lumma | 67042f0de57638c97d125bf1c9897fdfa295566761fe17c80bfe05e19461a98e

Analysis

max time kernel
29s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

282KB
MD5

80d8b1bfdaf8085595c83d95e1b50a4a
SHA1

c4a9c9765d296159c0b882ee952418f4208a8f6b
SHA256

67042f0de57638c97d125bf1c9897fdfa295566761fe17c80bfe05e19461a98e
SHA512

e124f0303de3e4bc9519ec6d9c0fbb19bacafd4bc52aeb7ae04e0c2cf3db845a9e3d8504223da7f910453b58041913b8165aa5ebdd87e73499cbcf27e897ecbe
SSDEEP

6144:KCjGhD5daDWqd+wQG5u1x5miq6gXGG07ejs0uK0HuEO:1IDH7wQkuD5GRGG0KA0uKUuEO

Score

10^/10

lumma stealc vidar default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://grassemenwji.shop/api

https://preachstrwnwjw.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

Detect Vidar Stealer 15 IoCs

stealer

resource	yara_rule
behavioral1/memory/1804-7-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-8-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-9-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-18-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-16-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-12-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-159-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-178-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-208-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-227-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-358-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-377-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-420-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/1804-439-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/560-671-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2000	GCGIDGCGIE.exe
2068	HIEHDAFHDH.exe
2456	HCFIJKKKKK.exe

Loads dropped DLL 16 IoCs

pid	Process
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 1804	1884	file.exe	31
PID 2000 set thread context of 832	2000	GCGIDGCGIE.exe	37
PID 2068 set thread context of 2740	2068	HIEHDAFHDH.exe	41
PID 2456 set thread context of 560	2456	HCFIJKKKKK.exe	44

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HIEHDAFHDH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GCGIDGCGIE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HCFIJKKKKK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1832	timeout.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
1804	RegAsm.exe
2740	RegAsm.exe
1804	RegAsm.exe
2740	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1884 wrote to memory of 1804	1884	file.exe	31
PID 1804 wrote to memory of 2000	1804	RegAsm.exe	35
PID 1804 wrote to memory of 2000	1804	RegAsm.exe	35
PID 1804 wrote to memory of 2000	1804	RegAsm.exe	35
PID 1804 wrote to memory of 2000	1804	RegAsm.exe	35
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 2000 wrote to memory of 832	2000	GCGIDGCGIE.exe	37
PID 1804 wrote to memory of 2068	1804	RegAsm.exe	38
PID 1804 wrote to memory of 2068	1804	RegAsm.exe	38
PID 1804 wrote to memory of 2068	1804	RegAsm.exe	38
PID 1804 wrote to memory of 2068	1804	RegAsm.exe	38
PID 2068 wrote to memory of 2268	2068	HIEHDAFHDH.exe	40
PID 2068 wrote to memory of 2268	2068	HIEHDAFHDH.exe	40
PID 2068 wrote to memory of 2268	2068	HIEHDAFHDH.exe	40
PID 2068 wrote to memory of 2268	2068	HIEHDAFHDH.exe	40
PID 2068 wrote to memory of 2268	2068	HIEHDAFHDH.exe	40
PID 2068 wrote to memory of 2268	2068	HIEHDAFHDH.exe	40
PID 2068 wrote to memory of 2268	2068	HIEHDAFHDH.exe	40
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 2068 wrote to memory of 2740	2068	HIEHDAFHDH.exe	41
PID 1804 wrote to memory of 2456	1804	RegAsm.exe	42
PID 1804 wrote to memory of 2456	1804	RegAsm.exe	42
PID 1804 wrote to memory of 2456	1804	RegAsm.exe	42
PID 1804 wrote to memory of 2456	1804	RegAsm.exe	42
PID 2456 wrote to memory of 560	2456	HCFIJKKKKK.exe	44
PID 2456 wrote to memory of 560	2456	HCFIJKKKKK.exe	44
PID 2456 wrote to memory of 560	2456	HCFIJKKKKK.exe	44
PID 2456 wrote to memory of 560	2456	HCFIJKKKKK.exe	44
PID 2456 wrote to memory of 560	2456	HCFIJKKKKK.exe	44

