Analysis Overview
SHA256
09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e
Threat Level: Known bad
The file d51ffcf06dd50b2b76721970c389dde2.exe was found to be: Known bad.
Malicious Activity Summary
Vidar
Detect Vidar Stealer
Stealc
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Command and Scripting Interpreter: AutoIT
Enumerates physical storage devices
Runs ping.exe
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 18:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 18:33
Reported
2024-06-11 18:35
Platform
win7-20240221-en
Max time kernel
133s
Max time network
139s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\ProgramData\EHIDAKECFI.exe | N/A |
| N/A | N/A | \??\c:\st\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\ProgramData\EHIDAKECFI.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Command and Scripting Interpreter: AutoIT
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\st\Autoit3.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\st\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\st\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d51ffcf06dd50b2b76721970c389dde2.exe
"C:\Users\Admin\AppData\Local\Temp\d51ffcf06dd50b2b76721970c389dde2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Filme Filme.cmd & Filme.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 620735
C:\Windows\SysWOW64\findstr.exe
findstr /V "EvenAttributeWatershedCumshot" Professor
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Ron + Treasure + Dept 620735\d
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif
620735\Joe.pif 620735\d
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\ProgramData\EHIDAKECFI.exe
"C:\ProgramData\EHIDAKECFI.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif" & rd /s /q "C:\ProgramData\FCBFBGDBKJKE" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
\??\c:\st\Autoit3.exe
"c:\st\Autoit3.exe" c:\st\script.a3x
\??\c:\windows\SysWOW64\cmd.exe
"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\cehddef\hakbeah
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get domain
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yfIcivbsLajhLLbIUcwWdV.yfIcivbsLajhLLbIUcwWdV | udp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | tcp | |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| US | 8.8.8.8:53 | victorisport.shop | udp |
| US | 172.67.140.183:80 | victorisport.shop | tcp |
| US | 172.67.140.183:443 | victorisport.shop | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| IE | 2.18.24.9:80 | apps.identrust.com | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
| DE | 5.75.212.114:443 | 5.75.212.114 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Filme
| MD5 | 32b89cdd98765294a865d24d3ff416bf |
| SHA1 | 6b2d48789c1d3c383c9e76246046bbed55d226a3 |
| SHA256 | fb5fdc4d1276303ff4651a7177e9b1bbcbdff2438c50df99b946e87c568e84ab |
| SHA512 | 2a4af9e316711062c26e3455f5c1d45fb66683c13668067b6319c89440b4d8b59c40f4704a25b31c9c37f4223e69aeab1a2eca7783b40ab9feef6785edfb9fd1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Professor
| MD5 | 9a3ceeeba34e0ce1353bb1e45603884a |
| SHA1 | 994c2352530052684dca2706ec8707e87e78c3fa |
| SHA256 | 0b78d958972123238bb1ee439aa4ac30b1bff93071daf362bc1e171ab22f9a13 |
| SHA512 | f291ee3ba3fedd739cb5ef863fb75a7659c12765b9baa3b2861b43c879e2f5424c68ad0b5e2a9bcfe526f45f5727ac8e50b0af3d842d9d27cdfe95bad94e94b1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Barely
| MD5 | a14c7999ff4fc32e3b7f76a62e29709c |
| SHA1 | 66e47e7dfed689d11f977175de1003b0a9014001 |
| SHA256 | 7dc5dd261a1271d218148b42eee51eaa70b89e29fccfdece5cc33fcee1305e58 |
| SHA512 | 22b16f41e1b4148ee38b9e519696414296a2ebf3ead9acb3d56b1fbbb590bbc45f09e221a9996b648516cbbb8b0d859d8b32d681acef1ce9a17f671b253711f9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Periodic
