lumma | 44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b

Analysis

max time kernel
22s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe
Size

282KB
MD5

f31d21c664ded57509d1e2e1e2c73098
SHA1

58abbe186f2324eca451d3866b63ceeb924d3391
SHA256

44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b
SHA512

5aff27d9ffb0568072f52e51679bbd9cb3c063d7bb1c3fe658c10241b633a66738d6bd7ee2111e065a1b93098bdaa1e5da6b9b8d063fe3f1ff1de7d71d32aa53
SSDEEP

6144:GsbHGb3gHx2vdWxR5TjWfEvi3v+QwzmGEO:iPvoxR5WfEveSKGEO

Score

10^/10

lumma stealc vidar default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

Detect Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/1840-4-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-10-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-7-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-27-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-28-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-44-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-45-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-61-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-62-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-86-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-87-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-94-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1840-95-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4332-267-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4332-268-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4332-283-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4332-284-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3708-286-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3708-287-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 5 IoCs

pid	Process
1916	AAFIJKKEHJ.exe
3636	KJKEHIIJJE.exe
944	IJJJKEGHJK.exe
2920	AdminKFCAFIIDHI.exe
4808	AdminDGHJEHJJDA.exe

Loads dropped DLL 4 IoCs

pid	Process
1840	RegAsm.exe
1840	RegAsm.exe
3168	RegAsm.exe
3168	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 1916 set thread context of 464	1916	AAFIJKKEHJ.exe	99
PID 3636 set thread context of 3168	3636	KJKEHIIJJE.exe	102
PID 944 set thread context of 4332	944	IJJJKEGHJK.exe	105
PID 2920 set thread context of 916	2920	AdminKFCAFIIDHI.exe	115
PID 4808 set thread context of 3708	4808	AdminDGHJEHJJDA.exe	119

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IJJJKEGHJK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAFIJKKEHJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KJKEHIIJJE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminKFCAFIIDHI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminDGHJEHJJDA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2088	timeout.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1840	RegAsm.exe
1840	RegAsm.exe
1840	RegAsm.exe
1840	RegAsm.exe
1840	RegAsm.exe
1840	RegAsm.exe
3168	RegAsm.exe
3168	RegAsm.exe
1840	RegAsm.exe
1840	RegAsm.exe
4332	RegAsm.exe
4332	RegAsm.exe
3168	RegAsm.exe
3168	RegAsm.exe
4332	RegAsm.exe
4332	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 4816 wrote to memory of 1840	4816	44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe	85
PID 1840 wrote to memory of 1916	1840	RegAsm.exe	96
PID 1840 wrote to memory of 1916	1840	RegAsm.exe	96
PID 1840 wrote to memory of 1916	1840	RegAsm.exe	96
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1916 wrote to memory of 464	1916	AAFIJKKEHJ.exe	99
PID 1840 wrote to memory of 3636	1840	RegAsm.exe	100
PID 1840 wrote to memory of 3636	1840	RegAsm.exe	100
PID 1840 wrote to memory of 3636	1840	RegAsm.exe	100
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 3636 wrote to memory of 3168	3636	KJKEHIIJJE.exe	102
PID 1840 wrote to memory of 944	1840	RegAsm.exe	103
PID 1840 wrote to memory of 944	1840	RegAsm.exe	103
PID 1840 wrote to memory of 944	1840	RegAsm.exe	103
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 944 wrote to memory of 4332	944	IJJJKEGHJK.exe	105
PID 1840 wrote to memory of 400	1840	RegAsm.exe	106
PID 1840 wrote to memory of 400	1840	RegAsm.exe	106
PID 1840 wrote to memory of 400	1840	RegAsm.exe	106
PID 400 wrote to memory of 2088	400	cmd.exe	108
PID 400 wrote to memory of 2088	400	cmd.exe	108
PID 400 wrote to memory of 2088	400	cmd.exe	108
PID 3168 wrote to memory of 1608	3168	RegAsm.exe	109
PID 3168 wrote to memory of 1608	3168	RegAsm.exe	109
PID 3168 wrote to memory of 1608	3168	RegAsm.exe	109
PID 1608 wrote to memory of 2920	1608	cmd.exe	111
PID 1608 wrote to memory of 2920	1608	cmd.exe	111
PID 1608 wrote to memory of 2920	1608	cmd.exe	111
PID 3168 wrote to memory of 3480	3168	RegAsm.exe	113
PID 3168 wrote to memory of 3480	3168	RegAsm.exe	113
PID 3168 wrote to memory of 3480	3168	RegAsm.exe	113
PID 2920 wrote to memory of 916	2920	AdminKFCAFIIDHI.exe	115
PID 2920 wrote to memory of 916	2920	AdminKFCAFIIDHI.exe	115