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\ProgramData\GCGIDGCGIE.exe
    "C:\ProgramData\GCGIDGCGIE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:832
- - C:\ProgramData\HIEHDAFHDH.exe
    "C:\ProgramData\HIEHDAFHDH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGDBKJDGIJE.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCAKEBFCFIJ.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:496
- - C:\ProgramData\HCFIJKKKKK.exe
    "C:\ProgramData\HCFIJKKKKK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GDBFHDHJKKJD" & exit
    3⤵
    PID:2244
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DBFBFBGDBKJJKFIEHJDB

Filesize
6KB

MD5
e4c8958742a6ad48dff70ff13da01b64

SHA1
d58958d304755c61f5670a6c244ab547ef9434c2

SHA256
ca887d2a834c8ccf229f34bc6086ad9046cfc9dee5ff761346db6f2435642004

SHA512
24e2a82131cd414966c947d1eb6b5a7c906cce6a1f002ba495cab64815ee36d9dae1b741973d35bd3af369b49f64f03565f23b8a4306b5526c2067889b4ea3aa

Download Submit
C:\ProgramData\EBAAFCAF

Filesize
92KB

MD5
6093b9b9effe107a1958b5e8775d196a

SHA1
f86ede48007734aebe75f41954ea1ef64924b05e

SHA256
a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0

SHA512
2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77

Download Submit
C:\ProgramData\IECBGIDAEHCG\GIJDAF

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\IECBGIDAEHCG\JJECFI

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\freebl3.dll

Filesize
225KB

MD5
a0abc7129e6e1c70d861561c1979a149

SHA1
9c84cde19bce0a0e1873b47aed0793f07e7222d4

SHA256
5a19ca5fe212b70b91f49d29e4c59337a6aa86158bcba6798f8ecec6d79e67b5

SHA512
e1d5f4af4db07c61c79b18d333209649aa1976cda84fdae680d6af085461436a18e4bf71f66fddfbfb969707989283a64e2d0bf2cc0e1d9e26476ceefce87837

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
13KB

MD5
e416a22acaeff6cec5aa36a72becbede

SHA1
9fefce2eafd2e79ce0f0c60e2174b0052bfd0d2f

SHA256
edc0250d8dfe5b4049a64b6171d12ad701784f4650484d35315ab5286384e79e

SHA512
8ab549504e9c7f787e4ace97bcce5eed5bd9758b8cc223eae537e5ba3dc0f22ddd84802b1c43c2e947aa0a97742793b8cd09a5563ccd21820fa00bb5c1294421

Download Submit
C:\ProgramData\softokn3.dll

Filesize
13KB

MD5
16c75e764a9b70ca06fe062d5367abba

SHA1
b69856703cc2633f6703368ada943f2ce1e1d722

SHA256
3ef27598650d34ccca435d9eb54db0a0ba7c25d6325e17665d7905dfa2423f9f

SHA512
edd7391aea11ca27b88c84046e1e88623998f638a0ab7d978aec98e36d7d773f19acbf3c55fefa9ccdaa19adb28124c80431309d21dab2deec152ca2e356aec5

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0255CEC2C51D081EFF40366512890989_A2266F534D44FEE6BC8E990C542C69B4

Filesize
471B

MD5
a3a730aee52549b673746d0dbbc59531

SHA1
deb5b7d626272c1bc7b88f3476caaf1d64534972

SHA256
94ed1105931e5f86b887032ceb8b4f61e6f275487b7fa36220fd9ec520b82493

SHA512
354b4558b2a187117635e91d8d360c752c11844757be413349e5e701b1fa10294f55ea70053d49f46401bc4e7218991bde096d6c7179070963e636e3fccd3cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
2KB