| MD5 | 5baf13b9d96b426d60fe331154f4c915 |
| SHA1 | 2e6b30d41da7d15953741d7da4a3c11b5abb9eb8 |
| SHA256 | 13bd87051bf93fdf2ea085d3776a0f1981c9f45ed1fdfc6bae3487f0023f588a |
| SHA512 | bf9923fa7ed914f65cc21fa0719736dc94bb64ebd7c351918cb898d9122a3b8362d309597c92c2220bef87e1cb29cd1b51e37c9086cce4bb74263630b82092ac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Future
| MD5 | de457f7cb457e1f9d9cc08426f48d35c |
| SHA1 | 5ac37406be1d140096596b26acc95fcbcfbc6445 |
| SHA256 | 34ceb19d2286d7d9d26bbab78044f71a629bc75a25bc097805d5bb07add510bf |
| SHA512 | 79581b6fd033ae0690689083136109eb4c15843f4b597a671ad9d56ad243f63c3beeb52e11119980c8b9bbef46c477af2dfd64b09b79792b42c43ff510a2ffc0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Triangle
| MD5 | 81d946f263006eb46f2cb8b8a2173d65 |
| SHA1 | 6e77d3cefddf5ce5c63adc1c5bdbc345f582dcd8 |
| SHA256 | 4e9c4c1b63c3a2f7095a7bdbaa60667a45001d5ec64d0c888813d2b65f35fba7 |
| SHA512 | 1a291efc4780c55818d4656cfc243711a700aaeb4fa773734ea653bf57c8d6aa611d15c94f830d4fd4b7e24fa96b3810aa5ff14edeee86f00cecc92404012bf2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Unix
| MD5 | 49a19fd12501352b42a9ba87c3a2230e |
| SHA1 | 23960e63c6bed0d7867480f51754adff56e31598 |
| SHA256 | f650622c690d896bba73ebce76b4d71e0103337734eb8bbf6e32e9fea184929c |
| SHA512 | 45f013e34f75dfb8042a957b0edce907696b6b3f0aa99960c6c5628b769a361653b77bcea63540ae38365cbcb00776d343bc0749bb0da25ac12a10608126c09d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Giant
| MD5 | 48e6960e7c881d6d5c41457b7d1abcce |
| SHA1 | b0ae8dbcd5f165091c2b5b295b92d8d704064692 |
| SHA256 | 4bc581cb17ffe5b5e148f36019ae5bac5c7f8f97e6db740e1f4b95294d6a10f1 |
| SHA512 | 00202707218357e1e43c1fea798eb8555d954baec94312378f933fca3844b95ab705855ba336add935801f084f3b3b5ad6355bc046db567a942fde4255f61ba4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fri
| MD5 | 2c3df2fa120a9510e81161e271b5b8bf |
| SHA1 | be13265571f051ce0b4b7b6f0f53dfd279f6fbda |
| SHA256 | 267391ed6c73a010e7a26bafc6b285b2726b22b8f52a17d2d50551d6ca9c0b0d |
| SHA512 | 8d65d9287d64a97389cc2fd7ed955a52f953c05b9bcf15149f566de7e0075efe6f8203c5412a2cf51567ec798cd31cb68a5df778edd294d73770ed38da4571bf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Switches
| MD5 | 7386c0c41ac1bbf52dff08b41058154a |
| SHA1 | e1bc5026757358fddef544b6a5ae940c9a5db152 |
| SHA256 | 2bea5f056f09480542b7ae221801fc9d1a6872e3f032e2b7f8b8cdb91b978c28 |
| SHA512 | 5f597b3ad0658a776eeddb6e057a6652023ad2729279f74d0da91d7845db47a61cf940ee6529f5d6bbd36550ce4ad26f11298a49b93f5bd9f23b009a65ccbb4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Public
| MD5 | 8a5d414718c02e5ce2506a8cadd86f87 |
| SHA1 | d48d0190fed7c5f09605e78d6819fce0c7c33c8d |
| SHA256 | e880506f49a2868fe5aa8e8678ab36683dd2884b748452d0018e486d9825f274 |
| SHA512 | 6efabefb7c6d674adb4f48e04ffc769f85fd1f69776ccd1dafd6e8d64238173581da02caaf9e42bf48b6f63d7c2b37583752e724aac52e79eff00fdedc4d9a41 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Resumes
| MD5 | c3c150db3cd73c20a412ebd3da0671a5 |
| SHA1 | 8ff704187a9d072d3f52d4f8487024bee6085f32 |
| SHA256 | 60a10e46b7192fbe909d09768298111b02a77ea32f10c4f98934a5a37a149f52 |
| SHA512 | ad972dbb1bb2a0dcacb6574a4e6936136d6bd97c8bee590849ff3be78a294536af563fc2be5899bf613e963db90934ec3ddec962a6f671f247c8dd5e23c8532c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Appearance
| MD5 | 78b150be4d0f1b2b2065e5b7e0b24c78 |
| SHA1 | f5a40bbb78de278a3275df00d705836c66b20398 |
| SHA256 | 0e2c878fa125b22abc9eb8a68584560ec7102779928a05d3643ef09bd518f63b |
| SHA512 | e58cfd473c63ccf3c271203aa46e553f93acb9c3a25f91d01c3a7240d6195bfb6365bf886b72a930676c7e13cca53e6acd3fe0ff98b57d43f9a7d3c50b9ba2ae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sky
