lumma | a0add2ff01fd0b1c7a259a9b0f0bdee713a7edbbf12fa18820fc95a373254e3b

Resubmissions

21-09-2024 22:18

240921-18dcpsxbqc 10

21-09-2024 22:18

240921-179draxbph 10

21-09-2024 21:32

240921-1dpggsvflp 10

Analysis

max time kernel
21s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66eef0cc8034a_sdgdfs.exe
Size

216KB
MD5

9a29528b1463ae389bd3e03e4e686a56
SHA1

0cefb61f8615c6ed5606360db20adecdedf4c59c
SHA256

a0add2ff01fd0b1c7a259a9b0f0bdee713a7edbbf12fa18820fc95a373254e3b
SHA512

34743dd19630de9802258476e6c9aacd14b7338c9e1c22c0369e759844b3248570b272c7edbc89079fe5eb8f375c7e2680e71f88ab5b8a4c01ba4d7ef116f9ae
SSDEEP

6144:mebX1UAoZZJAttlJ7VTUEioaTwfyhv3pVdPRigEO:mejOA0ZJutHNI106hfpRhEO

Score

10^/10

lumma stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://appleboltelwk.shop/api

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral2/memory/3208-122-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3208-125-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3208-127-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3208-223-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3208-227-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3208-250-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3208-260-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3208-269-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 4 IoCs

pid	Process
2720	AdminEBGCFBGCBF.exe
2964	AdminAAFBAKECAE.exe
372	AdminCFHIIEHJKK.exe
4692	AdminKKKJEHCGCG.exe

Loads dropped DLL 4 IoCs

pid	Process
1208	RegAsm.exe
1208	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 860 set thread context of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 3488 set thread context of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 2720 set thread context of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2964 set thread context of 3208	2964	AdminAAFBAKECAE.exe	118
PID 3492 set thread context of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 2364 set thread context of 3380	2364	66eef0cc8034a_sdgdfs.exe	129
PID 372 set thread context of 1688	372	AdminCFHIIEHJKK.exe	139
PID 4692 set thread context of 1860	4692	AdminKKKJEHCGCG.exe	141

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
1468	4800	WerFault.exe	115
2664	1688	WerFault.exe	139
3876	1688	WerFault.exe	139
2540	1688	WerFault.exe	139
3336	4344	WerFault.exe	156
4196	4800	WerFault.exe	164
5092	1772	WerFault.exe	178
1532	1772	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eef0cc8034a_sdgdfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eef0cc8034a_sdgdfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eef0cc8034a_sdgdfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eef0cc8034a_sdgdfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminEBGCFBGCBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCFHIIEHJKK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminAAFBAKECAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminKKKJEHCGCG.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1936	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 860 wrote to memory of 1208	860	66eef0cc8034a_sdgdfs.exe	91
PID 1208 wrote to memory of 2392	1208	RegAsm.exe	104
PID 1208 wrote to memory of 2392	1208	RegAsm.exe	104
PID 1208 wrote to memory of 2392	1208	RegAsm.exe	104
PID 2392 wrote to memory of 2720	2392	cmd.exe	109
PID 2392 wrote to memory of 2720	2392	cmd.exe	109
PID 2392 wrote to memory of 2720	2392	cmd.exe	109
PID 1208 wrote to memory of 4792	1208	RegAsm.exe	111
PID 1208 wrote to memory of 4792	1208	RegAsm.exe	111
PID 1208 wrote to memory of 4792	1208	RegAsm.exe	111
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 3488 wrote to memory of 4136	3488	66eef0cc8034a_sdgdfs.exe	114
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 2720 wrote to memory of 4800	2720	AdminEBGCFBGCBF.exe	115
PID 4792 wrote to memory of 2964	4792	cmd.exe	116
PID 4792 wrote to memory of 2964	4792	cmd.exe	116
PID 4792 wrote to memory of 2964	4792	cmd.exe	116
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 2964 wrote to memory of 3208	2964	AdminAAFBAKECAE.exe	118
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 3492 wrote to memory of 4236	3492	66eef0cc8034a_sdgdfs.exe	126
PID 2364 wrote to memory of 3380	2364	66eef0cc8034a_sdgdfs.exe	129
PID 2364 wrote to memory of 3380	2364	66eef0cc8034a_sdgdfs.exe	129
PID 2364 wrote to memory of 3380	2364	66eef0cc8034a_sdgdfs.exe	129
PID 2364 wrote to memory of 3380	2364	66eef0cc8034a_sdgdfs.exe	129
PID 2364 wrote to memory of 3380	2364	66eef0cc8034a_sdgdfs.exe	129
PID 2364 wrote to memory of 3380	2364	66eef0cc8034a_sdgdfs.exe	129

