vidar | hxxps://github[.]com/dezumoe/Logitech-G-Hub/releases/download/Download/latest-x86[.]zip

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/dezumoe/Logitech-G-Hub/releases/download/Download/latest-x86.zip

Score

10^/10

vidar 98488d7eaaec81be7d2ca43b1d67bdcc credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

9.9

Botnet

98488d7eaaec81be7d2ca43b1d67bdcc

https://t.me/ta904ek

https://steamcommunity.com/profiles/76561199695752269

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/5892-662-0x0000000007DE0000-0x0000000008029000-memory.dmp	family_vidar_v7
behavioral1/memory/5892-663-0x0000000007DE0000-0x0000000008029000-memory.dmp	family_vidar_v7
behavioral1/memory/5892-688-0x0000000007DE0000-0x0000000008029000-memory.dmp	family_vidar_v7
behavioral1/memory/5892-689-0x0000000007DE0000-0x0000000008029000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Shine.pif

Executes dropped EXE 1 IoCs

pid	Process
5892	Shine.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5356	tasklist.exe
5472	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shine.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5944	PING.EXE

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Shine.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5552	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5944	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
4128	msedge.exe
4128	msedge.exe
2084	identity_helper.exe
2084	identity_helper.exe
5096	msedge.exe
5096	msedge.exe
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5356	tasklist.exe
Token: SeDebugPrivilege	5472	tasklist.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
5892	Shine.pif
5892	Shine.pif
5892	Shine.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 468	4128	msedge.exe	82
PID 4128 wrote to memory of 468	4128	msedge.exe	82
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 5052	4128	msedge.exe	83
PID 4128 wrote to memory of 2728	4128	msedge.exe	84
PID 4128 wrote to memory of 2728	4128	msedge.exe	84
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85
PID 4128 wrote to memory of 624	4128	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/dezumoe/Logitech-G-Hub/releases/download/Download/latest-x86.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd480846f8,0x7ffd48084708,0x7ffd48084718
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11385212957242478150,11579563735692188356,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\Temp1_latest-x86.zip\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_latest-x86.zip\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy Room Room.cmd & Room.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5356
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5364
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5472
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 304707
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5532
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "proceedsscholarsbeingsattempted" Priorities
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Impact + Spray + Highs + Ceiling 304707\z
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5820
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\304707\Shine.pif
    304707\Shine.pif 304707\z
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\304707\Shine.pif" & rd /s /q "C:\ProgramData\JKJECBAAAFHI" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5488
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5552
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 15 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ede4601041dcbefbf3785835e77fa4d

SHA1
db60f0a258a3fd05bea77fc9daeb7f21cfa1f00c

SHA256
4c99eca0f2f13efce686a776cd3f640cb14d54d6b41618db76678360f67b2ecb

SHA512
2941b403eeea5dde9841f8b74dfa5264a0f41582379c9b3fc7b2f0e838b4cc3da7067e61405f7415f4c0a2656057291a3f9e0e39dcd46c2a09d568178f8f7217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3218a55bf9a27866a070e33049bdf980

SHA1
bfcd66b051b57e2002dfa7105c4d4edfd82a74cf

SHA256
80fad1666c6dcb579bafbd04f106dfad5cd4c4cffc2dcb0421536962c572acf1

SHA512
704c472c826ce81a2a561716e6f86d8b0704bbec80d286d358986ec680b08aa5578d72ee60c23760aeb313c0acd2844750a880ad5440b04736fcbb4f4f24e96a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
047266212462353b33f6822b91279e8c

SHA1
cc579530799ab770666a5dd5deb9812a2bd9db9a

SHA256
3c110cbf175549688e7c7de82a48a95618b52c5d7bea970bfa7989db9b4693f4

SHA512
5ee79d464c84db0ec65d23fb07e4c5d314f2aeda0531f9ded7d01bd590cec58146865d7be51ca87dd8341031bebbcd87dbc7aba307bbcbe44db2011f9890ce92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
251ac79c4ccba5ae5609c80595f23494

