memory of 4740	1496	firefox.exe	86
PID 1496 wrote to memory of 4740	1496	firefox.exe	86
PID 1496 wrote to memory of 4740	1496	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://goo.su/G3LwWcK"
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://goo.su/G3LwWcK
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9617aa9f-ccbb-40dd-ba39-6e9aa554ef1c} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" gpu
    3⤵
    PID:3264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25cfd1f8-df48-4eed-9c8e-2a0cd6745cf8} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" socket
    3⤵
    PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -childID 1 -isForBrowser -prefsHandle 1456 -prefMapHandle 3120 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b23c857-0a97-4199-8a15-2c876c917486} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" tab
    3⤵
    PID:4836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d77c619d-296e-40c9-a761-a564fc751875} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" tab
    3⤵
    PID:1696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {149944ee-0748-4739-8194-8d04cc2fbd06} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" utility
    3⤵
    - Checks processor information in registry
    PID:1356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 3 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf217071-9518-407d-ab7a-d689ebce3be4} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" tab
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5728 -prefMapHandle 5724 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa39627-2aca-40ad-8b9e-01b75444859c} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" tab
    3⤵
    PID:1600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5684 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f54336e-f9c0-45f3-b7bd-43f36b36dbe4} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" tab
    3⤵
    PID:4420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5312

C:\Users\Admin\Desktop\installer\Setup.exe
"C:\Users\Admin\Desktop\installer\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1664
    3⤵
    - Program crash
    PID:1424

C:\Users\Admin\Desktop\installer\Setup.exe
"C:\Users\Admin\Desktop\installer\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:3368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:3776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1604
    3⤵
    - Program crash
    PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4372 -ip 4372
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1004 -ip 1004
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log

Filesize
721B

MD5
37bb3ae996e7caaeade18f1cb59500a2

SHA1
1fac139b749297b6c44492b25f4180df674bd771

SHA256
b954e78b07b133591b8a5bd94ac59f74003b190acf446521d765bdb9f0e9dfff

SHA512
0e10a41dd97a46a3df0a39c68f517e447f490e1e536493cb96047c322c7e64a68f8348ad9b57b1d4315661ed124ab5bb6820aedf07acf95a6954121342340c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\76561199642171824[1].htm

Filesize
34KB

MD5
ce7dfc75203eee9db025346ed9209213

SHA1
2b99e2fefb382d13351e3471c208c14c8ec8fd6e

SHA256
666c0f3b1a7106d346572281771cb47133e051c5117a9387bd96e095c772eaab

SHA512
eba496555d78b07ecd4436782bb96dc3152bbb6c600895f7f45b0d68c7ffd5041f7a094b8f1dd32b7f96ea6cfc8061926a8c055a97b8db8cfa238191b0472910

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
ad204892618596aad2c45d5b15837028

SHA1
679d981a03e23e7e1db0d3e7aa4d23e5b8a36ac0

SHA256
07d0945ee2234f5d24f3820b99c63cb2d9c6f827a14dffe7a552d43e7811a665

SHA512
f6a728a12d0a66aff4e447ecc68918ac29204b4816de1efcaa71c35cb8186b568c71f78fc9bab760e7c33223f051356b795c1752e8e3c0ad1c90fad813397c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0C4ABE98\node_modules\eyes\test\bg.pak.info

Filesize
554KB

MD5
8a679c02bfbb88c2760ca0d962c0b1c8

SHA1
70b1528af5c62336043b2531fa7b477f9412278d

SHA256
bda7bd9f39a00b007f21a4e9b82fcd2267f4dfbd53800379210ab4f91e982529

SHA512
df1031975a8acdcc471638dc21642c5081c9edb704382fd05c63ca638c61c637ceb97a480a18cfd3a1c784c020a2f2cf853f8c9bad5e3b3e3857c7ee25ea26a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0C4ABE98\node_modules\node_modules\ipv6\lib\browser\jsbn-combined.js

