vidar | b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe
Size

1.1MB
MD5

db05af12adf9bec6dc7db5e6b63cd537
SHA1

8d7a89dff4a989db353bd6eb06c4e10e10a744ab
SHA256

b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc
SHA512

ecc98822ffffee1ec2d8d16cbfde32813a20e0f1f3c4f16d40599b101be7dcc0413c0c492aa61c53845a290de727f8b2a18e12acb45e80b1bf442214db30c9dc
SSDEEP

24576:NFXdWAia2MERpto++TmyY1rY0cfz3hCywFGp9RR2vSuzfb7Tb7j:bU2Jm1J+RCfFaRRSSu7

Score

10^/10

vidar fc0stn discovery stealer

Malware Config

Extracted

Family

vidar

Botnet

fc0stn

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
56	2216	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	Plenty.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
428	tasklist.exe
2220	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RealSheffield	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe
File opened for modification	C:\Windows\LeanMaintaining	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe
File opened for modification	C:\Windows\CopyThreats	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plenty.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
212	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1700	Plenty.com
1700	Plenty.com
1700	Plenty.com
1700	Plenty.com
1700	Plenty.com
1700	Plenty.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	tasklist.exe
Token: SeDebugPrivilege	2220	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1700	Plenty.com
1700	Plenty.com
1700	Plenty.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1700	Plenty.com
1700	Plenty.com
1700	Plenty.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3076	2168	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe	91
PID 2168 wrote to memory of 3076	2168	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe	91
PID 2168 wrote to memory of 3076	2168	b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe	91
PID 3076 wrote to memory of 428	3076	cmd.exe	93
PID 3076 wrote to memory of 428	3076	cmd.exe	93
PID 3076 wrote to memory of 428	3076	cmd.exe	93
PID 3076 wrote to memory of 388	3076	cmd.exe	94
PID 3076 wrote to memory of 388	3076	cmd.exe	94
PID 3076 wrote to memory of 388	3076	cmd.exe	94
PID 3076 wrote to memory of 2220	3076	cmd.exe	96
PID 3076 wrote to memory of 2220	3076	cmd.exe	96
PID 3076 wrote to memory of 2220	3076	cmd.exe	96
PID 3076 wrote to memory of 5104	3076	cmd.exe	97
PID 3076 wrote to memory of 5104	3076	cmd.exe	97
PID 3076 wrote to memory of 5104	3076	cmd.exe	97
PID 3076 wrote to memory of 3432	3076	cmd.exe	98
PID 3076 wrote to memory of 3432	3076	cmd.exe	98
PID 3076 wrote to memory of 3432	3076	cmd.exe	98
PID 3076 wrote to memory of 3776	3076	cmd.exe	99
PID 3076 wrote to memory of 3776	3076	cmd.exe	99
PID 3076 wrote to memory of 3776	3076	cmd.exe	99
PID 3076 wrote to memory of 2136	3076	cmd.exe	100
PID 3076 wrote to memory of 2136	3076	cmd.exe	100
PID 3076 wrote to memory of 2136	3076	cmd.exe	100
PID 3076 wrote to memory of 2408	3076	cmd.exe	101
PID 3076 wrote to memory of 2408	3076	cmd.exe	101
PID 3076 wrote to memory of 2408	3076	cmd.exe	101
PID 3076 wrote to memory of 4836	3076	cmd.exe	102
PID 3076 wrote to memory of 4836	3076	cmd.exe	102
PID 3076 wrote to memory of 4836	3076	cmd.exe	102
PID 3076 wrote to memory of 1700	3076	cmd.exe	103
PID 3076 wrote to memory of 1700	3076	cmd.exe	103
PID 3076 wrote to memory of 1700	3076	cmd.exe	103
PID 3076 wrote to memory of 1008	3076	cmd.exe	104
PID 3076 wrote to memory of 1008	3076	cmd.exe	104
PID 3076 wrote to memory of 1008	3076	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe
"C:\Users\Admin\AppData\Local\Temp\b112123f490a0505d0c2722abc65d1285865c519ec9587fe72e988c38fc1fcbc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Advanced Advanced.cmd & Advanced.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 328748
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3432
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Discovery
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3776
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Lean" Lyrics
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 328748\Plenty.com + Tablet + Pointed + Furniture + Rhythm + Children + Cliff + Madness + Amend + Interventions + Deadly + Notre + Wood 328748\Plenty.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Biz + ..\Disaster + ..\Administration + ..\Stopped + ..\Broadcasting + ..\Kevin + ..\Pins u
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\328748\Plenty.com
    Plenty.com u
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1700
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1008