SHA1
b1fc7bd23c4142a25ab104c4f834c3f9f8856637

SHA256
1be040eec41bc223dd6d14829b4fd7e1c6eb36fc57c003667d69542a71de6e8a

SHA512
366f1289205cecbfb9d13501049f1575a2e81d4c0746a4c74d404c143a92dec8fc0186f08aa6a11661d5c6834c853f6ff96dbd474bf9629625eae5ccbc993837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\304707\Shine.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\304707\z

Filesize
372KB

MD5
e7b272e4804e27bf9ff64f6fb88cd7e0

SHA1
7250958cd53b5f6f4de5676c16e33311a3d4b857

SHA256
6363324addcacdb08d9134b6005a9e99e4793dd927b8c4f3d67d250853440e5d

SHA512
b67440501b4e346e89ea3e41e9aa1bf06396fb75c114b34f95269f3392bf7befe9802bf08ca7c3b2fba066216f041bcff3a60821419eac278469501a27fcf56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Albert

Filesize
20KB

MD5
079dfc5410b0a15d8a2c5a3771d4d6df

SHA1
142dea287ca569b08011a77af9f8c5453b132847

SHA256
f0d335312413f293c46796acfff3649c2cbb88f40e6d6e68fe367ed0f82922cd

SHA512
1e2e28c489b739b1027b0656c5cf0457261977b973774cf8786fa4ceaec7e5a64cb708cbb21d5285573e404d9eb8ffece80b315a537dc90b831c607c747ac5a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cambridge

Filesize
52KB

MD5
e4e4eb32d37126b0fefd144cfd0ca0cb

SHA1
de8e48aa3bb6c9662b4945b3a855c760274b9d72

SHA256
c5f686d90250df5f2e8615163a54b36056f9a6dbe8d8d73f8916f26784b1c97b

SHA512
4e51e93a9f53b83178e630344c73357f614c15921242242f113207ff7f3f96684fa7edaf301859561d92d5fb59750ece44865bc5e6b17e68aef16f9ccd0750db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ceiling

Filesize
50KB

MD5
50d3dbd0db78d2a8cc0ed58b4a4b39a6

SHA1
90162d2833882e597901331e2414b396b472bb21

SHA256
f56fc2515cb14a957ad25b69707f3614a9e48d3255191f43f0a92c8f80673765

SHA512
9637e71f39a7192a52a9bfd1ba0db0c93ccd9176b0f683135935564e5874fa28539e4e7449600442497eb2b3b05bf911dfe0f2349001dd5cd78f29b257618030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cnet

Filesize
29KB

MD5
bfc9d589bed3445f3a64c55ad61edb22

SHA1
28a1b7c62d5fdabf394a8774740529b8c237528a

SHA256
8abad5c8bf20f6d59ef831d5b6f068ab84b28e1e3cb99080500ed7e3d86752f3

SHA512
ff686ee8b01f0afbf7204648ec454f57507bdeafc5287317213d0459f1e45d558af6a59bdc28f8395174a6ebc14f0938d815ceb68a3d28e2c64819f0b0ac58c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Containers

Filesize
25KB

MD5
1d665d611f0ff7b056fa14f2964f3194

SHA1
cba5343ad045b2b6a44fff2e617aa63c232e45de

SHA256
8e79a421547ecb026103552ac6dc9981fae639ec8cf80ace0f5eb785700f3125

SHA512
d7ef6bf47946783a42d7cbdbc54b66b5279d2004c7c546b303cf68ff94323d1a3e3bcba0444418d368a0fdea170c76cc0a2d1a1487b948f59c3af1bc46d43842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cost