C:\Users\Admin\AppData\Local\Temp\44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe
"C:\Users\Admin\AppData\Local\Temp\44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\ProgramData\AAFIJKKEHJ.exe
    "C:\ProgramData\AAFIJKKEHJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:464
- - C:\ProgramData\KJKEHIIJJE.exe
    "C:\ProgramData\KJKEHIIJJE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKFCAFIIDHI.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Users\AdminKFCAFIIDHI.exe
        
        "C:\Users\AdminKFCAFIIDHI.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDGHJEHJJDA.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
      - C:\Users\AdminDGHJEHJJDA.exe
        
        "C:\Users\AdminDGHJEHJJDA.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
- - C:\ProgramData\IJJJKEGHJK.exe
    "C:\ProgramData\IJJJKEGHJK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAEGIDHDHIDG" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAFIJKKEHJ.exe

Filesize
321KB

MD5
5831ebced7b72207603126ed67601c28

SHA1
2ba46b54074675cc132b2c4eb6f310b21c7d7041

SHA256
02097348db100eb22d46dc474a1078b5ddbb56ee916cc81f24fadd0a6938ac58

SHA512
a9924ef2373851156d981bc3c5b5d533e8b510abf6c3f12e62af0c019e740f0d077efb8f7f93699d797335df33013c72fd9ead3b2253dd82f14b7b330faacb8e

Download Submit
C:\ProgramData\BFBKFHIDHIIJJKECGHCF

Filesize
11KB

MD5
daa36e80700ee830cdbd67e661cca6d9

SHA1
628b1c73f2095064cba52652252ab43a84e60eac

SHA256
ba9e62cfd6ed07f59b91d8648c91d073417d1e87f85a831584ad07f3274c69be

SHA512
4ee0794442465d1dda996e15ea6d4b5963177e67e2ad4fc93357c12305fe883c0540bc76483be5e5c08f3ed86941f4311335593f05dd2876269e78aaa6b5b106

Download Submit
C:\ProgramData\BFBKFHIDHIIJ\BFBKFH

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\BFBKFHIDHIIJ\BFBKFH

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\BFBKFHIDHIIJ\FBFIDB

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\DHCBGDHI

Filesize
114KB

MD5
3cfabadfcb05a77b204fe1a6b09a5c90

SHA1
f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d

SHA256
693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c

SHA512
d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b

Download Submit
C:\ProgramData\IJJJKEGHJK.exe

Filesize
282KB

MD5
f31d21c664ded57509d1e2e1e2c73098

SHA1
58abbe186f2324eca451d3866b63ceeb924d3391

SHA256
44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b

SHA512
5aff27d9ffb0568072f52e51679bbd9cb3c063d7bb1c3fe658c10241b633a66738d6bd7ee2111e065a1b93098bdaa1e5da6b9b8d063fe3f1ff1de7d71d32aa53

Download Submit
C:\ProgramData\JJJJEBGD

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\KJKEHIIJJE.exe

Filesize
206KB

MD5
68076ff4fb08f203da72e47f536db2d3

SHA1
c7d2df2f68fefa1b3b9ddc61809966eaa6daef49

SHA256
91f03b0ae9dcae932e3043b7cb19cf52541504e9a4510501d9cb2f1ddd6d10f4

SHA512
f400d2424839ae1ce5a362cddc759a46be3e0528d45ade309a182c202a03534acb24e90b9a02d17865c6f9a828d91d9d90927d0734ec8ffd8452a10b414ab5d6

Download Submit
C:\ProgramData\freebl3.dll

Filesize
132KB

MD5
efef10b6b8fa1646e75ecf3d9be2d7a6

SHA1
b8970fa4272062514fbb9ba5ed44add870eb0843

SHA256
6a598d863752d91ac0b74bf547af1a3995a21824c8b509ac06013e7984ee9563

SHA512
660e34dbe2f7f7dcdc58287f445d67988f86c8698c174095a266a655ed74d74b1dd941d0b1831e5c975d3a4392ad5583d7951995ef130be4dd9171e39f08ddfb

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
13KB

MD5
e416a22acaeff6cec5aa36a72becbede

SHA1
9fefce2eafd2e79ce0f0c60e2174b0052bfd0d2f

SHA256
edc0250d8dfe5b4049a64b6171d12ad701784f4650484d35315ab5286384e79e

SHA512
8ab549504e9c7f787e4ace97bcce5eed5bd9758b8cc223eae537e5ba3dc0f22ddd84802b1c43c2e947aa0a97742793b8cd09a5563ccd21820fa00bb5c1294421