| MD5 | fe8ed675ad3b1c287832b698ff88ce68 |
| SHA1 | 0ffe5ac683c2acfb24c15fff721bd851c62c547e |
| SHA256 | 9e3c9261bad186dc4313dad5f7bf75bcba10fc5ef0210ca2af68cb2f4e1e06c7 |
| SHA512 | b599c7965aff9db03faf3791caa31d2e21afabc3e76cc54fbed898099232e9ddfdb99044b2ff45a89a3636146f20effad03839cd48c69a60ee04c86fb18da74e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Frequent
| MD5 | 344f8759460f7592df30385354132e8d |
| SHA1 | 222aed99d7a1064968a96c1ddbffe4d08678a9d1 |
| SHA256 | 838c929d12e9d1a835cf4b188639d4316d9f40bf9201241d695cfc3e64242a24 |
| SHA512 | d58524540408b326177893d7f28a5b768f8a0187da5899c2f7ae84ff6ef19a680dcb572bbaa521aa7202dae84eccbd617681db8df93ea036717c50f995a9113a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bros
| MD5 | 50d7b3138896b3dec2a052bab3d2a29a |
| SHA1 | 1d7dc8c41e83ebf35ee3e6eab35e7a0ee7e4d93d |
| SHA256 | ff646b437a7bee76ff369e310881a238411c6774827ffcef71e1554f5b3e76a6 |
| SHA512 | 7276fb5521655b86697aa46d1dc9a520ed38c4e335f8ba8b520e679137f85ac2981e33448426f01599af1cfe3abcf8ceec56f73124462c22748a1884c9706a31 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Directory
| MD5 | 0e71805320ce820e8a0fcf9ed10296a7 |
| SHA1 | 877dc110151acd54bb89aa89a55e0c5292e3fef1 |
| SHA256 | fe66a53c1b920f5312d0d8f2f7d37e1614d6776111f4d12e7cabe9e23c39ab5a |
| SHA512 | 633b04cb46be64ba9089966aadb2cc4f2085d89cb86674c3beb3e930b07b6e05ea0680de0c837729363468066562dd525e01a91002b7e2dbe80201d9dc0d5c66 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Very
| MD5 | 156d49c96e480544061f89a4cc92b9a0 |
| SHA1 | 5f4036d3028a81eb8c1dbb4c64e616e5db9d7cde |
| SHA256 | cff8c7cd73d289821ba6896070519f2c28bf5060caa64db55145b12630e8ee14 |
| SHA512 | 799dc1419ed48be7d26861989cf6be85cce24905819f2c8b0725715aae627f931ba6e0af8322803f5e7f1845a5b0528e74048764884e776fd8ef08c4f88ccc2f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Iraq
| MD5 | bfaf2d299bdd465ffa3a5d42e46e025b |
| SHA1 | ca781b9099eb11de7a672cc7dc0d5c48f14d3865 |
| SHA256 | 8aea50ccfbe95fe490d9021f90e9a1af30e14093363d8cf7711f3ff3c9de694b |
| SHA512 | 2a3ab6c2fec3fb64256f4820b4cb606959bf22d33cfd0439128bc1f0d2db31499164ca73de5bf8248587147c8749b13801374acd38681aa53846841eb7ed523c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wellington
| MD5 | c758d0d897a17ae1344789cbd6d2315d |
| SHA1 | e59c8d272e020ec06793c02f7161dd6f3934cf18 |
| SHA256 | 331d9c0aa037672726ef2e7e120e8bc15d0ec32293fd102733d7d23ac5dd4119 |
| SHA512 | 705ea1d1124b62866fbf0cf414883b979e06fef5632381ed34c45a5158c8c2dbecbaf2f68be5ab0a4ede19df18990478279ac70e762cfa4bdc113fd33ae81832 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Detail
| MD5 | aacce588e7ca3a293424ef3c45cda11f |
| SHA1 | ac09508c18894d937df859676b5b65d8a0af712b |
| SHA256 | 54365bb8ad9817cdbbf95154157a67626eb99ea3c88b3f5b295d66bfab692078 |
| SHA512 | 1e146feae37a9da8e167f285e5f1dfe4b43e51eb8e257b3fe025ca7aa0171c9c8f2a038428124b19574ae2eca95635153ff7ae0cb91c9dbc953fe97204f3c700 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Truly
| MD5 | e6b141ed920de3bdce0371b7e1cb0780 |
| SHA1 | 88b447c8508edf6935840efe3a0be52b2860590c |
| SHA256 | 2bcadebab748765fba52f83a8f90d380213c70cb5335208debe8b6311465ce79 |
| SHA512 | 5284c6529f064e0576e0fd01ec8b4f3e6fc60e0ba591d94129e4145e8379098d182837949a7ca7acc78706031efbd92731759a92f5f99ceb5a94a76383ef89da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Interact
| MD5 | 996cf7bf0146d63c4d415655994c6a94 |
| SHA1 | 189ebd4f58887dccc02ab5db46deec1c5dac8145 |
| SHA256 | 37da2ddaee7dc02018e16ed50acc79aabe79c4a4562a561733a6f447e2033849 |
| SHA512 | 5b9296a12cf461afd44a64d19db35cf9345df16394b2639a94294f705fac0896224d788ef077cca98634976b57824f915b933336dd234e691f084a4c2348b823 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Interest