Filesize
37KB

MD5
9cb04b15fca51c4f9a44fff3966fed32

SHA1
1a4be360cc4f6c84d43cd870406ef63413d4d4c8

SHA256
b5ef3500532c83714548ca76cc3e596b56526fb8ec066ccbd09099a727e21659

SHA512
eae1680a0c22f3e765d123d0f22cbdf64f76b266ad840e83d652c4206e5dce1e838d99d2e265d78a9e59912211ade244b249bf1897576ac014db1137419a9161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cowboy

Filesize
40KB

MD5
02b78981c838968085bfe0de289b5215

SHA1
2f5ffb36bda5275bc4d9d0d47a542006b8b1584d

SHA256
c6d5ac7393f735ff356d1ec357090ef4041ee21e76442b8c56b72c81235d4d0a

SHA512
cdba8181407204f0a68d11ae62d0d5d08d35fb9bb8b74245c9bf84f83a5ddfd69a4fe71b1decd34349013adc5e24094e676ef0599fef0fb7363cb641d13866e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Earth

Filesize
30KB

MD5
4f3987c88027f24ae2e056b60ce0608c

SHA1
59287c9c72601e3af55d0fd9ff12688991d21c88

SHA256
826d54a4bfdaa6bf94f9aa539cef7500615aa3302269542d626bfcffaacd40e8

SHA512
9f357821e7474a72868dcf1b1e1d50219d5b1b6c2faa77c2a31e2ad244af133427a0b72720625cc936872fb4da72c191ecf1e075e169190092da8183b86783d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Echo

Filesize
38KB

MD5
81b866521f089d0754736909afe3acc1

SHA1
c5e2ac3d3c782399ea975825676c6c28d0cda4da

SHA256
d4f16caed11e8b0483e2fdff4f5a8ce4616c04329e1229f81b55c6fe3172ff92

SHA512
589e80f013a198b51444c3b7086988eaf4d347599ed82be449a18b765ec4b5045f6ce29bcaa658460746519b196ed278df51a2fd5350c3c39e169eb52fd3a392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Exceed

Filesize
17KB

MD5
8cd48b44bc6ef77ee3daa3f815292e4a

SHA1
781cf7e513f2b21f01bf63c64175c674dd0b6509

SHA256
a8b4c0b980f6ad61c96dec7980518abf53d52b7fc412369776d561b36efeff51

SHA512
fb3ce9190657af1cc35376075830d011b8c7ad3a5b1a63bd0fb14a762bc3e29a224f34d4daac66ba05ca3aaa1e5ebd42617622ea1c88b6da7dbd93b391936878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Exhibitions

Filesize
48KB

MD5
4845d3976da1b0dbfc8a7076b9b576fb

SHA1
26d8e94eecea60151426c0d2b2a2e32e6ef25225

SHA256
e43dd9cb0d3f2818af01e68f63634ee59755a9cfd4138193906216d88f10143d

SHA512
42b5e807785d66b95b850fcb4dc1aebf5884a402585334bb0636e3b143eced7d05a0c69cacf42cf57b72d2c27430e168c57e3699a6746ef28f66c845d637163d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gnu

Filesize
35KB

MD5
66749747269216de87084c7d52740112

SHA1
e92d51034059d49b087d5cbe2b0eabc7cb870017

SHA256
07e9af45d4dfdca450c1b4f022b32d05e5245f6bbe93bfdadfdd80ecc5c57c06

SHA512
e113c5380850c68f3e9ca74fe5a85a699eef85af08bd25adf780b7b9730983aafe9e0f9ad8e81815057db25e7b2942e9bd2a77fe2d1c3929a9cad29d6533e50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Highs

Filesize
77KB

MD5
febbb47302f3651238136ba7231a9233

SHA1
a31f40aee6b7b34af5a32b1915cfe9c99b59b45f

SHA256
6e73ca78a3d5a9d458291b89f4ec69aef6f04483836092dae213cf6f951f8db6

SHA512
dbc0d4274e300b822f5107a5fc1135ee6accf718db8c28abdc7ec21ed9cbd6d51a4c7d1ebe66fe8781cb52bae7153601184f9eeec9826c7e4b01d1640750f7ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hostels