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjJCQURDMjktOEIwMS00NERCLUIzRTEtNzcwQzM3QjM1QUE0fSIgdXNlcmlkPSJ7RTREODcyMjItQjlERC00NUYxLUE0N0UtRDEwQzIyMjcwNDAyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7REFCNDczQTMtNjA0My00REQ1LTlGRDYtM0I5NDk3NUZBRkEzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDM2MTg1NDM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMY00S8L\76561199817305251[1].htm

Filesize
34KB

MD5
e5cf9359a31e418d0584a5376bcab6fa

SHA1
c1f801c37dc9e5267bacdfdef2df3678e687aa7f

SHA256
a7aa7c0758c76798690576c4b561b4ae585d3f42c6be94457bd7342729bade7b

SHA512
a6840c89cb547dd4cc2a3f2990f32e769bfc84457bb081f6a9dc600376704845a88160e31ee1b90a488f2d2212ecdaa39f65011d08e849d8371bd2d9e6415989

Download Submit
C:\Users\Admin\AppData\Local\Temp\328748\Plenty.com

Filesize
2KB

MD5
f09805024a16f2381073c4d3a31f5993

SHA1
025b2d97c5675c3c54058979ba6195db253d007d

SHA256
9d316dcb15ff00db06b5d2fcc98d342f2d068f93e7464fbeeed09ce665f00fb1

SHA512
9a16f5951e1178256c6112f59959366c44d3c0d35c92b8ba34928d6a77dfc9a524af68aa17c085172e9a7c26084d247ccc60251c15e8d105a353c660dcdd3046

Download Submit
C:\Users\Admin\AppData\Local\Temp\328748\Plenty.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\328748\u

Filesize
498KB

MD5
30dfa85a734342d74695150174729bd3

SHA1
5a6ab95a19f391410d1d17ca0387c7ea4eecbca7

SHA256
93a687feacdb81ea0912530bd90aeeaf521a65aaa6fbf0fcceee0f32278c33f8

SHA512
ef199a7b211909462cff999644400793cadc03dccd0b364b22a27827c5df21ff393e28cf2b492f9da682e112278ecf70c688da6335ccb5f513eb1400a7d59b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Administration

Filesize
96KB

MD5
fda6204097f5f8e49faddceea880c1d9

SHA1
fac73f638cdd72639286896172d8d8522208c48e

SHA256
f11af076891e5208b909db8c3b8a366f20595954c388cd2689fdde86af5bd095

SHA512
309203faa68e290db40a7e31d6a81a0d91589406cde62a3271bb085adabcae6e1f32d0c39003e6109818bfc788bf8ce9395a9c95f29e443ff8624462b9313d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advanced

Filesize
11KB

MD5
053e7b458163b419b4018530f67eb7fe

SHA1
435ca9c271d90fefd2cf2c66a9a182bb7f8c728e

SHA256
03baeda2a923bc32b12dfccd7704d5ac107859f53a3cb263c2fa95aa7a5ee2d3

SHA512
41a34ba0aebafb67b770989586c0af2b82df4adda5e1d993b93b075432b489555cbf2a4535b0545dcc5aae3b830fd877e10d5548129d6358fb64972d25f38105

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amend

Filesize
94KB

MD5
54eec178c4852249a2dd15f9462e8ba1

SHA1
28400650149515f9f526d1c96b89cba9dcf77925

SHA256
cd13a1fd45ee02fc0b54c57de86d0f249a9b84223fa6e8fa00090aef6722fe48

SHA512
67ec0b2773e711129f54b9663aa2bbad6a3aa393ee9cd643acb91f23241bd9171ab586feabdaba20937fb74a3181890ce788a9771f86edb4282c536d5c54d95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Biz

Filesize
79KB

MD5
70d676cd6f0d6ce53d3a9732f75e9530

SHA1
c2da2d98f94e9d955491d54cd763b90a0736ff73

SHA256
fa213c3fe6d3ddb3b9c138bf865ffbe6675881d3dcee0696d90588c4aa8e592d

SHA512
a7987972586cfcbeb64cfcf104942f45bc54de283669bd8bac23edeedbc3740e57673d31f571ea0226f93d35f0c700b4eb6d3ea8ddfc18c7b17d7bbc00687e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broadcasting

Filesize
57KB

MD5
7efa9ab6053bd424cb4cb4e4e6cfefd2

SHA1
c91eec59d4c95481d14e8fb1acff6c57b3cf4c7a

SHA256
abd7cf51098d69a01107aed50f12bed6a2c74dc2a7d50b5740c401afc9918de1

SHA512
a3f613081f74925b1e4a62c9a733f94bdbf2f71005e93bdbfc844bcae4a11ac5ce1a31cd4419abd659a6cceb477b5d846d27e2942c92441503149a3052f4abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Children