| MD5 | 3345f2cdd61b5e9af9902ee8558e04f9 |
| SHA1 | 3aca625fbb299f9299a5e0790022e7627cbd9dad |
| SHA256 | 9735f972650ae5d350f79edc82be9c01edfc7477bc30484f2f65374760c865dd |
| SHA512 | 570f580f80bb2f2a306773c06afe2109236fd2839ba5d8307beb00fb2a1b14a53d2cc917c1f76a42df41adf9a57717312bff1f2006be2ec487926be5a78250c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Struggle
| MD5 | 205b5f07cbccaf204c27a25316166170 |
| SHA1 | 865dee186ef4b5ff63cc35e62bf5c487889ed52f |
| SHA256 | 89dfb375f6adbaeed627d94e290883eccbaa21e26045759a81a8bdf81bce12d2 |
| SHA512 | 99f27e28701ea137bd4da11411d9e0d2f31599f07a0c5b84586e6ca78ecd632218ff1048619d948dc97f808d5576834fb99ddd0701a6750e6c36e8dbc8b1b2f9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Appliance
| MD5 | f56673f815351ad31aa3f00c7245c059 |
| SHA1 | 3f48e22be046d0f0021e99adca8bcf304c04a296 |
| SHA256 | 76c57b6c3ab9498bd15594bad148dd34e9a2600da3223dd053a5921ef64e6783 |
| SHA512 | 6dd5fadc55b004020d65e4d02f4386278a1f9d0130fca6547c93648a64679d33929c4b05c3b0f2e52eecc497a737cd8dd49f4fdd8879de3e76b6312ffe27da26 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Welding
| MD5 | 96ca4691b9a93102277a1c395a21e048 |
| SHA1 | 881ee9f726112dcac4a357fc7a5390215c60b076 |
| SHA256 | c7787314c7423b0e69d1165194935a617e3adaee2b12b82134008d26c09e0cd6 |
| SHA512 | ffd3d43119d00a82ef4f2ade3f2f5d66c5ae5abce3b9a58bfed09ff8a8687119b399b65c2c8ce79c754329a7e2e328471d64281c5732354f898751a4a9dae946 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ron
| MD5 | 6b2e81e49af868704424172e697ef28d |
| SHA1 | 907d657ef08e2c5bbe323a1a3c8661f48f080216 |
| SHA256 | 2207d8c994bbd9734530a340cc7ebbb85fe907f5cfc3da49d3ef004f5b85f3af |
| SHA512 | f5775348ea81815c79ece370a2534ee17261aa82a78aca301f2d7991c4ad52349038af6a0853ddd0eadcc9e6bd1a9cc60b725414395a7d801fdc720e5ca954cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Treasure
| MD5 | 3b4b56b69acbe7d5be4688a301f8fb9b |
| SHA1 | e742fe917aceb4e644e1ed527a52a90a5db13165 |
| SHA256 | edc1e95ea7f2c3bd473063eb675f51a223aa011c12ea250aea14f40ab118bce4 |
| SHA512 | 98252fa254c4ddaf776aaa629d8e0907dd45fcfa0fb1031ed6e4d2e23658f9dc14867cebe5e6dc7392bfb41f9d1b71db484b2bbe3c151e706e55178a4e49455a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dept
| MD5 | e40b3c6634aebdc9d64c834850739f1b |
| SHA1 | 2496be6acf6c11c242a7b7356ce62c3badfa4298 |
| SHA256 | a386251d028f047e347d80b8943070315b43030144d3092272e8e02b82f41ac9 |
| SHA512 | 11c077c9ca80d6ebeb3bc07b0ffe8cc31a4999574d38380b9aac48ea483f9578f0fff6bd5645f36767e2b90584a31b17499b511c25c925dca73654fc67a5a9c8 |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\d
| MD5 | da5b07c131a945c8a60447e1639d45d1 |
| SHA1 | ebc88a1dc887e5d4dabf1cdc7618b7bd82ab749f |
| SHA256 | c671e116d75250abcea020c026b346e19a3698331482ac7094441b4688ba4746 |
| SHA512 | 310cedb1735cc901ebd378cc3325edbb7f5baf336e7a40cd02ea40a2d5624dda13b986fc00db3776adddad35e99faa58684f848d95dc708bb4eb0b6ea89fce02 |
memory/2160-656-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-657-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-658-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-660-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-659-0x0000000003FB0000-0x00000000041F8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar8492.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2160-758-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-779-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-801-0x0000000010000000-0x000000001025F000-memory.dmp
memory/2160-815-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-836-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-1014-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-1038-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-1039-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-1060-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-1061-0x0000000003FB0000-0x00000000041F8000-memory.dmp