C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe
"C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEBGCFBGCBF.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\AdminEBGCFBGCBF.exe
      "C:\Users\AdminEBGCFBGCBF.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1384
        6⤵
        Program crash
        
        PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAAFBAKECAE.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\AdminAAFBAKECAE.exe
      "C:\Users\AdminAAFBAKECAE.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3208
      - C:\ProgramData\HJDGHIJDGC.exe
        
        "C:\ProgramData\HJDGHIJDGC.exe"
        6⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1388
        8⤵
        Program crash
        
        PID:4196
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IDHDGDHJEGHI" & exit
        6⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=4272,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:3
1⤵
PID:3896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe
"C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFHIIEHJKK.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
  - - C:\Users\AdminCFHIIEHJKK.exe
      "C:\Users\AdminCFHIIEHJKK.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:372
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3352
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1344
        6⤵
        Program crash
        
        PID:3876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1372
        6⤵
        Program crash
        
        PID:2664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1412
        6⤵
        Program crash
        
        PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKKKJEHCGCG.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3492
  - - C:\Users\AdminKKKJEHCGCG.exe
      "C:\Users\AdminKKKJEHCGCG.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:220
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4800 -ip 4800
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe
"C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBAAEHDBFID.exe"
    3⤵
    PID:4100
  - - C:\Users\AdminBAAEHDBFID.exe
      "C:\Users\AdminBAAEHDBFID.exe"
      4⤵
      PID:1132
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1372
        6⤵
        Program crash
        
        PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKFIJJEGHDA.exe"
    3⤵
    PID:4368
  - - C:\Users\AdminKFIJJEGHDA.exe
      "C:\Users\AdminKFIJJEGHDA.exe"
      4⤵
      PID:4936
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:220

C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe
"C:\Users\Admin\AppData\Local\Temp\66eef0cc8034a_sdgdfs.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCGIDAAAKJJ.exe"
    3⤵
    PID:2620
  - - C:\Users\AdminCGIDAAAKJJ.exe
      "C:\Users\AdminCGIDAAAKJJ.exe"
      4⤵
      PID:4344
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1384
        6⤵
        Program crash
        
        PID:1532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1332
        6⤵
        Program crash
        
        PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDGIJDAFCFH.exe"
    3⤵
    PID:2124
  - - C:\Users\AdminDGIJDAFCFH.exe
      "C:\Users\AdminDGIJDAFCFH.exe"
      4⤵
      PID:1820
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1688 -ip 1688
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1688 -ip 1688
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1688 -ip 1688
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4344 -ip 4344
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4800 -ip 4800
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1772 -ip 1772
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1772 -ip 1772
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FBKJKEHIJECGCBFIJEGI

Filesize
11KB

MD5
5bd1fed72848797ec185dbb03725c459

SHA1
1833e9c709d57da3282a965a98f2ac3c7b957d61

SHA256
0445a0a88ecae324b2b73a573cd68582fead70200819e8ff2e40209c9202ef4c

SHA512
0397d2f421a7ca4067a10409e5129da21338ed8213ab9e73ca9f26b867a41f03680c139da6ba962a189754fe5218db14aa365bc51bada7b21237eddd45db2465

Download Submit
C:\ProgramData\HCBAKJEH

Filesize
114KB

MD5
6e389da3969c19b6dbfb95013149bbb5

SHA1
f02ff8f1f1b353e36e4f609d39815c17eba8cee3

SHA256
4928d3109995b2faee203bc67184c892e9633fc7df6ad619f5852cf680c36ed4

SHA512
af965dc6aa1c26442f883e2d916509bc7766b425768e6a482223fdd1d3a5133c3b1955ad91bd578c387cc260efee4f738095d8ed7bafb7ed953edcc948313636