Download Submit
C:\ProgramData\nss3.dll

Filesize
104KB

MD5
8bb97bf6167051a2d2403a56faac9748

SHA1
cbbc99d590c656e8d4980f986f9b116db7c99ff4

SHA256
4dbc709637ebceeb5efe2d1101bff357e09093d2590470758cfdc63114c5690b

SHA512
fd5aee609ff1b8f01edfb14a6ac6086dff68c59ae44ac0d22bc8941a0a272a4f3c6a7420bfc95ac22f43a9c07c210f679b158becde844df1df7cc30f689e22f9

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
ef96d5be97bde25484b4ead9e398f048

SHA1
43585d5aec977637219d0aa3b6afaff495ea107e

SHA256
6ae523a64f736d2653f2f62a183b4e28e3bf9f123883c21de5343899d05a8490

SHA512
f8d526c18e339b478162700113a35362a2e4ed4c17f011583d60ce3815565145ca16543ef88487aee37b06bded76a313b7ec54f0ae8f9f5ace1039affe04a109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
20c76cb66f8445aae2e06a51d36214c3

SHA1
25fa813cac96b5075e0963de5dbc8ec5fb2d9126

SHA256
5ce954bfecef5d9967d1d3b5f05879615a75ec21af03940118ae7bcda569c823

SHA512
576f59686d06b06b9f2f46d6f3d703d9941208466b9d25f8ea54ef6b7faf20740eb4bb203ea0bae75dbea24b1553352d56c463d23540131053c179d96b83ae3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
605ba5b9f6e318cf5ff7e04ca692d865

SHA1
bffb9580f2445fce2ecbbe7136df2c7a0bd4cab8

SHA256
229b386c2065cfa8333f26ec11eef5b310191e3ea3c4e2faf8e352af03bbcf85

SHA512
f9ff561285b6b2b13562e3c557edfd427380106126c3d9da23b0e9a883a517d47f2431cbd80717329921967e13a23425967252e2186d528e1452cb3bdaa75adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
6c2b7007c3201f57dd7b7f30373ad11c

SHA1
db5b21be43ecb24f3e54632d1a212edf463aefc8

SHA256
a5b1bf6dcc25ad1a079875cbe501c6e7c5e081e718b91bffb741a4340b16f9d3

SHA512
b82f3627e86406651ff28cdd599b2be56083cff515f94b41ebfb6964693dcfabcaeb4aa70a9e835776577a98af404cf969438eee87e41b32ebceedf6ffdc786f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
a9552c3d5df506badfd3902d27d9b237

SHA1
885b1d8325536b1ee7d88937af967e3c479d5ff7

SHA256
e448d9b8be3611df5ef0d2752ba6a399bba47bf847915a47b14264850d6a79af

SHA512
621c415cd780119d8d7b8f8cc97e9d71c6991d844a6c10cd2d5b7ac05900c59b2fb4d7988426a026af199e57ab41d7156fc985dc93c8ed7c230f0f922903fc65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
6b940004e602f072aea93cb76d40022d

SHA1
43974fcc5c48367682b3f160b68d24536aacc7c4

SHA256
23c346e8e7be314d5eb07ab1a07406a749c8d42caa2cb714b7512ad31c7c846f

SHA512
a91f8fe2038b154d780b04915e3128fd0c8653d819d8316503d33047b2ad0a0ed604b04adc33c9d19b17d58f840a2f909d41796fbaa2884681076788ed244139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminKFCAFIIDHI.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
memory/464-113-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/464-116-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/464-120-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/916-253-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1840-86-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-44-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-95-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-4-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-87-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-10-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-62-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-61-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-45-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-7-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-29-0x00000000225F0000-0x000000002284F000-memory.dmp

Filesize
2.4MB

Download
memory/1840-28-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-94-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1840-27-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1916-110-0x0000000000DF0000-0x0000000000E44000-memory.dmp

Filesize
336KB

Download
memory/1916-109-0x0000000071FCE000-0x0000000071FCF000-memory.dmp

Filesize
4KB

Download
memory/1916-119-0x0000000071FC0000-0x0000000072770000-memory.dmp

Filesize
7.7MB

Download
memory/1916-285-0x0000000071FC0000-0x0000000072770000-memory.dmp

Filesize
7.7MB

Download
memory/3168-137-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3168-164-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3168-139-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3636-134-0x0000000000540000-0x0000000000578000-memory.dmp

Filesize
224KB

Download
memory/3708-287-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3708-286-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4332-283-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4332-269-0x0000000022350000-0x00000000225AF000-memory.dmp

Filesize
2.4MB

Download
memory/4332-284-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4332-268-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4332-267-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4816-13-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4816-1-0x0000000000D90000-0x0000000000DDA000-memory.dmp

Filesize
296KB

Download
memory/4816-0-0x00000000750DE000-0x00000000750DF000-memory.dmp

Filesize
4KB

Download