memory/2160-1082-0x0000000003FB0000-0x00000000041F8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66b54dc8397149fcffd2de7e1cd1b8ff |
| SHA1 | b21d6f3381858a89b9e746aabd4bc0500c17c354 |
| SHA256 | a8d4c5f9e1a415c45f898c2c531aac89fe0e5b791ac0bf3e840ab3f4c9bc0a54 |
| SHA512 | e8b207ec7dc891f1d9bffbf9ef253820aac64a0c99abc8fc263ccd98ecae83d4daf4a28e8924b490865cd7e560b98e9d6014b1e47a88f8a3326d1149820af01c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79fb2fcd76b69788330cb179916c808d |
| SHA1 | fa07e6cca689a5959c78ffc5828e5c24e653cea6 |
| SHA256 | aad4b5f6d039dbf2e8699d97c52acba14f2ba9be56640615772cca7fbc18fd1d |
| SHA512 | cc68e7e033a21146a0561af0076a27bb52f8601468dd602dccd644effe62a8454503cb819d220be146d67f7889bf8f9ed1a2a542185a8f50dddcff6a0796e77c |
\ProgramData\EHIDAKECFI.exe
| MD5 | b2d33941295f236bebee0d3c389a8549 |
| SHA1 | 76bfc480242219d14cfbbb8dd7628c3c9bde7f7d |
| SHA256 | cfa0a176bad0046bd498a5a7f5140ca92734b096c541a54acd1b002f228ec47c |
| SHA512 | c7a8a877a93590876221c9bf0c21e04b78a8a8af415c1a70c776744702d3442aa9ffab2d480cc5d6f78a444d74ed3b6eac0407f6b571ddd02e63058d5386aae4 |
\st\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
\??\c:\st\script.a3x
| MD5 | 0881a690ab76a93af7220a7cc376ac37 |
| SHA1 | b145db693476afe29417c3ea1a34f46e58389086 |
| SHA256 | 660156ab9a187a7da50dab8a825ef4b4d4507ca3e0e65a390a9730803ca35835 |
| SHA512 | aee7987aa3fc96101ba391f8582e4720ae97018d8a3911559b577f6f5e0c38d320c9189070ea9ffaa822c9c7a8c5fdf7350b90173b7af6e7f451fb94290d4cbd |
C:\ProgramData\cehddef\hakbeah
| MD5 | c8bbad190eaaa9755c8dfb1573984d81 |
| SHA1 | 17ad91294403223fde66f687450545a2bad72af5 |
| SHA256 | 7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac |
| SHA512 | 05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 18:33
Reported
2024-06-11 18:35
Platform
win10v2004-20240508-en
Max time kernel
87s
Max time network
93s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d51ffcf06dd50b2b76721970c389dde2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
Reads data files stored by FTP clients
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d51ffcf06dd50b2b76721970c389dde2.exe
"C:\Users\Admin\AppData\Local\Temp\d51ffcf06dd50b2b76721970c389dde2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Filme Filme.cmd & Filme.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 620735
C:\Windows\SysWOW64\findstr.exe
findstr /V "EvenAttributeWatershedCumshot" Professor
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Ron + Treasure + Dept 620735\d
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif
620735\Joe.pif 620735\d
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif" & rd /s /q "C:\ProgramData\IJKFCFHJDBKK" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yfIcivbsLajhLLbIUcwWdV.yfIcivbsLajhLLbIUcwWdV | udp |
| DE | 5.75.212.114:443 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Filme
| MD5 | 32b89cdd98765294a865d24d3ff416bf |
| SHA1 | 6b2d48789c1d3c383c9e76246046bbed55d226a3 |
| SHA256 | fb5fdc4d1276303ff4651a7177e9b1bbcbdff2438c50df99b946e87c568e84ab |
| SHA512 | 2a4af9e316711062c26e3455f5c1d45fb66683c13668067b6319c89440b4d8b59c40f4704a25b31c9c37f4223e69aeab1a2eca7783b40ab9feef6785edfb9fd1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Professor
| MD5 | 9a3ceeeba34e0ce1353bb1e45603884a |
| SHA1 | 994c2352530052684dca2706ec8707e87e78c3fa |
| SHA256 | 0b78d958972123238bb1ee439aa4ac30b1bff93071daf362bc1e171ab22f9a13 |
| SHA512 | f291ee3ba3fedd739cb5ef863fb75a7659c12765b9baa3b2861b43c879e2f5424c68ad0b5e2a9bcfe526f45f5727ac8e50b0af3d842d9d27cdfe95bad94e94b1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Barely