Filesize
32KB

MD5
b142e9d5184136e043f3a89f89af4faf

SHA1
2b1d21756f2133ec973b7a4ceb7ff4431a59acc8

SHA256
9ac9faf7e20d8e586ab936d2fdc1a54d6ebf6f643a3d5b7118e4c6103e53cd08

SHA512
a7144226f7aae73a0c60828572ba4b59853836fa56206a48557b39f65e7318312772812b208a21894e747770d0e291483765a86b089541c5f10809611bd9a3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
0df61cd6caaf027b9956db69e6f872d6

SHA1
ecff4a295113d9af9a4fcae0e7f9ad348b1d49d1

SHA256
f2eed2646d66730c93bc0a9e757463fd424bb6da0f9faf8695d5223419cbdeca

SHA512
1d30b918d41bfc51caf7eb3f9ecfaec0a1a7c6adda4a4629ce4bde89c05744561b9bbaea65a3898dd90d7cde05d2e8710e024d655d805caf9fab64581f256ed9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
7KB

MD5
49109569fa051db81db8d392912af598

SHA1
af0ea3bad3814b6b7277ec8d232d7d54f93440a1

SHA256
31b0c58c35b00a853f4cfd32cc9cb5c28906dd81a13985214414b85146a68473

SHA512
6d7ff0f24ce62a177cfb4b911ac3e10c0d4cd0303bcee01050b5e403588b058469f4e641be1086482142cab82e0cd26504f9d00f5cbb67ac7c8a65059036d372

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
10KB

MD5
5d58e4489ae818600248c06be4f1a3e9

SHA1
174e0e360de4af5229ecb7a5954b3cc36d1ad6ee

SHA256
c334e1a76abd805dd53a0b44aba85c9f857c08f1952016f885c62ae274e91b2d

SHA512
26d96a736cd59d24069a31527f9364b823f0ef89ed87533e155d85d6a37a3980c98c604e938805117a837d34c80f8833dca2fb862ae1b4743d310cef364c482b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3a0807307279ec1386ac88d220af54bd

SHA1
98578d37b45542c7de4c2ee0da37d639f22c3fec

SHA256
6bdfe37a31463736cff16d434f2a6c93a7f5fa295d1ad01771507930f1816d63

SHA512
1268769a2352c1074ef801e3623286f82a44060602c0c0cfe232abd9fb21cfd700cd53860f9869bf365ebf7303ac162616b03ee15a9123717b3e7d277170b83a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
edae0137ece58ec4190a1177359166bb

SHA1
83c9ec4d23cbabaa12500e20873bac42ff91d78f

SHA256
c565ca4ee684211e265f57d9c32ff9ccd675fa54ea9535f38d0528351e2e916a

SHA512
65079f5e6567e34940afa0c9cb9a2daea339d9fdf057782662787e735774d07c33f0e4482bfac81b4745c48314298f8f02dd1a48fdab8edc42dce78b7ae589bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\47370b3c-5adf-4ad6-9972-7f978257fd0e

Filesize
25KB

MD5
fe82ab6d3c0c0d525a3e26f73ab6fa23

SHA1
f427e08453b4452e1fec6c4b0ad09272c5e071df

SHA256
5362397a850bb005d91500bfd8a3ea03611bb3e9d2e4b8e465d7611fdc66c0f9

SHA512
7849a36ea603aa5d9904995c6bdc4fef90204ec24e90e1295bbcf4e9b5654da21bcab95e4b34750e702b68b04c777462be8b5e04aef5c7f395e807e28f432376

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\a0368e1d-8306-4863-a78e-c3910d899834

Filesize
982B

MD5
149f3f0e57286797b4b713bc2830dbec

SHA1
66b2e63fa42aa84dd9dc23b0e8b09d333132fbf9

SHA256
0fc0e7c3180dd948b13be9f2d60f76e895645b879df8b0a1779f47b3224852c7

SHA512
8109e3973a1490d1c6f22a4218b263b8be61e3b733c9ee08fb10879ed8219ede367327f01136628129f80b85972418bc5cdba77e489b1487edf19a20c109a6bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\d6fbea17-7c5c-4e6b-a647-26e144ec9969