Download Submit
C:\ProgramData\IDHDGDHJEGHI\FBFHDB

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\IDHDGDHJEGHI\HCFIII

Filesize
56KB

MD5
7872fbf0a1bb518682babda3d8dc7b4e

SHA1
9714d4f9f7e7c3b9a99f656b88b3a10cbd9c65e4

SHA256
a821fa964b5c5273f0e4696e98815f07113c85436cc468f41f39722e7d2767c2

SHA512
f91bb32e1675f822af53ebc91dc5764625b13bc2e365dcf795e1132525857e5d43a18b2f53b4bb70722aef7a0eafd5b3e4d1805f8567d325d34ae41c281832c0

Download Submit
C:\ProgramData\IDHDGDHJEGHI\HCGCBF

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\IDHDGDHJEGHI\HCGCBF

Filesize
5.0MB

MD5
5e85df8ce7f472220deb45090179b5ca

SHA1
ea98605242ca81d51eb887776858b36c5aafa43f

SHA256
0c57d343a8ba1d51f4f54eccfb49fadb783da48574c9642b214ffdf491c802ec

SHA512
c8f7d81db2709881c0cc837283ee829e27e0a0694f51448ca6608dbdaba607851d2d43f503f86ffd8312cbaff97a164c29bd82f36f04252d405d8bb2814dbb8a

Download Submit
C:\ProgramData\IDHDGDHJEGHI\IEHCBA

Filesize
20KB

MD5
174ad75a545accf0ed9d1bac9c578045

SHA1
0b7b7acc38a225effd132fa3bee0b481a22ecb92

SHA256
1544fad3c9a3ecc24cc3d7fac9c75943ef4f7e77ba1c8681e603cc5af88a8e0f

SHA512
6eda7207b7cb768ab59302d339f38951f7f0c4ffad912f6ceec5b139e1f1ab62ba80f4af44706afb560e7012c5d9c53ed04f1bf0a87afcc4d707aa5382d7abb9

Download Submit
C:\ProgramData\IDHDGDHJEGHI\JKEGDH

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\JKJDBAAA

Filesize
232KB

MD5
18794764b74e3048abfb8717dc0ce75c

SHA1
79cc17e975558be9b45d21afdcc4d2c8772de2b9

SHA256
12ec26aaca005f1596ac188d24927da466545bb4c969847afad374d592863f3e

SHA512
b6f5ad8d136a1a34f0d3a03e31fad95dbd0fa88431285b9f6696dc00e85094444297b88f10f7e7351fef7ccd3bba02ec329709f416f15d98558bb95e9c45eaff

Download Submit
C:\ProgramData\KFCFIEHCFIEC\BGIIEG

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\freebl3.dll

Filesize
3KB

MD5
187516752eda5b951a9ba84a1dfe1926

SHA1
eff245bf33126dd9f6c8ebe9e7f6eb4abbb80954

SHA256
835fff5903d3f44f2610e31d8519fa66320d4dbf58a665458446577498d105e7

SHA512
cecb340dd549a473aa4f8706dda64c1bd3606b8164218ad591b75af576a7c8fa9f0a770b0639af67b4288a0785c41233dd2d0a1a9ffd0f24f50c8b17fcd5bfec

Download Submit
C:\ProgramData\freebl3.dll

Filesize
134KB

MD5
5aa844f5a779cd06b6d06f62255b268b

SHA1
e14de34dd71c3502cacc8d340e059d97f5a02234

SHA256
34173e15e5220b6da6fe2741de798cc85e75bf285b4a21de5aed949cb848908c

SHA512
ecea108666407202a35933b81c7c1a7e4b1715030ce37ca7658173fa93a0085097815953d86a2d29196e62cdd76dd6c05d2986ed826824b800756fa9ec6a9a98

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
323KB

MD5
d8a9d436bc525ebf00053a03d48679fe

SHA1
2598b7b1b053f94935d0d7962400aaa9f016426a

SHA256
0aa8646a65a25becd9ae2ab5c8902cb3b666bb2133b29080fda2c8498880ee8d

SHA512
1ed3f41916a38efa4ca6a5d48052d9fa04c4272614ee0d1168ad482b6a96e3f90a74a8894445e6d7fc4060e25f2a8ee8c6420b130b5b3c9f3968e55c3c617994

Download Submit
C:\ProgramData\mozglue.dll

Filesize
291KB

MD5
9886cb6b89df826edd56e74aea289b88

SHA1
c43a7392fd300849d1b99d093b8a14ad6ed7339f

SHA256
8410c8d578c04f41c88ec122328eb261271e1c416f4af22afb52c31bcda4e60f

SHA512
6bd32be3536b0648e340ce02c489d14f10250a03828b6a813506daf0693b2c3e9228fca2eb67c24f585180b3a8a9cf9bc7df7024cb82910ba8f13707ffc6a502