Filesize
61KB

MD5
83dfd5584f7f81cea0e4af2919bb5ea8

SHA1
61ccf77bc19185601e957c04fb50345b58359e42

SHA256
d9c2bd902802d0e458d7c96656dbcd9b36dfdaefe4f309c46b350b32e892e140

SHA512
5b73ab4e9f9abe27594328b0c0656075f084c9745d8f513357e74cc1a0559a77f6cfa0b51f9fa7dc181396452072d829ea5c193f9628a0625147946a473c0247

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cliff

Filesize
111KB

MD5
33f61a79bd6438b5be3326be7a493e3f

SHA1
a380ae835aae0c34a9427565f2221b0e9d984fbe

SHA256
56c8cbac3e1daa38c1050eeb3b6c772d734e3763738260d35eced5597fcb6a9b

SHA512
8c71780998b557dc57ad3894155a5b34ff22425d679e3fe60b6060822867b6c30f9989c665021151d22554fb6083b8e07c6423792994a00498b9df569bc8b295

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deadly

Filesize
115KB

MD5
62b8977d11a5515d6834abc7bd0c4e61

SHA1
0712a2d094a374fabf8b2cdc0e07125ea27224e9

SHA256
a65efcae907a9f3d565a36097aede572a82e7f3abe4b7156e10eecff9690db4f

SHA512
236fb07986cbf36fb4ccf42a7803010c89a1abe593a77a47a778561b10aaea4038e726d4cb96b0293872fc7f21e8a1fe771fd8be85a680ba96e8879861218816

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disaster

Filesize
51KB

MD5
2f58564bd2112dc060f35159f15375c6

SHA1
3e01539f2721ac015627d4990a884ffcf585a1c1

SHA256
78890b3f85c46a2eeaa1fa623c9e6c10a12e9c42c7ac4a8ad08a3c73d2872ae0

SHA512
111a192f72ec7a9c9e8b6e0998f13898530c6f28732cc0f83401d4b7dde9d28d1f7dccfa151fd93d88b22c6aa24e30a17896c20d55f19de1e9f49fb592e42e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discovery

Filesize
479KB

MD5
59af24fce6fea792088a3c38faa6d211

SHA1
bc622be846cfa137c20a0ac68c91b1a6c01240f6

SHA256
2e65a495270e8b204e7e64d180f89d9c3ac167e557b247b9b4f7e860179019e2

SHA512
072a362aa34228b02ba80351354b98df8bdb0479b7164cfbcd37087db68b41cdd60737bef7687a502f7970550b5a76a69cc35e7180c3a0db3fa13bc0af75ecbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furniture

Filesize
54KB

MD5
1b1e7f549858aba566db14d5ad3d9010

SHA1
b144bdac59960c2ac6a8477c68b1784461d1367e

SHA256
ab2a5e9a948aaf205447377b053b88c21eead8fb746e4d87bb161e471461f244

SHA512
d21e0319e095ac27cf51f88700158548da594c21ff024370f9f711012eadd0f8b8629b2a29b4da11ad3e16f255862ee21c30c32ee03df4b0297e36a16c2cd737

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interventions

Filesize
73KB

MD5
3ea0b05042da47e530b6a6a160bb452f

SHA1
7568a8650a4655ba1fca3f3bd03c508d587f1d6f

SHA256
dac8d024117e9276c794f1e7f8254223142c83b2efbee0bc0de7381323d83cf8

SHA512
0fcd729b32b5a05c81dfa17e3ff83e2b4900f0e7f6548e165ad7b92cb452a24fd9ecc9c7e794b722492e5a58e1b9d92c55e60e12ecfee30c6d386f900cb4bce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kevin

Filesize
96KB

MD5
f171619b7267dda17ac48b3677629116

SHA1
407778902588c7c67c0d667f7f2b2535fc1b408a

SHA256
17b9c38ca1b78eb5c2a4adf1b6ae12ee3b784cd96fe47ff651ef408aefd4262b

SHA512
72b9b132814392a3515d89ef5d4f136558e51fee7808e34268ff28391eefde6c9e249c5863bf7f3cb05b8f33e5e7156e166b64aec0da0b5d449c18a069e7529c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lyrics

Filesize
2KB

MD5
854b7748df2d57f9525fd58119cb0821

SHA1
36c75e2df5ed5cdb69d95f8563da0084fa1b54ea

SHA256
efa993ad07d3fdda6195adbb08cd2683d81c1b6905ffcd984ee865b499da6ffd

SHA512
987cdc3c3d93d78eb192b5a8551bb3e3e87d55849548e858180fee123f489f7d150857558867e2b5f77e6782f1f3bc23177a42446501ef29851682edd0fac2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madness