Filesize
28KB

MD5
25794e1064554f83bb0c44b080622779

SHA1
c2168173df54449838625a9e2f3ea4234ea97287

SHA256
e512764af89828234d01597420478c9fb2e1d213f1f367aeda70933e15a8c375

SHA512
d7fc84cb0a1df3ec8c514bb65e1157dad7cabce6e96649213a4456dc64f9931d642bd8f9bb83e371229d0845ab3545e505ceea83a573abf9864b4d6217e3d362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Impact

Filesize
146KB

MD5
7fdd9548391e401bfbcb86c17e4c8c3b

SHA1
75091cd1eab616547c3703554a23df1ca98d1fc5

SHA256
7972ee49faae16910e0b7b318c8fb81c62f99138b6786bf2f169230db8b93912

SHA512
e344a19355cf0f9abf47a10d52cf81b8d0990189a772353b2602659f7590acb454e58a4b617f5040a4484843924c37a5f453e8be302074b6987e185f70562a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jungle

Filesize
15KB

MD5
a7eb66e52905dc186f036abc180a5046

SHA1
c1d15b635d6e750bd512de807c93847f2e0bfb13

SHA256
cf3f326aac1f32c2d53fc00958073398e3fa04ee9d1bb6a361013bc45e1e6f8b

SHA512
d0e55b6b144c02288b788661d6a4a4baa79a3e07cc529e66dee2d2c8d0b85831e33398c956b7749bceda225410ae097b0f81eff71e75c61aa2a38cfac394f633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kingdom

Filesize
13KB

MD5
3b3d4e1d4e0f8451c3902501ffe5d57a

SHA1
b21e4221fac05c9418202840fe2ac8ee2318cbec

SHA256
d9ebb830674e85027183ce2df03c62888030f4dae82c7471aadb832f22b5414f

SHA512
b79dae8b25a59a7f2ad628e17ec239c21db4c58fbfb655c2e92230f7699c41c7bbcf4135701b4e338fe15452c853b4d7f056fc5bb9be311768e668930843d3ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Min

Filesize
63KB

MD5
a770be5fc6716b098d24fb856b0aa629

SHA1
18a00d8143b2feabb267bb669cb66b8ac88a6aa2

SHA256
9e5923fe6745fc55747b94cdcd2dddb10dd8733a2dce1b85e428644793bf0380

SHA512
2eefdc9da45c12f8e81250e30467617265ea8e9f403867116c4a4bece820e074cc934cc110610f7d9754595b4a0a9ce0521107d521bb69390d0bc67c48eb6d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Moon

Filesize
15KB

MD5
a63d11c94944115efe9dcb8485a6d51d

SHA1
ad59f7e7ae4d84cb4bc9491d9cac1129598dcc64

SHA256
3541881a222a40c41a11c8215b52959fa661214f5a4a9c70bd49f834adafab71

SHA512
e9478f57acf62565c68467bc810589c13c8e8fe326726abfdd4157781390df3b3fb40145168580ecd6e12bf9e83bffa35b99cbc67a8eaf6b6ff873bdabb8c7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nick

Filesize
65KB

MD5
4e5672c282edd0e6a9a5f1cf57d332dd

SHA1
1986d3cb3f050f1aba5f4b51e1536d1aa99b4192

SHA256
b474c63f62a8e729e3527d64b84d37d560c865e03afd22d5f1c97cc9555a3060

SHA512
fbb1cd269795e83f465da1eb230eea999afec92233254cdbd1fce31cbea5f9596eb2d8664188d9447a6fb3ecf660ccd23fcf87d3a0bfe337650788f0892c71cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Normally