Download Submit
C:\ProgramData\mozglue.dll

Filesize
185KB

MD5
f2babd30691ba249a37e74715aeae3cb

SHA1
d917fcebe843d6cc188ec5b2c4f29268d9b0af20

SHA256
1fddebce809f2327c7d79f52fed4d2884b0bec38c3e3469c474de21f7d94668e

SHA512
0a8bc2acb97add4ddc3be0244b2a3de8eaab41bf21bfe9ffb607f30fb90cbf3ba544a4135ecfe41e2da574d58a16e710bb0433ee737a8e2161d2d636b22d87bb

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
150KB

MD5
cf252101f4591f302071cee43ad7fe4f

SHA1
e7cfff62ae71dff4e3ca7a8d639175aed9d9b3e1

SHA256
1cacaec630c05abc70f81faa7c01f7ff90c2a3ba68e7b177619b2dd14de8c3a7

SHA512
dd597b2c1da26e4d87f9593dc9c55c3b892c35a5326a58c9bb0f194aa3e036c74f59245bd04aa7f2b5b50fac8968eb944835999f4122014e97d938211c0861f3

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
206KB

MD5
f4f268769c6f99a60a49831f4a99b4db

SHA1
4381e8d1e5aec2ef1ae38c605c64e8ca1281655e

SHA256
7b4e0e06137744224c010dabecb5567372118abc189c181cfbaf58b90279073f

SHA512
44ddf98560983490c0f0397a86ffb31b6ab9a5eed9aa16fe8b909b5cba307d493e247b598459064d9232a208052612ceae289776756ec400da486885eb6f273e

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
13KB

MD5
e416a22acaeff6cec5aa36a72becbede

SHA1
9fefce2eafd2e79ce0f0c60e2174b0052bfd0d2f

SHA256
edc0250d8dfe5b4049a64b6171d12ad701784f4650484d35315ab5286384e79e

SHA512
8ab549504e9c7f787e4ace97bcce5eed5bd9758b8cc223eae537e5ba3dc0f22ddd84802b1c43c2e947aa0a97742793b8cd09a5563ccd21820fa00bb5c1294421

Download Submit
C:\ProgramData\nss3.dll

Filesize
226KB

MD5
2b62bb942c312af4626169420780f5a7

SHA1
12994e7698aab596f3299ede740b6de6314b5430

SHA256
37403155bfe0becd1c8e39a8ab3795d2ee5ff70eefdf6c0f7d5d35b401a5adf0

SHA512
fcfc4bbd60e524497b5d4e67dcae13766ede9f5c12c8546dfdfd22d5697bc6d58e8425e3a14827588418e04a02c81c6de381f806c2e6d9dab59fe9e07bd8f073

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
124KB

MD5
cf43e4b9f7571393e77452852a336f20

SHA1
aa9244d825c7ddb0cf43b0d902d05d8365f65e8e

SHA256
811e05245ce079ddf0efd89b1fffff898350c331a6695a5f775f9ea7e43939ce

SHA512
e0040afa3502a205cb21be0b2c63b85ee82edeb231c6b01620fdf07af641d7b9f82c444d87fa93c6698c3aa1322a50f4003786b67c5758b6233a9ac16e32b2f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
149KB

MD5
6ef2c7b8518e66e57434d53e5df3adde

SHA1
746158a2371be763791e028527fec52074c8f626

SHA256
db7a8194c648bdd4e8310ebfe9d470b0d8434418eec561272114f36eb2819f6b

SHA512
729d8faff14c61722cf5a64c648e78ab99b92ca6e6624a8dcc2ed24db8d0dcd328cbd36dc6c89d1f216365080af577b1f39e0a240025ef7ed94176db44db6be8

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
13KB

MD5
16c75e764a9b70ca06fe062d5367abba

SHA1
b69856703cc2633f6703368ada943f2ce1e1d722

SHA256
3ef27598650d34ccca435d9eb54db0a0ba7c25d6325e17665d7905dfa2423f9f

SHA512
edd7391aea11ca27b88c84046e1e88623998f638a0ab7d978aec98e36d7d773f19acbf3c55fefa9ccdaa19adb28124c80431309d21dab2deec152ca2e356aec5