| MD5 | a14c7999ff4fc32e3b7f76a62e29709c |
| SHA1 | 66e47e7dfed689d11f977175de1003b0a9014001 |
| SHA256 | 7dc5dd261a1271d218148b42eee51eaa70b89e29fccfdece5cc33fcee1305e58 |
| SHA512 | 22b16f41e1b4148ee38b9e519696414296a2ebf3ead9acb3d56b1fbbb590bbc45f09e221a9996b648516cbbb8b0d859d8b32d681acef1ce9a17f671b253711f9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Periodic
| MD5 | 5baf13b9d96b426d60fe331154f4c915 |
| SHA1 | 2e6b30d41da7d15953741d7da4a3c11b5abb9eb8 |
| SHA256 | 13bd87051bf93fdf2ea085d3776a0f1981c9f45ed1fdfc6bae3487f0023f588a |
| SHA512 | bf9923fa7ed914f65cc21fa0719736dc94bb64ebd7c351918cb898d9122a3b8362d309597c92c2220bef87e1cb29cd1b51e37c9086cce4bb74263630b82092ac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Future
| MD5 | de457f7cb457e1f9d9cc08426f48d35c |
| SHA1 | 5ac37406be1d140096596b26acc95fcbcfbc6445 |
| SHA256 | 34ceb19d2286d7d9d26bbab78044f71a629bc75a25bc097805d5bb07add510bf |
| SHA512 | 79581b6fd033ae0690689083136109eb4c15843f4b597a671ad9d56ad243f63c3beeb52e11119980c8b9bbef46c477af2dfd64b09b79792b42c43ff510a2ffc0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Triangle
| MD5 | 81d946f263006eb46f2cb8b8a2173d65 |
| SHA1 | 6e77d3cefddf5ce5c63adc1c5bdbc345f582dcd8 |
| SHA256 | 4e9c4c1b63c3a2f7095a7bdbaa60667a45001d5ec64d0c888813d2b65f35fba7 |
| SHA512 | 1a291efc4780c55818d4656cfc243711a700aaeb4fa773734ea653bf57c8d6aa611d15c94f830d4fd4b7e24fa96b3810aa5ff14edeee86f00cecc92404012bf2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Unix
| MD5 | 49a19fd12501352b42a9ba87c3a2230e |
| SHA1 | 23960e63c6bed0d7867480f51754adff56e31598 |
| SHA256 | f650622c690d896bba73ebce76b4d71e0103337734eb8bbf6e32e9fea184929c |
| SHA512 | 45f013e34f75dfb8042a957b0edce907696b6b3f0aa99960c6c5628b769a361653b77bcea63540ae38365cbcb00776d343bc0749bb0da25ac12a10608126c09d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Giant
| MD5 | 48e6960e7c881d6d5c41457b7d1abcce |
| SHA1 | b0ae8dbcd5f165091c2b5b295b92d8d704064692 |
| SHA256 | 4bc581cb17ffe5b5e148f36019ae5bac5c7f8f97e6db740e1f4b95294d6a10f1 |
| SHA512 | 00202707218357e1e43c1fea798eb8555d954baec94312378f933fca3844b95ab705855ba336add935801f084f3b3b5ad6355bc046db567a942fde4255f61ba4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fri
| MD5 | 2c3df2fa120a9510e81161e271b5b8bf |
| SHA1 | be13265571f051ce0b4b7b6f0f53dfd279f6fbda |
| SHA256 | 267391ed6c73a010e7a26bafc6b285b2726b22b8f52a17d2d50551d6ca9c0b0d |
| SHA512 | 8d65d9287d64a97389cc2fd7ed955a52f953c05b9bcf15149f566de7e0075efe6f8203c5412a2cf51567ec798cd31cb68a5df778edd294d73770ed38da4571bf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Switches
| MD5 | 7386c0c41ac1bbf52dff08b41058154a |
| SHA1 | e1bc5026757358fddef544b6a5ae940c9a5db152 |
| SHA256 | 2bea5f056f09480542b7ae221801fc9d1a6872e3f032e2b7f8b8cdb91b978c28 |
| SHA512 | 5f597b3ad0658a776eeddb6e057a6652023ad2729279f74d0da91d7845db47a61cf940ee6529f5d6bbd36550ce4ad26f11298a49b93f5bd9f23b009a65ccbb4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Public
| MD5 | 8a5d414718c02e5ce2506a8cadd86f87 |
| SHA1 | d48d0190fed7c5f09605e78d6819fce0c7c33c8d |
| SHA256 | e880506f49a2868fe5aa8e8678ab36683dd2884b748452d0018e486d9825f274 |
| SHA512 | 6efabefb7c6d674adb4f48e04ffc769f85fd1f69776ccd1dafd6e8d64238173581da02caaf9e42bf48b6f63d7c2b37583752e724aac52e79eff00fdedc4d9a41 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Resumes
| MD5 | c3c150db3cd73c20a412ebd3da0671a5 |
| SHA1 | 8ff704187a9d072d3f52d4f8487024bee6085f32 |
| SHA256 | 60a10e46b7192fbe909d09768298111b02a77ea32f10c4f98934a5a37a149f52 |
| SHA512 | ad972dbb1bb2a0dcacb6574a4e6936136d6bd97c8bee590849ff3be78a294536af563fc2be5899bf613e963db90934ec3ddec962a6f671f247c8dd5e23c8532c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Appearance
