Malware Analysis Report

2024-11-30 05:31

Sample ID 240709-lvlplazfqa
Target 1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de
SHA256 1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de
Tags
lumma stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de

Threat Level: Known bad

The file 1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de was found to be: Known bad.

Malicious Activity Summary

lumma stealc vidar discovery spyware stealer

Read together, the two detonations below show the following chain. The submitted file is an unsigned 32-bit .NET loader (it uses the Framework, not Framework64, directory and its children run from SysWOW64). It enables SeDebugPrivilege, starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe with an empty command line (MSBuild does nothing useful without a project file argument) and replaces that process's image: SetThreadContext plus a burst of WriteProcessMemory calls, i.e. process hollowing, and the mapped region 0x00400000-0x00648000 is what the memory/<MSBuild PID>-... dumps capture. The hollowed MSBuild.exe drops two executables with random upper-case names into C:\ProgramData, and each of them hollows RegAsm.exe from the same directory in the same way. The injected stealers query ProcessorNameString, read browser profile data and cryptocurrency wallet files, drop nss3.dll and mozglue.dll (Mozilla NSS libraries that stealers load to decrypt Firefox saved logins) into C:\ProgramData, fetch a Steam Community profile page (SteamID64 76561199735694209, left in the IE INetCache; Vidar-family stealers use such profiles as a dead drop for the current C2 address) and then connect over HTTPS directly to 95.217.27.167 and to stationacutwo.shop. The closing cmd.exe /c timeout /t 10 & rd /s /q "C:\ProgramData\<random>" & exit removes the stealer's working directory after ten seconds; the sandbox tags it as evasion, but in this chain the delay serves self-cleanup rather than sandbox avoidance. The Lumma Stealer signature fired only in the Windows 10 run (behavioral1); Stealc and Vidar fired in both runs.

Detect Vidar Stealer

Vidar

Stealc

Lumma Stealer

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 09:51

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator detail recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 09:51

Reported

2024-07-09 09:53

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(six rule matches; the sandbox recorded no indicator, process or target detail for them)

Lumma Stealer

stealer lumma

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\HDGCGHIJKE.exe N/A
N/A N/A C:\ProgramData\IDHCGDAFBK.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(consecutive identical rows collapsed; "(xN)" is the number of WriteProcessMemory calls recorded for that parent/child pair)
PID 4376 wrote to memory of 2588 (x9) N/A C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2588 wrote to memory of 2624 (x3) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\HDGCGHIJKE.exe
PID 2624 wrote to memory of 1936 (x9) N/A C:\ProgramData\HDGCGHIJKE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2588 wrote to memory of 1340 (x3) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\IDHCGDAFBK.exe
PID 1340 wrote to memory of 3348 (x3) N/A C:\ProgramData\IDHCGDAFBK.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1340 wrote to memory of 4552 (x3) N/A C:\ProgramData\IDHCGDAFBK.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1340 wrote to memory of 2432 (x9) N/A C:\ProgramData\IDHCGDAFBK.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2588 wrote to memory of 4932 (x3) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 2892 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Reading the counts: an ordinary child launch accounts for 3 writes here (cmd.exe -> timeout.exe), so the 9-write bursts into MSBuild.exe (2588) and RegAsm.exe (1936, 2432) are a payload image being mapped into a suspended child, not CreateProcess bookkeeping. Of the three RegAsm.exe instances IDHCGDAFBK.exe started, only PID 2432 received the payload.

Processes

C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe

"C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\ProgramData\HDGCGHIJKE.exe

"C:\ProgramData\HDGCGHIJKE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\IDHCGDAFBK.exe

"C:\ProgramData\IDHCGDAFBK.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIDGDAKFHIEH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10
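The write table and the process list above together describe a two-stage hollowing chain. The following Python is an added example, not part of the sandbox report or of any tool the page mentions: it parses rows in the report's own format (the behavioral1 table is embedded, with repeated rows collapsed to "(xN)") and applies two heuristics a detection engineer would take from this run, a write count into MSBuild.exe/RegAsm.exe above what an ordinary spawn produces, and a Framework binary started with an empty command line. The PID-to-command-line mapping, the write-count baseline of 3 and the set of hollow targets are assumptions drawn from this report, not universal constants.

```python
"""Reconstruct the injection chain from a sandbox 'Suspicious use of WriteProcessMemory' table
and check the recorded command lines for the two patterns this report shows:
process hollowing into .NET Framework binaries, and delayed self-cleanup via cmd.exe."""
import re
from collections import Counter

# Paths as printed in the report (behavioral1).
LOADER  = r"C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
REGASM  = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
DROP1   = r"C:\ProgramData\HDGCGHIJKE.exe"
DROP2   = r"C:\ProgramData\IDHCGDAFBK.exe"
CMD     = r"C:\Windows\SysWOW64\cmd.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"

# The report's behavioral1 table with consecutive identical rows collapsed to "(xN)";
# the parser also accepts the raw one-row-per-call form.
SAMPLE_WRITES = "\n".join([
    f"PID 4376 wrote to memory of 2588 (x9) N/A {LOADER} {MSBUILD}",
    f"PID 2588 wrote to memory of 2624 (x3) N/A {MSBUILD} {DROP1}",
    f"PID 2624 wrote to memory of 1936 (x9) N/A {DROP1} {REGASM}",
    f"PID 2588 wrote to memory of 1340 (x3) N/A {MSBUILD} {DROP2}",
    f"PID 1340 wrote to memory of 3348 (x3) N/A {DROP2} {REGASM}",
    f"PID 1340 wrote to memory of 4552 (x3) N/A {DROP2} {REGASM}",
    f"PID 1340 wrote to memory of 2432 (x9) N/A {DROP2} {REGASM}",
    f"PID 2588 wrote to memory of 4932 (x3) N/A {MSBUILD} {CMD}",
    f"PID 4932 wrote to memory of 2892 (x3) N/A {CMD} {TIMEOUT}",
])

# Command lines from the Processes section; the PID assignment is an assumption
# taken from the write table above (the report does not print PIDs there).
SAMPLE_CMDLINES = {
    2588: f'"{MSBUILD}"',
    1936: f'"{REGASM}"',
    4932: r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIDGDAKFHIEH" & exit',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)(?: \(x(\d+)\))? \S+ (\S+) (\S+)$")
# Signed .NET Framework binaries that stealer loaders hollow; none of them does anything
# useful when started with an empty command line. Assumed set, extend as needed.
HOLLOW_TARGETS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "applaunch.exe"}
LOLBIN_NOARGS = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?('
                           + "|".join(t[:-4] for t in HOLLOW_TARGETS) + r')\.exe"?\s*$', re.I)
CLEANUP = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+(\d+)\s*&\s*rd\s+/s\s+/q\s+"([^"]*)"', re.I)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_writes(text):
    """Count WriteProcessMemory calls per (src_pid, dst_pid, src_image, dst_image), first-seen order."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            counts[(int(m[1]), int(m[2]), m[4], m[5])] += int(m[3] or 1)
    return counts

def flag_hollowing(counts, baseline=3):
    """Pairs where a process writes more than an ordinary spawn does into a hollow target.
    In this report a plain child launch (cmd.exe -> timeout.exe) accounts for exactly 3 writes,
    so anything above that into MSBuild/RegAsm is a payload image being mapped. The baseline
    is calibrated to this sandbox's logging, not a universal constant."""
    return [{"parent_pid": sp, "child_pid": dp, "parent": image_name(src),
             "child": image_name(dst), "writes": n}
            for (sp, dp, src, dst), n in counts.items()
            if image_name(dst) in HOLLOW_TARGETS and n > baseline]

def check_command_lines(cmdlines):
    """Findings keyed by PID: Framework LOLBin with no arguments, or timeout+rd self-cleanup."""
    findings = {}
    for pid, cl in cmdlines.items():
        if LOLBIN_NOARGS.match(cl):
            findings[pid] = "framework-lolbin-without-arguments"
        else:
            m = CLEANUP.search(cl)
            if m:
                findings[pid] = f"delayed-self-cleanup: rd {m[2]} after {m[1]}s"
    return findings

def chain(counts):
    """Human-readable parent -> child edges in the order the sandbox recorded them."""
    return [f"{image_name(s)}[{sp}] -> {image_name(d)}[{dp}] ({n} writes)"
            for (sp, dp, s, d), n in counts.items()]

if __name__ == "__main__":
    writes = parse_writes(SAMPLE_WRITES)
    print("\n".join(chain(writes)))
    for hit in flag_hollowing(writes):
        print(f"HOLLOWING  {hit['parent']}[{hit['parent_pid']}] -> "
              f"{hit['child']}[{hit['child_pid']}] ({hit['writes']} writes)")
    for pid, what in check_command_lines(SAMPLE_CMDLINES).items():
        print(f"CMDLINE    pid {pid}: {what}")
```

On a real EDR feed the same two heuristics map onto Sysmon event 10 (process access with PROCESS_VM_WRITE from a non-system parent into a Framework binary) and event 1 (MSBuild.exe/RegAsm.exe with an empty command line); the write-count baseline must be re-measured per telemetry source, because sandboxes and EDRs count writes differently.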

Network

Country Destination Domain Proto
(consecutive identical rows collapsed; "(xN)" gives the repeat count)
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.131.75:443 steamcommunity.com tcp
US 8.8.8.8:53 75.131.82.104.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp (x4)
US 8.8.8.8:53 167.27.217.95.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp (x14)
FI 77.105.132.27:80 77.105.132.27 tcp
FI 95.217.27.167:443 95.217.27.167 tcp
US 8.8.8.8:53 stationacutwo.shop udp
US 172.67.172.239:443 stationacutwo.shop tcp
US 8.8.8.8:53 27.132.105.77.in-addr.arpa udp
US 172.67.172.239:443 stationacutwo.shop tcp
FI 95.217.27.167:443 95.217.27.167 tcp
US 172.67.172.239:443 stationacutwo.shop tcp
US 8.8.8.8:53 239.172.67.172.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp
US 172.67.172.239:443 stationacutwo.shop tcp
FI 95.217.27.167:443 95.217.27.167 tcp
US 172.67.172.239:443 stationacutwo.shop tcp
FI 95.217.27.167:443 95.217.27.167 tcp
US 172.67.172.239:443 stationacutwo.shop tcp
FI 95.217.27.167:443 95.217.27.167 tcp
US 8.8.8.8:53 tea.arpdabl.org udp
NL 185.107.56.204:80 tea.arpdabl.org tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.226:80 survey-smiles.com tcp
US 8.8.8.8:53 204.56.107.185.in-addr.arpa udp
US 8.8.8.8:53 226.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.131.75:443 steamcommunity.com tcp
FI 95.217.27.167:443 95.217.27.167 tcp (x5)
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp (x2)
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Unique endpoints in this run: 104.82.131.75:443 steamcommunity.com (2 connections), 95.217.27.167:443 direct to IP with no hostname (32), 77.105.132.27:80 direct to IP (1), 172.67.172.239:443 stationacutwo.shop (6), 185.107.56.204:80 tea.arpdabl.org (1), 199.59.243.226:80 survey-smiles.com (1). The 8.8.8.8:53 rows are the sandbox resolver; the in-addr.arpa queries are reverse (PTR) lookups and add no indicator of their own.
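The table above mixes sandbox DNS traffic, reverse lookups and the stealer's real connections. The following Python is an added example (not part of the report or of the sandbox) that reduces a table in this format to a hunt list: resolver traffic to 8.8.8.8 is folded into a set of queried names, PTR lookups are dropped, steamcommunity.com is kept as a third-party host to hunt on rather than block, and direct-to-IP HTTPS is reported as ip:port. The sample rows are an excerpt of this run's table with consecutive repeats written as "(xN)"; the resolver and third-party sets are assumptions. stationacutwo.shop resolved to 172.67.172.239 here and to 104.21.30.130 in the Windows 11 run (both Cloudflare ranges), which is why the function returns the hostname rather than the address for named hosts.

```python
"""Turn a sandbox Network table into a deduplicated indicator list, separating resolver traffic,
reverse (PTR) lookups and well-known third-party hosts from the endpoints worth hunting."""
import re

# Rows from the report's behavioral1 Network table (excerpt); "(xN)" marks N consecutive identical rows.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.131.75:443 steamcommunity.com tcp
US 8.8.8.8:53 75.131.82.104.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp (x4)
US 8.8.8.8:53 167.27.217.95.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp (x14)
FI 77.105.132.27:80 77.105.132.27 tcp
US 8.8.8.8:53 stationacutwo.shop udp
US 172.67.172.239:443 stationacutwo.shop tcp
US 8.8.8.8:53 27.132.105.77.in-addr.arpa udp
US 172.67.172.239:443 stationacutwo.shop tcp
US 8.8.8.8:53 tea.arpdabl.org udp
NL 185.107.56.204:80 tea.arpdabl.org tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.226:80 survey-smiles.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.131.75:443 steamcommunity.com tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)(?: \(x(\d+)\))?$")
RESOLVERS = {"8.8.8.8"}                 # the sandbox's DNS server; assumed, never an indicator by itself
THIRD_PARTY = {"steamcommunity.com"}    # legitimate service used as a dead drop: hunt on it, do not block it

def parse_rows(text):
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield {"cc": m[1], "ip": m[2], "port": int(m[3]), "name": m[4],
                   "proto": m[5], "n": int(m[6] or 1)}

def classify(row):
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "ptr-lookup" if row["name"].endswith(".in-addr.arpa") else "dns-query"
    if row["name"] in THIRD_PARTY:
        return "third-party"
    if row["name"] == row["ip"]:
        return "direct-ip"          # HTTP(S) straight to an address, no hostname to pivot on
    return "unknown-host"

def summarize(text):
    """One entry per (ip, port, proto) in first-seen order with the connection count;
    DNS queries are folded into a 'queried' set and PTR lookups dropped."""
    endpoints, queried = {}, set()
    for r in parse_rows(text):
        kind = classify(r)
        if kind == "dns-query":
            queried.add(r["name"])
            continue
        if kind == "ptr-lookup":
            continue
        e = endpoints.setdefault((r["ip"], r["port"], r["proto"]),
                                 {"ip": r["ip"], "port": r["port"], "proto": r["proto"],
                                  "cc": r["cc"], "name": r["name"], "kind": kind, "hits": 0})
        e["hits"] += r["n"]
    return list(endpoints.values()), queried

def indicators(text):
    """What goes into the hunt: hostnames for unknown hosts (their addresses may be CDN-fronted
    and change between runs), ip:port for direct-to-IP back-ends."""
    out = []
    for e in summarize(text)[0]:
        if e["kind"] == "unknown-host":
            out.append(e["name"])
        elif e["kind"] == "direct-ip":
            out.append(f'{e["ip"]}:{e["port"]}')
    return out

if __name__ == "__main__":
    endpoints, queried = summarize(SAMPLE_NETWORK)
    for e in endpoints:
        print(f'{e["kind"]:13} {e["cc"]} {e["ip"]}:{e["port"]}/{e["proto"]} {e["name"]} x{e["hits"]}')
    print("queried:", sorted(queried))
    print("indicators:", indicators(SAMPLE_NETWORK))
```

The direct-to-IP entries are the ones to watch most closely: 95.217.27.167:443 carries 32 connections in each run with no SNI hostname to resolve, so a proxy or DNS block list will not see it, only a destination-IP rule will.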

Files

Memory dumps (name = process PID, dump sequence number, address range):

memory/4376-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

memory/4376-1-0x0000000000210000-0x00000000005B8000-memory.dmp

memory/4376-2-0x0000000004FF0000-0x000000000508C000-memory.dmp

memory/4376-3-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/4376-70-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/4376-4-0x0000000005090000-0x00000000051EA000-memory.dmp

memory/4376-5-0x0000000002900000-0x000000000291C000-memory.dmp

memory/4376-N-0x0000000002900000-0x0000000002915000-memory.dmp for N = 6 and every odd N from 7 to 65 (31 dumps of the same region in the loader process)

memory/2588-N-0x0000000000400000-0x0000000000648000-memory.dmp for N = 66, 68, 71, 76 (the image written into the hollowed MSBuild.exe; the same range recurs in the Windows 11 run)

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\HDGCGHIJKE.exe

MD5 5dcb471423fbb62d7c218760aee4936d
SHA1 7d72a2295639a8702ecdb77cc020b7a9eef48b04
SHA256 837340da10b33b25bca1c15db3b273bfde18110b46949e8c545f31756e7b44bd
SHA512 d8febe1cc91bbacd1b0298eb88d0d25f7789ee962f4d4717cb74ca1d1081ecab78a4062923b31386bcae141900ee99c182836e52bbb4b9f362cd8bdf687dc736

memory/1936-153-0x0000000000400000-0x000000000044F000-memory.dmp

C:\ProgramData\IDHCGDAFBK.exe

MD5 0b4cc01ce62da8ed72b98a896c11c1dd
SHA1 eb87a11df4f7a0066389094ee9ba8a4e189794ad
SHA256 6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc
SHA512 b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d

memory/1936-169-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2588-170-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2588-171-0x0000000000400000-0x0000000000648000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C5RYTORX\76561199735694209[1].htm

MD5 3663d83e2a8a6008e803cca081c7f08d
SHA1 378fc2af8721ed91ef481210328de91386b02cae
SHA256 cf679dcf825af4a9e53f841a7455465e97353add952bc8142e723574e70b5f00
SHA512 b405d96567bfe1d63043cd3e88490bcc49ad20075601db3cf654237427569c5dc91259ebc9dd9e22088adf742d0dd46cd4deec8ad0decc366f2210c9a7466290

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 1b7c0ea7d201f8667e748ab9e61a66e1
SHA1 c300e62c242ac5509cf5e65db9d0d11bb802859a
SHA256 8e31308f11e17652b3f36ae2e41f6cf30c4e324e530f78eaba08a7cf02832658
SHA512 546e4548b239cbc64ee0aacd9548aedae464d09b4b4751da27db64a50f9b257f6e0b80eb98cfc96cdb1d65e7c7ce7fd58fb30121f01f67354932b1a8054586a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 1305873efa734e66700f192fa3ba5a71
SHA1 89057c196af68b84ca883d9bad0b032f1aa02250
SHA256 db9a3ea3f1c769d9a03f663b39f11532c57eaa5a63cd9703dea1ff3c78627f80
SHA512 6bd0cf4ec9e1cb3d8b03a0edfd39ab0401ef9fb671b9cd9bc59accec55eed1833dfe1a399274da51918e99624529ad3d38c0f101bc2e1ce2d9296bb631162ccf

C:\ProgramData\DHCGIDHDAKJE\HDGCGH

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 09:51

Reported

2024-07-09 09:54

Platform

win11-20240704-en

Max time kernel

91s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(six rule matches; the sandbox recorded no indicator, process or target detail for them)

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\KFCFIEHCFI.exe N/A
N/A N/A C:\ProgramData\KKKEBKJJDG.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(consecutive identical rows collapsed; "(xN)" is the number of WriteProcessMemory calls recorded for that parent/child pair)
PID 3832 wrote to memory of 3472 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3832 wrote to memory of 2716 (x9) N/A C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2716 wrote to memory of 3336 (x3) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\KFCFIEHCFI.exe
PID 3336 wrote to memory of 1356 (x9) N/A C:\ProgramData\KFCFIEHCFI.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2716 wrote to memory of 3040 (x3) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\KKKEBKJJDG.exe
PID 3040 wrote to memory of 2392 (x3) N/A C:\ProgramData\KKKEBKJJDG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3040 wrote to memory of 3092 (x9) N/A C:\ProgramData\KKKEBKJJDG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2716 wrote to memory of 448 (x3) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 1732 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Reading the counts: in this run the loader started MSBuild.exe twice (3472, then 2716) and only the second instance received the 9-write payload mapping; likewise only the second RegAsm.exe started by KKKEBKJJDG.exe (3092) was hollowed. The 3-write pairs are ordinary child launches.

Processes

C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe

"C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\ProgramData\KFCFIEHCFI.exe

"C:\ProgramData\KFCFIEHCFI.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\KKKEBKJJDG.exe

"C:\ProgramData\KKKEBKJJDG.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IEHDBAAFIDGD" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
(consecutive identical rows collapsed; "(xN)" gives the repeat count)
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.131.75:443 steamcommunity.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.131.82.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 95.217.27.167:443 95.217.27.167 tcp (x18)
FI 77.105.132.27:80 77.105.132.27 tcp
FI 95.217.27.167:443 95.217.27.167 tcp
US 104.21.30.130:443 stationacutwo.shop tcp (x2)
FI 95.217.27.167:443 95.217.27.167 tcp
US 104.21.30.130:443 stationacutwo.shop tcp (x2)
FI 95.217.27.167:443 95.217.27.167 tcp
US 104.21.30.130:443 stationacutwo.shop tcp
FI 95.217.27.167:443 95.217.27.167 tcp (x2)
US 104.21.30.130:443 stationacutwo.shop tcp
FI 95.217.27.167:443 95.217.27.167 tcp
NL 185.107.56.204:80 tea.arpdabl.org tcp
US 199.59.243.226:80 survey-smiles.com tcp
GB 104.82.131.75:443 steamcommunity.com tcp
FI 95.217.27.167:443 95.217.27.167 tcp (x8)

Same endpoint set and connection counts as behavioral1 (95.217.27.167:443 x32, stationacutwo.shop x6, steamcommunity.com x2, the three single-connection hosts), except that stationacutwo.shop resolved to 104.21.30.130 here rather than 172.67.172.239 (both Cloudflare addresses, so the domain is the durable indicator) and the DNS query rows for stationacutwo.shop, tea.arpdabl.org and survey-smiles.com were not captured in this run.

Files

Memory dumps (name = process PID, dump sequence number, address range):

memory/3832-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

memory/3832-1-0x00000000002E0000-0x0000000000688000-memory.dmp

memory/3832-2-0x0000000005160000-0x00000000051FC000-memory.dmp

memory/3832-3-0x0000000074B20000-0x00000000752D1000-memory.dmp

memory/3832-66-0x0000000074B20000-0x00000000752D1000-memory.dmp

memory/3832-72-0x0000000074B20000-0x00000000752D1000-memory.dmp

memory/3832-4-0x0000000005200000-0x000000000535A000-memory.dmp

memory/3832-5-0x00000000050F0000-0x000000000510C000-memory.dmp

memory/3832-N-0x00000000050F0000-0x0000000005105000-memory.dmp for N = 6, every odd N from 7 to 61, 64 and 65 (31 dumps of the same region in the loader process)

memory/2716-N-0x0000000000400000-0x0000000000648000-memory.dmp for N = 67, 69, 71, 79 (the image written into the hollowed MSBuild.exe; same range as in the Windows 10 run)

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\KFCFIEHCFI.exe

MD5 5dcb471423fbb62d7c218760aee4936d
SHA1 7d72a2295639a8702ecdb77cc020b7a9eef48b04
SHA256 837340da10b33b25bca1c15db3b273bfde18110b46949e8c545f31756e7b44bd
SHA512 d8febe1cc91bbacd1b0298eb88d0d25f7789ee962f4d4717cb74ca1d1081ecab78a4062923b31386bcae141900ee99c182836e52bbb4b9f362cd8bdf687dc736

memory/1356-156-0x0000000000400000-0x000000000044F000-memory.dmp

C:\ProgramData\KKKEBKJJDG.exe

MD5 0b4cc01ce62da8ed72b98a896c11c1dd
SHA1 eb87a11df4f7a0066389094ee9ba8a4e189794ad
SHA256 6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc
SHA512 b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d

memory/2716-170-0x0000000000400000-0x0000000000648000-memory.dmp

memory/1356-173-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2716-174-0x0000000000400000-0x0000000000648000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1AJ0H6J4\76561199735694209[1].htm

MD5 8bbdb28aa0dc8ef45adf5982693f6e8c
SHA1 03791d7f3aa3b042836332e63b4352fa5118a68f
SHA256 afb75f8f59df4226d109c17b9c40b026c953d9c86916006911e8896db2b86495
SHA512 8cdcf86d301c69c5e8b731cac7493abb29ac8eda2b63294aea204f681c97ee5e23fc0f2f22cac9aeb65bc08347f3600406d3147cfb61048ea0c381029c795e28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 2e4476d23c0f28ac074f2de7ca10b209
SHA1 3134ce5e89705c6e2c4593b4da5ff2db4559345c
SHA256 18fe36d3918db86dc44641b5a6979d0411f0dc4f3a07a97fc92bd576641353c5
SHA512 0a8a770e16d93fec52beef7f8e2100b011b5534fe13ea0298fb9b2cb46781b48f5ffc2e173beb1b8f5b12454cd9a4cca8f99d9340fcbc84e96724212f674041b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 1305873efa734e66700f192fa3ba5a71
SHA1 89057c196af68b84ca883d9bad0b032f1aa02250
SHA256 db9a3ea3f1c769d9a03f663b39f11532c57eaa5a63cd9703dea1ff3c78627f80
SHA512 6bd0cf4ec9e1cb3d8b03a0edfd39ab0401ef9fb671b9cd9bc59accec55eed1833dfe1a399274da51918e99624529ad3d38c0f101bc2e1ce2d9296bb631162ccf

C:\ProgramData\HJDBFBKKJDHJ\DAAAFB

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7