Filesize
671B

MD5
082cb0fd91d287b82e4c4b80c9338e85

SHA1
9219fb9e38d204d07dc609e28ae987899d5e686a

SHA256
904fdc8b5a69f3b60ad016d36be8e455c156f4801e318e32a1c0035a1ec797c7

SHA512
79a19c2fdc36485ab6f0fdb18b4b37b012760793e5944a64836e31a234f2e6011fb6898fa812b4c4a6a0d37bdd1a73e9d57ea00f0589705e3ffeda73c83380a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
11KB

MD5
0386f519ad890f661bb29361df422987

SHA1
a0bb8ac7749218dda37e556ef30847fabcc9fc7e

SHA256
2b88f0e4a0dce94473ee2762edea4f6b46a7c5b47043d8d166c5d29478d0bcd5

SHA512
d22a240e4eebc33da9f81f2be084dff25f20589b6afb71b1f9aa47952ec5d18803ffed6fc5e6841575feb6f3837310499a86bfa3d85dec2fce2b6b9d3eb660a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
a133c200e39032a3961307b0388c70e7

SHA1
8d075a45a45a8c1854feef85ade8fe956e056cc7

SHA256
62cf87a4e4ac93204883cba98bf5a01369ffede4d9e240d29d313675ddd1c9c5

SHA512
0c7df5992943ed53c85cc12dec04f40d9913e1a4aadb4857572836d4c6f952fe2509e35f3f90c201f400ba9099826227f8ab59fdf9179e06011b72c80d07c924

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
4f318dc55ceb6426f604ec4a8004e5fb

SHA1
f87746d39422ec1cd48df0f3c0315faeb80395ed

SHA256
8a1a067057bf5db62dfbc39ed05473b18e83572da31519727b010e8272395def

SHA512
fe511988717cb1922a95dbb49b96a2c06b6464f63521eb981664a04a907cca390793af3d766cac3302153fe629435ffa61f62240c877c8ebd100e222f5ff939f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
69d2633542b7bb09c651f360afc63175

SHA1
b96bb22d3f1dd4f4debffaa08fb05d5340c4a6a3

SHA256
a3dd26253379a983a9680c6cf3508b47164d12ec4aee29867d528fe80497bdf5

SHA512
680d859d7bc20fb8ea2b672e2f68ea5c7bd717c0fcf2d15af9130214ed3053e8c7bbfe2a8bea953593b2db1ffe9aa95403cb657164ff1969bf4b6fb9e0baaeaa

Download Submit
C:\Users\Admin\Desktop\installer\Setup.exe

Filesize
7.3MB

MD5
4d4a0049e32c510295ae603df1ab7198

SHA1
6262384caf767f091a7661d44411c7e1f89c3911

SHA256
60c6c8aa6ff036a9a871e031e7c15dbd1dcaba82a880f62fe789449d76ea6d6a

SHA512
78612f0ae46442b174b3bc2f97b81af4dadd0a4360a038e823ed86328732e70e803af7750c2993bf32ff214ef03c8e95a91969c5c3d814c8048ff4d2d0fcf6d0

Download Submit
C:\Users\Admin\Downloads\Free Uni$tall PA$$ 12345.iJinemOF.rar.part

Filesize
22.6MB

MD5
89d082a4cd2466997f7baacd579c4649

SHA1
98d19fa723342d30f450fbfcb9980fc7d83e154c

SHA256
be111092dc5a35fb490ba6cc6de0124ab5529f7bbf51c0c33892e385d83ca907

SHA512
72ddd1e90b853aec0796b8f0b5bc97d3b485be0478f8b72a4de5a046d4f2dcef310cb26d15000a764f30149f2da51c9e5916b4410e92582f6a2d683e79a11c7e

Download Submit
memory/4372-1937-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4372-1939-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/5476-1925-0x0000000005FB0000-0x000000000604C000-memory.dmp

Filesize
624KB

Download
memory/5476-1929-0x0000000006390000-0x00000000065C2000-memory.dmp

Filesize
2.2MB

Download
memory/5476-1930-0x0000000006600000-0x0000000006792000-memory.dmp

Filesize
1.6MB

Download
memory/5476-1924-0x0000000000F50000-0x0000000001694000-memory.dmp

Filesize
7.3MB

Download
memory/5476-1936-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download