Filesize
104KB

MD5
ff2b6968276b6242bf89570caa3e83fd

SHA1
c2ed44c8606bdd2017d0748fdd40cf06463bf018

SHA256
6d09d2562f9ed37e1ee9fb315c871b1610ee18eb17555a4ebb8419ebb16c1c1e

SHA512
34a322c3937bd960846e5aebed25d09201a0e7b438af493822932b4c37d2e901043ae89f09a7b184bda45eb47572001458958c9a00f654f8072ff0d1d0051a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notre

Filesize
111KB

MD5
8ffd03bdc79edddae835f650be55fcfd

SHA1
983025b0e8273183e0b98b15b1d018e7713dea30

SHA256
a0bce5c0aa044fa17ac6a00fa5fbe0758dc6955688b52c0307d8f84d029e9bd1

SHA512
90f8900fee85ab2387a9f0adb93a601568e96327937ead74f6375176833bf0f6b3057521ee219685dd7ef94d7b6065df7f326fa572ee2fbface507fb42b8ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pins

Filesize
43KB

MD5
bee382f09e0dfba25d25bfb4c5a907c4

SHA1
78abe59b7c39363379b8b263d9ae3d5bfa86ab8a

SHA256
18774ce40018af110ee85d4fc42813ddfaba28302fe82b9286f764aed53defbe

SHA512
6ec3dcffd156dfb34df16613b86135d5eea81e0ae2f1f56988f09943f3e1fe0541f7b1b8a0a9f8ae22de299c00b6af4537eff101eed4820c8dab2c84af78ff59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pointed

Filesize
51KB

MD5
f7f5ff0f2bd31623e7c033b803b053c9

SHA1
b6250f30f9a0306b899445e7a50f212219d06c4c

SHA256
64a527caad4223df35940282da552d54f45ebdd77cd54eb370df1d2d56dc1714

SHA512
29cfe0d6c45c646cbcec69bb7e37affb169a64c62f63f6b28705eea1fb5d040bf0776ed01efde74d22ab6dbf95fc6076b2e3ee1d7d4421a99db72496105d1ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhythm

Filesize
63KB

MD5
b2dc4dd8b27e85c1fc1f9e2756cc5010

SHA1
84cee97f9cf0f3aa635cffa05c5c4bdb8479fb47

SHA256
4011089f5c9af5b0977fe1cf27fedff2b4386f604ea4d2ff027c2212a6c81a79

SHA512
684ded74ea6a2d8c48377675698bba36077acaa44af051c26df8ce3a838c67cf4a82ca461f9a7a00557136d038dc5a9b47e03e5d8307cf45748f49051ddb9cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stopped

Filesize
76KB

MD5
6c224dbaf78e8546e824354f389d91b0

SHA1
4a8749ae451a87498a6a5fa4d088870da192a904

SHA256
d58881edc4a85cac2ee041bcb50102f48f1b97b05664fd1751f764d83f620b9f

SHA512
ffd0bbce9d723bf41d876cb8a4b9c1de921b2ea98d6861201e1c0a7330f13e089a00e76c353012067882bcf3a218cad0b53c03e076c66aeb8b0b6f23dee41e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tablet

Filesize
82KB

MD5
4582dc3d5c7a62eed55d2501e181a9b5

SHA1
99844acf7dd64a59b7a8dda00c87c1c964acf88f

SHA256
d7707ea0ee210d0ceca688cd7ae427c283cbb6d0099984c1744ca56f485a1a92

SHA512
bfe575d9ae578a42b81e4b4c1eb16105bd5f301ffd26e1c44eb47a6e193a875648030606b011df0cbd680bf3013f4784c3b2c2ad2e2b07a934ac07cc543c203e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wood

Filesize
3KB

MD5
51a43556ae67c4aa09fb2908e91fd156

SHA1
a1cdadbc866ae428c211fb0ea59b111708dded19

SHA256
93a557b9d976afbc36dff4753efbe299df706313645eff4513fb08b28ccdd0c6

SHA512
66cbbf74947fa94b9577daee56a1f5b5e918be6c0133da5e9fb2651851baac55170eae74e67f14a35fbd2009dceee8b41d6f6e4a5f1731017672034d145362b0

Download Submit
memory/1700-79-0x0000000003FE0000-0x0000000004040000-memory.dmp

Filesize
384KB

Download
memory/1700-80-0x0000000003FE0000-0x0000000004040000-memory.dmp

Filesize
384KB

Download
memory/1700-82-0x0000000003FE0000-0x0000000004040000-memory.dmp

Filesize
384KB

Download
memory/1700-81-0x0000000003FE0000-0x0000000004040000-memory.dmp

Filesize
384KB

Download
memory/1700-84-0x0000000003FE0000-0x0000000004040000-memory.dmp

Filesize
384KB

Download
memory/1700-83-0x0000000003FE0000-0x0000000004040000-memory.dmp

Filesize
384KB

Download
memory/1700-78-0x0000000003FE0000-0x0000000004040000-memory.dmp

Filesize
384KB

Download