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
6KB

MD5
b263c0c3715e29ac7789026b78ca367a

SHA1
b3453824c28c960328c17ee1d8136d42884a85f9

SHA256
4d82d40b6a8daf9ee61c785522444abce7b333189f534acb206f365ca297dbaf

SHA512
f9b0a9ce722abf8c29083b0d301ff3e61613d43947ec7c280a9ea96b16f6d8fd692ae45f7ba5918c679e05ef4cc2568ab78d235d847e7dcc7c66610cd18d4c39

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminAAFBAKECAE.exe

Filesize
413KB

MD5
76b81bbaa929e92a0885267869e62fdf

SHA1
16ee3b53fd9d0fe6bd7fc75ac961a21bfd9fae51

SHA256
f59f82ea9cbaa95389bbec5f80b427daa2e575c2827eaaede006590810809f9c

SHA512
67d4fb8ed2c767871a307c54fddc86fa4df07ccfa943eeb61e6e8960c4038fb8a38118a69cbb7a6364dde6c11fd3139b8c5f91e029a437dad0d39202383ac3cd

Download Submit
C:\Users\AdminEBGCFBGCBF.exe

Filesize
381KB

MD5
f5a1956973dce107d4c0b6267ce88870

SHA1
79a19513d7c9cff939f2881c4172a05dbaef735b

SHA256
7b794c5bdb820791f0359da90a9a4f258412b8feef9c6e6a0411f6aead9d3a04

SHA512
f42180c75c0ae8dc083c6fff98a66c0d875fadb400d7945816ea330a54777632a3a7752d3e78b90e45f58ed3d04d6708b1dcea51d82711356e6d14e405a7c579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
f8626eb69de84cdb8a7b7f84fc22041a

SHA1
54fbb8d594d4443ad99b43647810c78868eec882

SHA256
8110fbe292f1a73c18f1e673da71007cb1e07b0060acdcf1f494655c37d99b3c

SHA512
7e4894bb5a9cb41a3145e4013954056ce78322b9e0191ee75037941bdf99bf3c12770ef09e61b7199e485b0aadc5cdd2d301de5a6ece7ef31bf5883b99725cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
e7c33eccbe49ce1e42c7a17d85874261

SHA1
4a8a9b309f50beabdc241fa0832ab935b055763e

SHA256
ef01abf9b5132cb79866af7a1c089a61e4596d1af82641e78ce131a07999245e

SHA512
20a3e4427c252afa5fc0ffacb8d96f08519e0256c03ca83c0d7c05052d77b12fed243990c86e2c39f2c779af18dfa5eda2a22900b31793b6672975b8502f7ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66eef0cc8034a_sdgdfs.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\76561199780418869[1].htm

Filesize
33KB

MD5
22ca7f9db215a386ea8265d484e9ceb4

SHA1
bc7d3e0f83480c2e957ef3bd3ceeb21ff0f19ef2

SHA256
a66b0d293b0f8e74db0a9467564087adcb2770e01def865608625169ff14b7b7

SHA512
79c8fdb095ddf6610dade86f55f3ce6c8fd683ba5d05191a637a3af719427c5c5d91c199a9ed4673da595a5490af502683031b5c7ca2be002438aa557e19c7ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCPU4OJ5\76561199780418869[1].htm

Filesize
33KB

MD5
13d3477ee49c9f676184919e40635b17

SHA1
695019fe4574d7f8df9a912b597016222c9c2746

SHA256
054d65bdfe0da29cd63ec2e62848e5c5997be31b3e676578d14ff1d18778aa6c

SHA512
6995f5afa5a27bdae81f981e3f70500b0d93183ded16c90f8771fb2cbc2ceec80ad109c87fa0f89d7500f023a9823113707fd86f05159c648f3ef0c1615a301d

Download Submit
memory/860-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/860-11-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/860-8-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/860-2-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/860-1-0x0000000000730000-0x0000000000768000-memory.dmp

Filesize
224KB

Download
memory/1208-105-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1208-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1208-10-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1208-13-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1208-12-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2720-101-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/2964-119-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/3208-269-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3208-260-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3208-125-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3208-250-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3208-236-0x0000000022A50000-0x0000000022CAF000-memory.dmp

Filesize
2.4MB

Download
memory/3208-127-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3208-227-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3208-223-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3208-122-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4800-113-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4800-115-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4800-110-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download