Malware Analysis Report

2024-09-11 15:22

Sample ID 240611-2pam5svdqg
Target Setup.exe
SHA256 0ca333d46ad10eb06eafb84b422b48f3426a0feb360699819742eb74a391f110
Tags
stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ca333d46ad10eb06eafb84b422b48f3426a0feb360699819742eb74a391f110

Threat Level: Known bad

The file Setup.exe was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Detect Vidar Stealer

Stealc

Vidar

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Delays execution with timeout.exe

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 22:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 22:44

Reported

2024-06-11 22:47

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Detect Vidar Stealer

stealer

Stealc

stealer stealc

Vidar

stealer vidar

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2420 (x4) N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2764 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2420 wrote to memory of 2620 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2420 wrote to memory of 936 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2420 wrote to memory of 2416 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2420 wrote to memory of 2844 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 3032 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2420 wrote to memory of 2480 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2716 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif
PID 2420 wrote to memory of 1932 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2716 wrote to memory of 1068 (x4) N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 3024 (x4) N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3020 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 389546

C:\Windows\SysWOW64\findstr.exe

findstr /V "MasBathroomsCompoundInjection" Participants

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Angeles + Ancient + Phenomenon 389546\I

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif

389546\Cycling.pif 389546\I

C:\Windows\SysWOW64\PING.EXE

ping -n 15 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start "" "C:\ProgramData\JEGDGIIJJE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif" & rd /s /q "C:\ProgramData\GIEBGIIJDGHC" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 EOdcYUYhuUpTCOAaZwJulmEhdjOuF.EOdcYUYhuUpTCOAaZwJulmEhdjOuF udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 t.me udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Emotions
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Participants
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bucks
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Que
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ld
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Violence
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fighter
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Genre
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Alot
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Richmond
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hayes
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cruises
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Chad
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Instances
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Favourites
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Seek
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tokyo
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Double
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Portrait
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Studios
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Referring
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Smtp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tags
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Consecutive
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Angeles
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ancient
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Phenomenon
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kde
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Old
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Race
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\Cycling.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\389546\I

memory/2716-504-0x0000000005E40000-0x0000000006086000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 22:44

Reported

2024-06-11 22:45

Platform

win10v2004-20240508-en

Max time kernel

32s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 2956 (x3) N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 1504 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2956 wrote to memory of 1156 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2956 wrote to memory of 4640 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2956 wrote to memory of 3924 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2956 wrote to memory of 1500 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2248 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2956 wrote to memory of 3220 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 4104 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pif
PID 2956 wrote to memory of 4624 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 389546

C:\Windows\SysWOW64\findstr.exe

findstr /V "MasBathroomsCompoundInjection" Participants

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Angeles + Ancient + Phenomenon 389546\I

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pif

389546\Cycling.pif 389546\I

C:\Windows\SysWOW64\PING.EXE

ping -n 15 127.0.0.1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\Downloads\RedoSplit.ttf

Network

Country Destination Domain Proto
US 8.8.8.8:53 EOdcYUYhuUpTCOAaZwJulmEhdjOuF.EOdcYUYhuUpTCOAaZwJulmEhdjOuF udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emotions
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Participants
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richmond
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alot
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Genre
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fighter
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Violence
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ld
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Que
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bucks
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Double
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tokyo
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seek
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Favourites
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Instances
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chad

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cruises

MD5 df5dfe5b6a0421e48a25a415c324c11b
SHA1 f7acf9305f714e0010857ddf48c9ea3e3e5d5170
SHA256 c099fde206d6afa36fe381eb40d80ad056a5d049da2e95ebdb066b96873c9741
SHA512 7ff3f9af4205f08e5796d03af6d969527b61ec00bdd31d0afe2627d275788487549a525e10dd041f649a946d175dceb4b3ba2ca9d9a11f88ba116d05467578af

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hayes

MD5 71bd261427fbdf72899b417c38c977bf
SHA1 b2eff3eb04fb8aa9c92506e998314aed1deae969
SHA256 1524cf81ca46d5bcf334ab7fe5a0fc06c8d29de88e28831b57611381bc7b9996
SHA512 c1d3459f36d460536ad7bf0301ef8a9c808946926b39e6592a09154baf80f81ddc185dbae6179909e930fe4b27c5b12020914f6bcf71db92bf4573b61aaa5545

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Race

MD5 df7307d02f71ebdb3919ac12fc622327
SHA1 390ad98fa3a2b897b1a4eb10793e8a209a0132c3
SHA256 dab5df5b32f1793ca245121b64b5df054945e8d1db26d144c00259e9393a7ddd
SHA512 004deb72899edee10c25370954430007cc8b349294a566563fb6ec39b864a13cf2af5d460e1bfe21cd4def3c1b2309cbf472977d9e35db9830c53c3f5146c297

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Old

MD5 d7be099bae3b2243941057b48b091c00
SHA1 c3bf3cf0716a87a2bb34aa1d1a498be867be3bae
SHA256 8afd0803ab97c78f1e57240725b202493210e6590f1736910621d73a48fd461e
SHA512 fd51583cae94ab7f39ea0001faf43c84bc119ddc100794181ff6c0cb222f76cdb5b0bd320ec918aa89ee38f0e3f6d1975fa06bd0a62c5a45d3ce5a110685d56f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kde

MD5 4ff55e1b173517e7a3714232c67aba27
SHA1 b85a132ce34a7f9c9583a4bbecbc668bbf68ef80
SHA256 85e6dcbcf863bd85bc1de8fe888c531bc2432629097876a1c9c56dca05f1b41f
SHA512 fec8be986ec5a445d021891222192d362207577e5b67290df3a499838eee4b9b5128cfc5223035a18ca9fdab669d28aca5fbecf3c7a6e7e6cf7493fa9484a389

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consecutive

MD5 2c410a64dd126d7005c8bb1a4fc277ad
SHA1 dfcb97b8cea5d3544f21528d3dc4652ab97bfb22
SHA256 741d23db94df6edd906f6ed35e582592c47a23bfa92263a37de42851cca0c724
SHA512 6e0f4a9453377ce01be8a7a78f48f13bfd83490bb3292d3d9db9f635bd2bdd690a4a019c5a3230b56ccedc4242ab1060801c7dc0981e43843cbb5b4ba606fc4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tags

MD5 8bf1c767ee20182c10c754b4b0cee496
SHA1 9d2e97d270846e6b8a0b371313928c894cafa0cc
SHA256 be3945010b4e40b7684c41739b18fbc638e00b5e0fe7e1ac73a4786e949b60c9
SHA512 7eff4d9150a899d8fc21b41c0e66d2b5d448055a7600cc414a69332c2cafde3973a6aeca91c569eabed2b489f8c26b5560792ed1941284a82a7bfe372a40fdc4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Smtp

MD5 ce280a16fef13a2bcf02f5f535ddd8e1
SHA1 4a5a4127efeaee15f2334989fa44e285e40872ca
SHA256 f22cea8cbbc1d159736eb46e0863a1b2ecdc345988280cdd689c1ccfb8c8e3a0
SHA512 052d6286d0e7f5d01fb58a3a6e65450980b37172e569c91239f2e0f46b7199838a4f64209f90b9f671be9c574411c50123bbe9350fc49bd18863a5087d7a4e63

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Referring

MD5 6c9db7026814dfc28550b4240ec184ba
SHA1 398a75ace24d683836f0ca18a637991f89655ebe
SHA256 e78c9ed0b98d8bbf333ce827206fe92ccc83f0a922fc85e3587fa9b212be0b09
SHA512 2893fb7ce3e4ee0f3ea9361b2d9e907a265281cbfaa13552c54c88e3a453792e979d4c9907c10ee92a81bedef931474c5cbf3891970549a18e4d074390ef61aa

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Studios

MD5 81f9103329f1d1987bc8acabf4479213
SHA1 9f6cd4c95d8832cad521141cd9b855b392257e01
SHA256 afd8f25d62dbe8d415e349d3eefe69148f45f23380fbf6589112aa9b761f6552
SHA512 e7b53e546f4c24d8d7917515a71f02c117a8082aff35954b761caa011c3a71c775dc618b35cbc1b2c6a7d379a9f8ade59aae17a298ecdc3535d758102bee048d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Portrait

MD5 d32f5a642703f9de4203fe03ff99444e
SHA1 1402f204d957ea840fed0b7a9fe2cde550838efc
SHA256 f30741289eec81c0bedd3833e3fddcce7c55ab7bb515aadba853b0f64c92b75f
SHA512 673c4a11a7c77f277dc320d09c00d44bfcf0e24e1a8a47f566250bcc6f7cd58a59c8e4ee0dfb101cb6c09f062951d9f6853168df75f9a3ace416e8d619d9fe96

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Angeles

MD5 05d31ddcaff9b3500b871cee4185b495
SHA1 93d4923c5083ff322524884823aeea410b1e4aa8
SHA256 5ea8db4abde48b663420e066e16d2f91c45ae0203a60d4bde5c978137091c30a
SHA512 590a70654041cbc3779c5ad9b194a91566c8d72df08567f58cedc06f282af93b38d06f353e90e065cd66e95f70466124fb0fba7b334c483ed8ee9992d1a74948

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ancient

MD5 379bfbbb562917f48f1c3b88464bea8e
SHA1 e7c124ab47a45dedb0edaf6bc4a2dcb126446dd9
SHA256 26828bfdf0a00deb494bb5151f72010f4ec0006efff4530336aa7096d0b7ac97
SHA512 f4bd4d53a009bf68877406daa1ba278370f38c25827b176088aef55dbb3492ba99a0f81093165211810457cc70fc7d7aca283982f07b0c2b9b8d2dbe585798fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Phenomenon

MD5 b32330c50f312bccc185650c3b7c6b69
SHA1 5a26c0bb1bcc56fefa03f964f96e4d22806e9062
SHA256 b58e65919f7e1f7e1bc9389775546473f91162a539f6954caf89beeef6535d51
SHA512 d571f3b1690628fde595a128fdf0acda8df9a452cf83cd5586962cf04a89ad0409d5efc5da7946391b28dcd9eb180294195db4e5bf9bed862db07934ede66978

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\I

MD5 babe65ed34141cf5f73a21e84c06349d
SHA1 6571bac8d9e020c2faf44dd312ef66b51d733ced
SHA256 65807df1cb1ee39b8d544e4a4481bff18ba6cb803d0de93345c6c2733012ceec
SHA512 deac1458d7cc988cc8df9943563f0944a254d1137166ea973fcc499617ac819de7105df2a7701275440bce61870d61f9752ad490e09d54e7d5a031f1f8abd67f
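The file table above is a list of dropped artifacts, each with a path and four digests. To turn it into something a responder can act on, the listing has to be parsed into records and compared against hashes computed on a suspect host. The script below is an added example written for this page, not part of the sandbox report or its tooling. It parses a listing in the exact "path, blank line, MD5/SHA1/SHA256/SHA512" layout used here (`SAMPLE_LISTING` is constructed from two of the entries above), hashes every file under a directory in one pass, and reports matches, preferring the strongest algorithm that hit. The `demo()` function, the `abc.bin` file and its "abc" test-vector digest are constructed for the example and are not indicators from the report.

```python
"""Parse a sandbox 'dropped files' listing and hunt for matching files on a host."""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample: two entries copied from this report's file table (raw string so
# the Windows backslashes survive; the listing format is 'path', blank line, 'ALGO hex').
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fighter

MD5 99f6f630ace0d999eccb54edd426d0bf
SHA256 a4a8b1486887631a2eb8c670d79638a02711e6ff0e8198c95b1f39ca8a281ccb
"""

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # a Windows drive path starts a record
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)\s*$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)             # algo -> lowercase hex digest


def parse_listing(text: str) -> list:
    """Group 'ALGO hex' lines under the preceding path; digests of the wrong length are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            records.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == HEX_LEN[algo]:               # reject truncated/garbled digests
                current.hashes[algo] = digest
    return records


def _hashers() -> dict:
    # usedforsecurity=False keeps MD5/SHA1 usable on FIPS-restricted interpreters (Python 3.9+).
    return {a: hashlib.new(a, usedforsecurity=False) for a in ALGOS}


def hash_bytes(data: bytes) -> dict:
    h = _hashers()
    for d in h.values():
        d.update(data)
    return {a: d.hexdigest() for a, d in h.items()}


def hash_file(path: Path) -> dict:
    """Compute all four digests in a single read of the file."""
    h = _hashers()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in h.values():
                d.update(chunk)
    return {a: d.hexdigest() for a, d in h.items()}


def build_index(records: list) -> dict:
    """Map (algo, digest) -> record so a lookup costs one dict hit per file."""
    return {(algo, digest): r for r in records for algo, digest in r.hashes.items()}


def scan_directory(root: Path, index: dict) -> list:
    """Return (local_path, matching_record, algo) for every file whose digest is in the index."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        digests = hash_file(p)
        for algo in ("sha512", "sha256", "sha1", "md5"):   # report the strongest algorithm that hit
            rec = index.get((algo, digests[algo]))
            if rec is not None:
                hits.append((p, rec, algo))
                break
    return hits


def demo() -> list:
    """Constructed end-to-end run: one planted match, one benign file, in a temp directory."""
    records = parse_listing(SAMPLE_LISTING)
    # Constructed entry (not from the report): SHA-256 of the bytes b"abc", a standard test vector.
    records.append(DroppedFile(
        path=r"C:\constructed\abc.bin",
        hashes={"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}))
    index = build_index(records)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "abc.bin").write_bytes(b"abc")
        (root / "benign.txt").write_bytes(b"nothing to see here")
        return scan_directory(root, index)


if __name__ == "__main__":
    for local, rec, algo in demo():
        print(f"{local} matches {rec.path} via {algo}")
```

On a real host, point `scan_directory` at the user's `INetCache` (or, on Windows 7 as in this detonation, `Temporary Internet Files`) after parsing the full table; matching on SHA-256 or SHA-512 is the meaningful signal, while an MD5- or SHA-1-only hit should be confirmed with a stronger digest before it is treated as a positive.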