Filesize
66KB

MD5
596f6c72e34424040276d1ab55e0f7cf

SHA1
573d27da380ed02b269534d6638d554df57d7c3a

SHA256
a3b8e07b3be465a4258e890ecd71fb9d421768ba18c2346ff32eda3488a58df9

SHA512
65c411fb31f5ef60bc7ef02ab385d0076c1f1c98f4c29f1164a9394e2c309bab2b0dba321c89c63b27964c8984323deaa00d6e16af79781ca999119a11ec0376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nov

Filesize
47KB

MD5
88449540f6854b9763995e9010ead5f8

SHA1
062a6f1abbbaba46f4566c07fe36b0f1b4381fca

SHA256
eaa25673d8e4b9256f4ca127da71ae4c9180cd1e9f4d44d45a0d58c846f97bb3

SHA512
f789be1c5ecce00774a0f75aee3d1359a23a602f3b6930db1d3b3a377cd6eb8b62d0e4e6b44d2a893c4ea462741c7708c74cfcd95266ddf608edaa7534e2c355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Priorities

Filesize
92B

MD5
d87d9a6328a3d42c17c4133d956f517f

SHA1
b939d56760afb2315d0878f47741f96a6391dd81

SHA256
34c75ff522b8a9db076aae0e42e95ad0beb77bd6ffbfc16b6774b0d45b0b911d

SHA512
400876bd435f12dcc3f3b0ac604a0ee65bdda56ae6842a5e3070ba7b3d4928c15cf7bd933b4e1bb324f9e913886c3eeafa1e4e7e5482c208b38c5aa5788ed1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ray

Filesize
19KB

MD5
96af1b45854e9ab33fd769a79aa7cefd

SHA1
b63a6ba7840f7f62f23b0d4bbfbb90af40339282

SHA256
3a11c16b348481f39066ab3e0ec033dd477f29785eed2da0ada0bd2f3a9d03bb

SHA512
98aabc3143b4ea143e2a329daea97c1fe06386d72d2df8dc3a4e39588c4acc7cd6c86e4f1f0ac3be8c4cc0f5f3a5b5232f9526730648b52373ae0e0787d65cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Room

Filesize
23KB

MD5
b1f21c390c54c5c2a98fb55a35c63253

SHA1
fe8db69bf03544b698459337a355edea89ee83fa

SHA256
6d407c39e84b8f4edb6946fb7993d4055b781d8952200cb8e8c117f92c32e1d3

SHA512
a024afe79ab0a27f4627ccf099a4c5bcffe29d5536220a8743e7efd7001a3cbb8b7cc5c66c73a35cafc1bc360fa8aca12a0afa481a33469d2d1f036542c3bd70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rough

Filesize
34KB

MD5
c27db32d4242f01357e2db8a3dd1bb59

SHA1
03f04166ef84f72f6fa5472ae479acbfcbc101c3

SHA256
3b4ae6f80f9eba9189aaa2c7d79f5dd10a41ae91020db899b23131ea36d7a649

SHA512
3dd825e1125c5daf8aa0bd26cf15f264d7d94d7b18c4ec2a80c661526a36930b86a1d72538f5702d2f66e7ee060f63f0ea82ac8c9662d7f6cdfcb7986c185b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Screens

Filesize
42KB

MD5
c4b113a02186c7e7a70130b20ae383b7

SHA1
531635fe7ac78db49170d7aea5510ddb92542637

SHA256
eda59b06cea3af8fc01c8b51d364d89fe79e998336a4873555cee76fb4bd8d4b

SHA512
f5c171a39f1eff059eba6ab649912436de7b3eb399f022b2e13d0eab8454639a1b4216c54d20f3574473f8c8e1f640620a9a40c4f844ce19fc5a34c5510d51f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Skill

