Malware Analysis Report

2024-09-11 15:21

Sample ID 240612-befhjaxbqm
Target 09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe
SHA256 09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e
Tags
stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e

Threat Level: Known bad

The file 09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Detect Vidar Stealer

Vidar

Stealc

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing potential Windows Defender anti-emulation checks

Loads dropped DLL

Executes dropped EXE

Reads data files stored by FTP clients

Checks computer location settings

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Delays execution with timeout.exe

Runs ping.exe

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:03

Reported

2024-06-12 01:05

Platform

win7-20240419-en

Max time kernel

106s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing potential Windows Defender anti-emulation checks

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2608 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2608 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2608 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2608 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2608 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif
PID 2608 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe

"C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Filme Filme.cmd & Filme.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 620735

C:\Windows\SysWOW64\findstr.exe

findstr /V "EvenAttributeWatershedCumshot" Professor

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Ron + Treasure + Dept 620735\d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif

620735\Joe.pif 620735\d

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif" & rd /s /q "C:\ProgramData\CGHCFBAAAFHJ" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 yfIcivbsLajhLLbIUcwWdV.yfIcivbsLajhLLbIUcwWdV udp
DE 5.75.212.114:443 tcp
DE 5.75.212.114:443 tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Filme

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Professor

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Barely

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Periodic

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Triangle

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Future

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Giant

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Unix

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Switches

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fri

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Public

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Appearance

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Resumes

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Frequent

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sky

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Directory

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bros

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Iraq

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Very

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Detail

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wellington

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Truly

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Interest

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Interact

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Struggle

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Appliance

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Welding

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ron

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Treasure

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dept

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:03

Reported

2024-06-12 01:05

Platform

win10v2004-20240508-en

Max time kernel

87s

Max time network

86s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing potential Windows Defender anti-emulation checks

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 4528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1424 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1424 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1424 wrote to memory of 668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1424 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1424 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif
PID 1424 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4116 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe

"C:\Users\Admin\AppData\Local\Temp\09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Filme Filme.cmd & Filme.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 620735

C:\Windows\SysWOW64\findstr.exe

findstr /V "EvenAttributeWatershedCumshot" Professor

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Ron + Treasure + Dept 620735\d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif

620735\Joe.pif 620735\d

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif" & rd /s /q "C:\ProgramData\DAAFIIJDAAAA" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 yfIcivbsLajhLLbIUcwWdV.yfIcivbsLajhLLbIUcwWdV udp
DE 5.75.212.114:443 tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Filme

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Professor

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Barely

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Periodic

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Future

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Triangle

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Unix

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Giant

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fri

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Switches

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Public
SHA1 d48d0190fed7c5f09605e78d6819fce0c7c33c8d
SHA256 e880506f49a2868fe5aa8e8678ab36683dd2884b748452d0018e486d9825f274
SHA512 6efabefb7c6d674adb4f48e04ffc769f85fd1f69776ccd1dafd6e8d64238173581da02caaf9e42bf48b6f63d7c2b37583752e724aac52e79eff00fdedc4d9a41

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Appearance

MD5 78b150be4d0f1b2b2065e5b7e0b24c78
SHA1 f5a40bbb78de278a3275df00d705836c66b20398
SHA256 0e2c878fa125b22abc9eb8a68584560ec7102779928a05d3643ef09bd518f63b
SHA512 e58cfd473c63ccf3c271203aa46e553f93acb9c3a25f91d01c3a7240d6195bfb6365bf886b72a930676c7e13cca53e6acd3fe0ff98b57d43f9a7d3c50b9ba2ae

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frequent

MD5 344f8759460f7592df30385354132e8d
SHA1 222aed99d7a1064968a96c1ddbffe4d08678a9d1
SHA256 838c929d12e9d1a835cf4b188639d4316d9f40bf9201241d695cfc3e64242a24
SHA512 d58524540408b326177893d7f28a5b768f8a0187da5899c2f7ae84ff6ef19a680dcb572bbaa521aa7202dae84eccbd617681db8df93ea036717c50f995a9113a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sky

MD5 fe8ed675ad3b1c287832b698ff88ce68
SHA1 0ffe5ac683c2acfb24c15fff721bd851c62c547e
SHA256 9e3c9261bad186dc4313dad5f7bf75bcba10fc5ef0210ca2af68cb2f4e1e06c7
SHA512 b599c7965aff9db03faf3791caa31d2e21afabc3e76cc54fbed898099232e9ddfdb99044b2ff45a89a3636146f20effad03839cd48c69a60ee04c86fb18da74e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Resumes

MD5 c3c150db3cd73c20a412ebd3da0671a5
SHA1 8ff704187a9d072d3f52d4f8487024bee6085f32
SHA256 60a10e46b7192fbe909d09768298111b02a77ea32f10c4f98934a5a37a149f52
SHA512 ad972dbb1bb2a0dcacb6574a4e6936136d6bd97c8bee590849ff3be78a294536af563fc2be5899bf613e963db90934ec3ddec962a6f671f247c8dd5e23c8532c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bros

MD5 50d7b3138896b3dec2a052bab3d2a29a
SHA1 1d7dc8c41e83ebf35ee3e6eab35e7a0ee7e4d93d
SHA256 ff646b437a7bee76ff369e310881a238411c6774827ffcef71e1554f5b3e76a6
SHA512 7276fb5521655b86697aa46d1dc9a520ed38c4e335f8ba8b520e679137f85ac2981e33448426f01599af1cfe3abcf8ceec56f73124462c22748a1884c9706a31

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Directory

MD5 0e71805320ce820e8a0fcf9ed10296a7
SHA1 877dc110151acd54bb89aa89a55e0c5292e3fef1
SHA256 fe66a53c1b920f5312d0d8f2f7d37e1614d6776111f4d12e7cabe9e23c39ab5a
SHA512 633b04cb46be64ba9089966aadb2cc4f2085d89cb86674c3beb3e930b07b6e05ea0680de0c837729363468066562dd525e01a91002b7e2dbe80201d9dc0d5c66

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Very

MD5 156d49c96e480544061f89a4cc92b9a0
SHA1 5f4036d3028a81eb8c1dbb4c64e616e5db9d7cde
SHA256 cff8c7cd73d289821ba6896070519f2c28bf5060caa64db55145b12630e8ee14
SHA512 799dc1419ed48be7d26861989cf6be85cce24905819f2c8b0725715aae627f931ba6e0af8322803f5e7f1845a5b0528e74048764884e776fd8ef08c4f88ccc2f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Iraq

MD5 bfaf2d299bdd465ffa3a5d42e46e025b
SHA1 ca781b9099eb11de7a672cc7dc0d5c48f14d3865
SHA256 8aea50ccfbe95fe490d9021f90e9a1af30e14093363d8cf7711f3ff3c9de694b
SHA512 2a3ab6c2fec3fb64256f4820b4cb606959bf22d33cfd0439128bc1f0d2db31499164ca73de5bf8248587147c8749b13801374acd38681aa53846841eb7ed523c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wellington

MD5 c758d0d897a17ae1344789cbd6d2315d
SHA1 e59c8d272e020ec06793c02f7161dd6f3934cf18
SHA256 331d9c0aa037672726ef2e7e120e8bc15d0ec32293fd102733d7d23ac5dd4119
SHA512 705ea1d1124b62866fbf0cf414883b979e06fef5632381ed34c45a5158c8c2dbecbaf2f68be5ab0a4ede19df18990478279ac70e762cfa4bdc113fd33ae81832

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Detail

MD5 aacce588e7ca3a293424ef3c45cda11f
SHA1 ac09508c18894d937df859676b5b65d8a0af712b
SHA256 54365bb8ad9817cdbbf95154157a67626eb99ea3c88b3f5b295d66bfab692078
SHA512 1e146feae37a9da8e167f285e5f1dfe4b43e51eb8e257b3fe025ca7aa0171c9c8f2a038428124b19574ae2eca95635153ff7ae0cb91c9dbc953fe97204f3c700

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Truly

MD5 e6b141ed920de3bdce0371b7e1cb0780
SHA1 88b447c8508edf6935840efe3a0be52b2860590c
SHA256 2bcadebab748765fba52f83a8f90d380213c70cb5335208debe8b6311465ce79
SHA512 5284c6529f064e0576e0fd01ec8b4f3e6fc60e0ba591d94129e4145e8379098d182837949a7ca7acc78706031efbd92731759a92f5f99ceb5a94a76383ef89da

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Interact

MD5 996cf7bf0146d63c4d415655994c6a94
SHA1 189ebd4f58887dccc02ab5db46deec1c5dac8145
SHA256 37da2ddaee7dc02018e16ed50acc79aabe79c4a4562a561733a6f447e2033849
SHA512 5b9296a12cf461afd44a64d19db35cf9345df16394b2639a94294f705fac0896224d788ef077cca98634976b57824f915b933336dd234e691f084a4c2348b823

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Interest

MD5 3345f2cdd61b5e9af9902ee8558e04f9
SHA1 3aca625fbb299f9299a5e0790022e7627cbd9dad
SHA256 9735f972650ae5d350f79edc82be9c01edfc7477bc30484f2f65374760c865dd
SHA512 570f580f80bb2f2a306773c06afe2109236fd2839ba5d8307beb00fb2a1b14a53d2cc917c1f76a42df41adf9a57717312bff1f2006be2ec487926be5a78250c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Struggle

MD5 205b5f07cbccaf204c27a25316166170
SHA1 865dee186ef4b5ff63cc35e62bf5c487889ed52f
SHA256 89dfb375f6adbaeed627d94e290883eccbaa21e26045759a81a8bdf81bce12d2
SHA512 99f27e28701ea137bd4da11411d9e0d2f31599f07a0c5b84586e6ca78ecd632218ff1048619d948dc97f808d5576834fb99ddd0701a6750e6c36e8dbc8b1b2f9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Appliance

MD5 f56673f815351ad31aa3f00c7245c059
SHA1 3f48e22be046d0f0021e99adca8bcf304c04a296
SHA256 76c57b6c3ab9498bd15594bad148dd34e9a2600da3223dd053a5921ef64e6783
SHA512 6dd5fadc55b004020d65e4d02f4386278a1f9d0130fca6547c93648a64679d33929c4b05c3b0f2e52eecc497a737cd8dd49f4fdd8879de3e76b6312ffe27da26

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Welding

MD5 96ca4691b9a93102277a1c395a21e048
SHA1 881ee9f726112dcac4a357fc7a5390215c60b076
SHA256 c7787314c7423b0e69d1165194935a617e3adaee2b12b82134008d26c09e0cd6
SHA512 ffd3d43119d00a82ef4f2ade3f2f5d66c5ae5abce3b9a58bfed09ff8a8687119b399b65c2c8ce79c754329a7e2e328471d64281c5732354f898751a4a9dae946

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ron

MD5 6b2e81e49af868704424172e697ef28d
SHA1 907d657ef08e2c5bbe323a1a3c8661f48f080216
SHA256 2207d8c994bbd9734530a340cc7ebbb85fe907f5cfc3da49d3ef004f5b85f3af
SHA512 f5775348ea81815c79ece370a2534ee17261aa82a78aca301f2d7991c4ad52349038af6a0853ddd0eadcc9e6bd1a9cc60b725414395a7d801fdc720e5ca954cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Treasure

MD5 3b4b56b69acbe7d5be4688a301f8fb9b
SHA1 e742fe917aceb4e644e1ed527a52a90a5db13165
SHA256 edc1e95ea7f2c3bd473063eb675f51a223aa011c12ea250aea14f40ab118bce4
SHA512 98252fa254c4ddaf776aaa629d8e0907dd45fcfa0fb1031ed6e4d2e23658f9dc14867cebe5e6dc7392bfb41f9d1b71db484b2bbe3c151e706e55178a4e49455a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dept

MD5 e40b3c6634aebdc9d64c834850739f1b
SHA1 2496be6acf6c11c242a7b7356ce62c3badfa4298
SHA256 a386251d028f047e347d80b8943070315b43030144d3092272e8e02b82f41ac9
SHA512 11c077c9ca80d6ebeb3bc07b0ffe8cc31a4999574d38380b9aac48ea483f9578f0fff6bd5645f36767e2b90584a31b17499b511c25c925dca73654fc67a5a9c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\d

MD5 da5b07c131a945c8a60447e1639d45d1
SHA1 ebc88a1dc887e5d4dabf1cdc7618b7bd82ab749f
SHA256 c671e116d75250abcea020c026b346e19a3698331482ac7094441b4688ba4746
SHA512 310cedb1735cc901ebd378cc3325edbb7f5baf336e7a40cd02ea40a2d5624dda13b986fc00db3776adddad35e99faa58684f848d95dc708bb4eb0b6ea89fce02

memory/4116-654-0x00000000045C0000-0x0000000004808000-memory.dmp

memory/4116-655-0x00000000045C0000-0x0000000004808000-memory.dmp

memory/4116-656-0x00000000045C0000-0x0000000004808000-memory.dmp

memory/4116-657-0x00000000045C0000-0x0000000004808000-memory.dmp

memory/4116-658-0x00000000045C0000-0x0000000004808000-memory.dmp

memory/4116-659-0x00000000045C0000-0x0000000004808000-memory.dmp

memory/4116-660-0x00000000045C0000-0x0000000004808000-memory.dmp
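The Files list above is a set of hash IOCs plus one path pattern that outlives the hashes: a .pif executable dropped into a numbered folder under INetCache, beside a run of extension-less files with dictionary-word names. The following is an added example and not part of the sandbox report. It parses the Files section in the layout used above into a per-path hash table, flags the INetCache\<digits>\*.pif pattern, and sweeps a directory tree for SHA256 matches. REPORT_FILES_EXCERPT holds three entries copied from the list above; the Stub.pif file, its contents and its report path are constructed so that the sweep has something to find, since the real dropped files are not reproduced here.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Three entries copied from the report's Files section, in its own layout.
REPORT_FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\Joe.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\620735\d

MD5 da5b07c131a945c8a60447e1639d45d1
SHA1 ebc88a1dc887e5d4dabf1cdc7618b7bd82ab749f
SHA256 c671e116d75250abcea020c026b346e19a3698331482ac7094441b4688ba4746
SHA512 310cedb1735cc901ebd378cc3325edbb7f5baf336e7a40cd02ea40a2d5624dda13b986fc00db3776adddad35e99faa58684f848d95dc708bb4eb0b6ea89fce02

memory/4116-654-0x00000000045C0000-0x0000000004808000-memory.dmp
"""

HASH_LINE_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$')
DIGEST_LEN = {'md5': 32, 'sha1': 40, 'sha256': 64, 'sha512': 128}
# A .pif inside a numbered folder under INetCache; Joe.pif above is one instance.
INETCACHE_PIF_RE = re.compile(r'\\INetCache\\\d+\\[^\\]+\.pif$', re.IGNORECASE)


def parse_report_files(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the Files section into {path: {algo: hexdigest}}. Any non-hash line starts a
    new entry, so the memory/... dump names come through as entries with no hashes."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f'{algo} digest of wrong length for {current}')
            entries[current][algo] = digest
        else:
            current = line
            entries.setdefault(current, {})
    return entries


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def suspicious_paths(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Report paths that match the INetCache\\<digits>\\*.pif drop pattern, hashes aside."""
    return [p for p in entries if INETCACHE_PIF_RE.search(p)]


def scan_directory(root: Path, entries: Dict[str, Dict[str, str]]) -> List[Tuple[Path, str]]:
    """Hash every file under root; return (local path, report path) for each SHA256 match."""
    by_sha256 = {h['sha256']: p for p, h in entries.items() if 'sha256' in h}
    hits: List[Tuple[Path, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # unreadable or vanished; keep sweeping
            if digest in by_sha256:
                hits.append((p, by_sha256[digest]))
    return hits


# Constructed stand-in for a dropped file; its hash is added to the IOC table so the
# sweep has a match to find. It is not malware and not one of the report's files.
CONSTRUCTED_PAYLOAD = b'MZ constructed stand-in for a dropped .pif, not real malware\n'


def demo_scan() -> List[Tuple[str, str]]:
    """Build a throwaway tree with one 'dropped' file and one benign file, then scan it."""
    entries = parse_report_files(REPORT_FILES_EXCERPT)
    entries[r'C:\constructed\INetCache\000000\Stub.pif'] = {
        'sha256': hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / '000000').mkdir()
        (root / '000000' / 'Stub.pif').write_bytes(CONSTRUCTED_PAYLOAD)
        (root / 'readme.txt').write_text('benign file\n')
        return [(p.name, report_path) for p, report_path in scan_directory(root, entries)]


if __name__ == '__main__':
    print(suspicious_paths(parse_report_files(REPORT_FILES_EXCERPT)))
    print(demo_scan())
```

Feed the full Files section to parse_report_files to get every hash; the length check on each digest catches a truncated copy before it silently becomes an IOC that can never match.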