MD5
ffec8069cabce0949aaee67665624e67

SHA1
d449a98b34103a9e80740ed9d7593c8115c3dc75

SHA256
340d048d7f46e25d83d97affa98d53d773e83e070b28ed67ea3472362a0a2993

SHA512
770d7b72772940699b4fb66ededa53a02fe580c5fcc5e050e2798e8e065c7a3505886d91d3ce05172e1d5c942069297934dd3c8c52f9e3d2be8f5d0c1ab851d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
67db8c5d484fe0b60abd574b0480e4c9

SHA1
bafea8ad167114a72854bfe78095155bb7c44f89

SHA256
5d2c8933104167dece16b77357813d01c861d0c00176057ab8fe93222b51141d

SHA512
5d71a6271cfdcbef50f51c083f1665baaa59e7d927051ec96086bc68ceb2334227d620ee777237fccb3954ae1a1691f79d7f73335e7c95179591a1cdd0e9c844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
35f4645a65bbee6d2b856a052ca1dbb7

SHA1
749ebeff180ba4554820a1e96c03bf4537729e0e

SHA256
3f1d823e5a04b742f7eb127a87e99aaeba4342c7d899d4ec8f719ab9ae10c989

SHA512
74543df0b14a18766d001cf1752f416dae69ee25d16e87f49f91ed5528a418176d89a648edbc555d1fa127126cbc258fb1d9aaf652e9944cb20853c9bf9abf7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0255CEC2C51D081EFF40366512890989_A2266F534D44FEE6BC8E990C542C69B4

Filesize
490B

MD5
923b0d39de30f06c514399d33fdd73aa

SHA1
46a68da4776fc2eead58a403470584d774b82f15

SHA256
e0ab62f616536321e628f42910d2226729814b6c3bbfb4eb5f031d5597059911

SHA512
850448ae8adcc7617a266388418d4c3441a6a457176ee49e3b3d338e392e65a07d25ec6d23c677abba6211dbfe1f5f14e132b3d8766065ca21b5c106d5e37710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
482B

MD5
6510e4f4377a857433d6f0e067eb5e29

SHA1
6ee3f61c1992e97af02916c9c946c8c1196818ea

SHA256
f1dd1cea8e5c056bd61c671e3a7e35bf2bd7d4b5db3997d216f112de619ec7fb

SHA512
5d7f6ca69bfd7c567738f479a75e9177c12d02509676fb86d2211364664712562a29cc04d15ba6cd3d7282d478bd331b0b236b47f2c703f474e0e0b67ac97bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec81982126642a900bcec6d1715ba3b7

SHA1
d115af3c394e1ea4a1554611f64ed23e9b5fc874

SHA256
b31da8755724efd8b0bb39a8312f9cceea32ef2c7981af5b936b90262707d3e5

SHA512
9460ea8d31b22eb5a5c87cbf68a184ee5f6441ad1869ec4d7cc9407d949ba495f604ad0bb642fa123c6c105c19eefb5cf7712e80cb549cafbf6221e3c6868750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40fe804d1ff5d14ad47369f31798a482

SHA1
13966b34d1fc2a9df7513a938da1d7fe8925d6f4

SHA256
163be31f222c6f062d40526b370e597102dc9d51ad67e5ec9e59025cde00ab3f

SHA512
a1e4d67039b732a354a1c362d77e07d41217535f462ba2f1f32ee97fe0291f6ec8ae51ea0085cfb667d2e0e54f875f37043fab650d2ee85e0c90479fe0e18e28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
9065e58b78980fb67b224d264e021990

SHA1
b37c7db1598732a3dc377d94aeb3acf11963ac49

SHA256
223b7d7b93e993f2a1880b7558fd68509ed04a288345b203d0d990cabbc81745

SHA512
dc406bd4e61d0e01617223e44cecc8f176edb4b1c60681c18a04119c9b830487dd93b3f8c54c9a8ff308c2a823255a78363c7661a365e88f0711aa8dfe7b48e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
1481ad4b0f78e7aa949785a7fffa3ed7