| MD5 | 78b150be4d0f1b2b2065e5b7e0b24c78 |
| SHA1 | f5a40bbb78de278a3275df00d705836c66b20398 |
| SHA256 | 0e2c878fa125b22abc9eb8a68584560ec7102779928a05d3643ef09bd518f63b |
| SHA512 | e58cfd473c63ccf3c271203aa46e553f93acb9c3a25f91d01c3a7240d6195bfb6365bf886b72a930676c7e13cca53e6acd3fe0ff98b57d43f9a7d3c50b9ba2ae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sky
| MD5 | fe8ed675ad3b1c287832b698ff88ce68 |
| SHA1 | 0ffe5ac683c2acfb24c15fff721bd851c62c547e |
| SHA256 | 9e3c9261bad186dc4313dad5f7bf75bcba10fc5ef0210ca2af68cb2f4e1e06c7 |
| SHA512 | b599c7965aff9db03faf3791caa31d2e21afabc3e76cc54fbed898099232e9ddfdb99044b2ff45a89a3636146f20effad03839cd48c69a60ee04c86fb18da74e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frequent
| MD5 | 344f8759460f7592df30385354132e8d |
| SHA1 | 222aed99d7a1064968a96c1ddbffe4d08678a9d1 |
| SHA256 | 838c929d12e9d1a835cf4b188639d4316d9f40bf9201241d695cfc3e64242a24 |
| SHA512 | d58524540408b326177893d7f28a5b768f8a0187da5899c2f7ae84ff6ef19a680dcb572bbaa521aa7202dae84eccbd617681db8df93ea036717c50f995a9113a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bros
| MD5 | 50d7b3138896b3dec2a052bab3d2a29a |
| SHA1 | 1d7dc8c41e83ebf35ee3e6eab35e7a0ee7e4d93d |
| SHA256 | ff646b437a7bee76ff369e310881a238411c6774827ffcef71e1554f5b3e76a6 |
| SHA512 | 7276fb5521655b86697aa46d1dc9a520ed38c4e335f8ba8b520e679137f85ac2981e33448426f01599af1cfe3abcf8ceec56f73124462c22748a1884c9706a31 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Directory
| MD5 | 0e71805320ce820e8a0fcf9ed10296a7 |
| SHA1 | 877dc110151acd54bb89aa89a55e0c5292e3fef1 |
| SHA256 | fe66a53c1b920f5312d0d8f2f7d37e1614d6776111f4d12e7cabe9e23c39ab5a |
| SHA512 | 633b04cb46be64ba9089966aadb2cc4f2085d89cb86674c3beb3e930b07b6e05ea0680de0c837729363468066562dd525e01a91002b7e2dbe80201d9dc0d5c66 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Very
| MD5 | 156d49c96e480544061f89a4cc92b9a0 |
| SHA1 | 5f4036d3028a81eb8c1dbb4c64e616e5db9d7cde |
| SHA256 | cff8c7cd73d289821ba6896070519f2c28bf5060caa64db55145b12630e8ee14 |
| SHA512 | 799dc1419ed48be7d26861989cf6be85cce24905819f2c8b0725715aae627f931ba6e0af8322803f5e7f1845a5b0528e74048764884e776fd8ef08c4f88ccc2f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Iraq
| MD5 | bfaf2d299bdd465ffa3a5d42e46e025b |
| SHA1 | ca781b9099eb11de7a672cc7dc0d5c48f14d3865 |
| SHA256 | 8aea50ccfbe95fe490d9021f90e9a1af30e14093363d8cf7711f3ff3c9de694b |
| SHA512 | 2a3ab6c2fec3fb64256f4820b4cb606959bf22d33cfd0439128bc1f0d2db31499164ca73de5bf8248587147c8749b13801374acd38681aa53846841eb7ed523c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wellington
| MD5 | c758d0d897a17ae1344789cbd6d2315d |
| SHA1 | e59c8d272e020ec06793c02f7161dd6f3934cf18 |
| SHA256 | 331d9c0aa037672726ef2e7e120e8bc15d0ec32293fd102733d7d23ac5dd4119 |
| SHA512 | 705ea1d1124b62866fbf0cf414883b979e06fef5632381ed34c45a5158c8c2dbecbaf2f68be5ab0a4ede19df18990478279ac70e762cfa4bdc113fd33ae81832 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Detail
| MD5 | aacce588e7ca3a293424ef3c45cda11f |
| SHA1 | ac09508c18894d937df859676b5b65d8a0af712b |
| SHA256 | 54365bb8ad9817cdbbf95154157a67626eb99ea3c88b3f5b295d66bfab692078 |
| SHA512 | 1e146feae37a9da8e167f285e5f1dfe4b43e51eb8e257b3fe025ca7aa0171c9c8f2a038428124b19574ae2eca95635153ff7ae0cb91c9dbc953fe97204f3c700 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Truly
| MD5 | e6b141ed920de3bdce0371b7e1cb0780 |
| SHA1 | 88b447c8508edf6935840efe3a0be52b2860590c |
| SHA256 | 2bcadebab748765fba52f83a8f90d380213c70cb5335208debe8b6311465ce79 |
| SHA512 | 5284c6529f064e0576e0fd01ec8b4f3e6fc60e0ba591d94129e4145e8379098d182837949a7ca7acc78706031efbd92731759a92f5f99ceb5a94a76383ef89da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Interact