Filesize
33KB

MD5
08f23532b187a07575dd8488ff23ec96

SHA1
074a26961791eb321f3e90e07fdd72b5316ec321

SHA256
31e35c0d393f73d20ecc3680528d17d9837d4913d391cd7cc85770e815a38735

SHA512
387111dcf8fb75203d9fe942a55a977b96f837c0c9e802706eea13a1ed60b4efeddb9156a0d7bf4f8cd9c7b50555b950520b6c9434238d5e35ed804dea70508b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spray

Filesize
99KB

MD5
1fc5385349c9ebc7599dca69a2f0c65c

SHA1
5f656ad103de6068741f43d721d9cec52bcb9c43

SHA256
868510635eeef94d64f712499091e79e09bcba0ee222894057b0e8941684b0aa

SHA512
20c0a843c7cc82180d032b200152c7c10553c4b802516e025ddd8b9d1be0736ebbaddc266be20eecf77f171c996fa8eddc257ffe3c1e30166dea35d46fb204c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Technology

Filesize
31KB

MD5
7a634447eb6b81519d99fc571f44009c

SHA1
44055368e8a817ea9833100e48059140cfc42fde

SHA256
626eaa6ed33fb5244d3484d53a06323302bf83dcefe9a6d09b1d94944acebdd8

SHA512
e616e39754bc6de364ba97e41cc1807f8ababdedda154b77a421ce117b695109981284f4839b00dde2ae3e6df1205b5f22f9822292f2e4db7c6d41e39554cb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Transactions

Filesize
22KB

MD5
a0d02e32ff4e9bfadf9a34ac1fc400b7

SHA1
ad101d77e9af1cd845ab7f7086d18c863ba005d3

SHA256
d961f3d6995e518d02190164efaeeca050ecd2badbd278481fc4ac8d0121bfab

SHA512
0ef72d33e3a4f95acde7e941cf67b2116e6e82f7c061f5ef30fd0ec9cf9769507df508833b91223347723e380e69bcc01f56e59554e8f687c79c10e5a95b8df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wallpapers

Filesize
51KB

MD5
1ee31954db32328f6e5d3eb676c1fcaa

SHA1
b5b84b64993aea5c06fcd53d9e8600db57c19df6

SHA256
229b4250fdbbfc9ee38717100e68d7e8b67ec20e309bf8e5c1d94e8c2c27d27e

SHA512
56474e7a5c84f41bdf29e01f8072ef7780a1a3817680a58e1711d617b17df178097f0650af41247140a8f1691da99b9dc944e1338af0a8c4baaed78cc3f5e693

Download Submit
C:\Users\Admin\Downloads\latest-x86.zip

Filesize
930KB

MD5
5c6dd1119b69bc5b636dfbf0fb5b8dbc

SHA1
3210b9dcc0475cd1e364a0615adaac6f6a35346d

SHA256
68474c19bdd63d5d4e4a7de4cd245cdb157a09bb20d1e0494a45db2e6bd18fa3

SHA512
dcfd85eb7cc304484dad2fee72feb7332a35b80f4b172a3251b3c74bfe64973280a44294b38daf990f20efcfa7e0c39c9e0fce341f6466b15ba6db03e1087a58

Download Submit
memory/5892-660-0x0000000007DE0000-0x0000000008029000-memory.dmp

Filesize
2.3MB

Download
memory/5892-661-0x0000000007DE0000-0x0000000008029000-memory.dmp

Filesize
2.3MB

Download
memory/5892-662-0x0000000007DE0000-0x0000000008029000-memory.dmp

Filesize
2.3MB

Download
memory/5892-663-0x0000000007DE0000-0x0000000008029000-memory.dmp

Filesize
2.3MB

Download
memory/5892-688-0x0000000007DE0000-0x0000000008029000-memory.dmp

Filesize
2.3MB

Download
memory/5892-689-0x0000000007DE0000-0x0000000008029000-memory.dmp

Filesize
2.3MB

Download
memory/5892-659-0x0000000007DE0000-0x0000000008029000-memory.dmp

Filesize
2.3MB

Download