SHA1
a3fbfd213175ebe8c073fa4ceaf6cdcd08a635b6

SHA256
84537568ee1a3de9ba8d6425c1cd2840748bd26eb18eb0d4d62dec5447d4a6d6

SHA512
e9fe858a13227360ab5aea930ffac407bf9b0189ff14dc308c88d95b0bfee323d8d4ec6675091eeb08db968e42648f71b0f9ede3b488ad111ea99e4d6f68d692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\76561199768374681[1].htm

Filesize
33KB

MD5
a87dd4c56da1d4a4470ada8e056405c6

SHA1
8f7bdd399a13b8084db53c27e88e2f6db54e1eb1

SHA256
8cb3d38e5999d8f1dd8a1c6508a8431a00c0ad36a53199f721e201ff82083786

SHA512
dfdc3c9691e872c237ac001a9a3ab2908bf038e55280d1979a5583cd8791e9b90a95db4517ade56ace3a524c6a8da0215944d372d11e083fc16d41ba058c36bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB34A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB36C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\GCGIDGCGIE.exe

Filesize
321KB

MD5
c54262d9605b19cd8d417ad7bc075c11

SHA1
4c99d7bf05ac22bed6007ea3db6104f2472601fd

SHA256
de3f08aad971888269c60afcf81dc61f2158ca08cd32c9f5dd400e07d1517b54

SHA512
9c3086190bcb6ac9dd1ce22e69cfaf814d4acb60140fbe9e0cb220216d068d17151cb79f8acf89567c9a7b93960479ce19ea7b86020d939f56d6fc24e4d29a3f

Download Submit
\ProgramData\HCFIJKKKKK.exe

Filesize
282KB

MD5
5dd74b81e1e9f3ab155e1603a2fa793b

SHA1
653cdaf8617c7fdec6f39db3334e858bec9a2d66

SHA256
5756eb17961a1facf1f1c972dde0185932f10f7e7a6b3e756ac785418887eb26

SHA512
9017f6797f998423e3cd88dcf1086f6e555797a9e6414ffd714dcb394cfd3f2b2fb5432c9ba38792021b5ba9e421454385f509c9363cedb7d3ac5919f66035fa

Download Submit
\ProgramData\HIEHDAFHDH.exe

Filesize
205KB

MD5
003978c8812e39ddb74bf9d5005cb028

SHA1
126f73c30469a1b7e9a04a670c35185b5df628bc

SHA256
06510b52e07e89b5781f4ee3c7b4d94ff84c03931b3d7d93224294860feaccf4

SHA512
7c0b7ec7dfe18f99cf850c80c3228f52537d5565b2950d4f0ef8cbbb7b19d1f5e2d128f3766dcede41711b4d3c5631c7f758dd61697b1e5978d596f98f54c31d

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/560-667-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/560-671-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/560-669-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/832-552-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/832-550-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/832-560-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/832-557-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/832-555-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/832-554-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/832-553-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/832-562-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/832-551-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1804-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1804-12-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-4-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-6-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-7-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-8-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-9-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-18-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-16-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-197-0x00000000205C0000-0x000000002081F000-memory.dmp

Filesize
2.4MB

Download
memory/1804-5-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-159-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-178-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-208-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-439-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-420-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-377-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-358-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1804-227-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1884-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/1884-13-0x0000000002190000-0x0000000004190000-memory.dmp

Filesize
32.0MB

Download
memory/1884-1-0x00000000009B0000-0x00000000009FA000-memory.dmp

Filesize
296KB

Download
memory/1884-15-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2000-538-0x0000000000110000-0x0000000000164000-memory.dmp

Filesize
336KB

Download
memory/2000-539-0x00000000731DE000-0x00000000731DF000-memory.dmp

Filesize
4KB

Download
memory/2068-623-0x0000000002310000-0x0000000004310000-memory.dmp

Filesize
32.0MB

Download
memory/2068-608-0x0000000000040000-0x0000000000078000-memory.dmp

Filesize
224KB

Download
memory/2456-662-0x0000000000DE0000-0x0000000000E2A000-memory.dmp

Filesize
296KB

Download
memory/2740-622-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2740-619-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2740-617-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2740-611-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2740-615-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2740-614-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2740-624-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2740-626-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download