| MD5 | 996cf7bf0146d63c4d415655994c6a94 |
| SHA1 | 189ebd4f58887dccc02ab5db46deec1c5dac8145 |
| SHA256 | 37da2ddaee7dc02018e16ed50acc79aabe79c4a4562a561733a6f447e2033849 |
| SHA512 | 5b9296a12cf461afd44a64d19db35cf9345df16394b2639a94294f705fac0896224d788ef077cca98634976b57824f915b933336dd234e691f084a4c2348b823 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Interest
| MD5 | 3345f2cdd61b5e9af9902ee8558e04f9 |
| SHA1 | 3aca625fbb299f9299a5e0790022e7627cbd9dad |
| SHA256 | 9735f972650ae5d350f79edc82be9c01edfc7477bc30484f2f65374760c865dd |
| SHA512 | 570f580f80bb2f2a306773c06afe2109236fd2839ba5d8307beb00fb2a1b14a53d2cc917c1f76a42df41adf9a57717312bff1f2006be2ec487926be5a78250c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Struggle
| MD5 | 205b5f07cbccaf204c27a25316166170 |
| SHA1 | 865dee186ef4b5ff63cc35e62bf5c487889ed52f |
| SHA256 | 89dfb375f6adbaeed627d94e290883eccbaa21e26045759a81a8bdf81bce12d2 |
| SHA512 | 99f27e28701ea137bd4da11411d9e0d2f31599f07a0c5b84586e6ca78ecd632218ff1048619d948dc97f808d5576834fb99ddd0701a6750e6c36e8dbc8b1b2f9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Appliance
| MD5 | f56673f815351ad31aa3f00c7245c059 |
| SHA1 | 3f48e22be046d0f0021e99adca8bcf304c04a296 |
| SHA256 | 76c57b6c3ab9498bd15594bad148dd34e9a2600da3223dd053a5921ef64e6783 |
| SHA512 | 6dd5fadc55b004020d65e4d02f4386278a1f9d0130fca6547c93648a64679d33929c4b05c3b0f2e52eecc497a737cd8dd49f4fdd8879de3e76b6312ffe27da26 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Welding
| MD5 | 96ca4691b9a93102277a1c395a21e048 |
| SHA1 | 881ee9f726112dcac4a357fc7a5390215c60b076 |
| SHA256 | c7787314c7423b0e69d1165194935a617e3adaee2b12b82134008d26c09e0cd6 |
| SHA512 | ffd3d43119d00a82ef4f2ade3f2f5d66c5ae5abce3b9a58bfed09ff8a8687119b399b65c2c8ce79c754329a7e2e328471d64281c5732354f898751a4a9dae946 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ron
| MD5 | 6b2e81e49af868704424172e697ef28d |
| SHA1 | 907d657ef08e2c5bbe323a1a3c8661f48f080216 |
| SHA256 | 2207d8c994bbd9734530a340cc7ebbb85fe907f5cfc3da49d3ef004f5b85f3af |
| SHA512 | f5775348ea81815c79ece370a2534ee17261aa82a78aca301f2d7991c4ad52349038af6a0853ddd0eadcc9e6bd1a9cc60b725414395a7d801fdc720e5ca954cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Treasure
| MD5 | 3b4b56b69acbe7d5be4688a301f8fb9b |
| SHA1 | e742fe917aceb4e644e1ed527a52a90a5db13165 |
| SHA256 | edc1e95ea7f2c3bd473063eb675f51a223aa011c12ea250aea14f40ab118bce4 |
| SHA512 | 98252fa254c4ddaf776aaa629d8e0907dd45fcfa0fb1031ed6e4d2e23658f9dc14867cebe5e6dc7392bfb41f9d1b71db484b2bbe3c151e706e55178a4e49455a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dept
| MD5 | e40b3c6634aebdc9d64c834850739f1b |
| SHA1 | 2496be6acf6c11c242a7b7356ce62c3badfa4298 |
| SHA256 | a386251d028f047e347d80b8943070315b43030144d3092272e8e02b82f41ac9 |
| SHA512 | 11c077c9ca80d6ebeb3bc07b0ffe8cc31a4999574d38380b9aac48ea483f9578f0fff6bd5645f36767e2b90584a31b17499b511c25c925dca73654fc67a5a9c8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\d
| MD5 | da5b07c131a945c8a60447e1639d45d1 |
| SHA1 | ebc88a1dc887e5d4dabf1cdc7618b7bd82ab749f |
| SHA256 | c671e116d75250abcea020c026b346e19a3698331482ac7094441b4688ba4746 |
| SHA512 | 310cedb1735cc901ebd378cc3325edbb7f5baf336e7a40cd02ea40a2d5624dda13b986fc00db3776adddad35e99faa58684f848d95dc708bb4eb0b6ea89fce02 |
memory/2296-654-0x0000000004DD0000-0x0000000005018000-memory.dmp
memory/2296-655-0x0000000004DD0000-0x0000000005018000-memory.dmp
memory/2296-656-0x0000000004DD0000-0x0000000005018000-memory.dmp
memory/2296-657-0x0000000004DD0000-0x0000000005018000-memory.dmp
memory/2296-658-0x0000000004DD0000-0x0000000005018000-memory.dmp
memory/2296-659-0x0000000004DD0000-0x0000000005018000-memory.dmp
memory/2296-660-0x0000000004DD0000-0x0000000005018000-memory.dmp