stealc | a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47f

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe
Size

216KB
MD5

ea754070163f8eca914b259096d834f0
SHA1

cebf2eccad67deaf6ac9b8dc71118ad474b16868
SHA256

a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47f
SHA512

2a75b505780c6670204f5c4e2818bb1b027c88e98c9c45dde39aed786afaeff60215afb278fdd89eed58639c9eccf901836da4329d3c62c03911992b923ca225
SSDEEP

6144:I/NKt5fv5P2tInQP5loWIUKp6KgjfOc2PEO:IFuxv5OinA5lJQ6Kgb6EO

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/4308-114-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-118-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-117-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-183-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-194-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-221-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-231-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-248-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-261-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-328-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-336-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-361-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-369-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RoamingKKFCAAKFBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	IDSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_419f30ab01f04204b0e77699a0dab89c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dbbc52a68a644f4fa0df23edd65b3c53.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_da6d4adb4e954a96a6302be1b5c65d63.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6bd955cf78704ae49424d02d48a559fe.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8d55d06b3b1541ddb4fe78f769d4f0d0.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fc12e97bc0ad452ab84f2a80df2feb27.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d861005ee9794de3a09d161328eddcaf.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dff03aa331364731a0ff889c565833ab.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_221fb12e22c04adea94f4334ae3c8ff1.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c6b198561f6445e0b4fbbea6067c0290.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b86c47f336a4421d9f721b5d82c002c1.lnk	RoamingKKFCAAKFBA.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_72f3765365e04e2088e6c3e45053bbba.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c9161e200b254c8d85ef81881e54dc18.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_eadaa75a9c0748cdbfb3b6fe6b3f09ea.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0831fb39e09f4781b1304ee11546858f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e68dbc286ac8490e9253f163971ddb83.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_576833f652f7468ba03087a3201deb71.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5cb5fa66ccc34194bdf1b98adc0bc8d3.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c4d8cb9dea214ed6a7775dac43aa2167.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0c01e5302a684ab58692de4ad7fe16e8.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b83186ded9714b09bd6d0fea3da97f1f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_17d00422d09d44acba1e70ec11b7cf36.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9b0b89e3c3674ce6a2722c9f5af67926.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_816331ad8fdd479787e8b8bccb8ac29e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_71468efbb5a1440db53e0697f70a83d7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_86ad9d85f69143228a01c49e1e01a88e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_593f61a2b5df4ac0968c7ec9db2e418b.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_18d7b6435eea496cb6c54a796bdafc61.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_aff03c8d66ac4ebc9a575a70d017fb83.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b1c8671f7751443a9b65fa9b0011954f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5f0d22a28ab4459f82dd8dd5e573e15a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6e033c9c852c46a9a34df9ff83b5127a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4b742f8ad71a4ab28dcddb6ab45000b1.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2c1a7488c0c046dbadde8f6e2cb43034.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7619f6ea6d4749d4b0e94777d8be4cc7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_198d57a26bb445c59220269cb2a971ca.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a3eae81f67bc490e864c214a26c11b61.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ca16985fa41048458928faf18ca30b5d.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_96db389e7b0f4308b400fc9883c2bd1c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fe3cc12a8d694b04a21a04029611a071.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6e362368016747b8b06f8fdc14ea6267.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e7bbfcc5a5ca4029976aa32b5c1348e4.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_13b521054d2c4d4ba75cb3253051fc3f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6249dc66d501477b920528a97a831cee.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3c147256b7384938854a462f2e2a7912.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ab649fded4b8431a85570e04dcffc395.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_924d193b782b44deac72461273980b1f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ab37dd66d6a0492581f804912034885b.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_33fa4756edb44bcfb229399283ae3f8e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_246290bb47034332a63bc1883df3b2e0.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9f10d766d5f74c5d936b3e4e51e7a83b.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4eb1eb3d5bee4db8b1e5ea9e466d0559.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ed4e7ab5bdec4b2a90f252ac5949061d.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_74b9ebccd48e48e2893cc8d22db758f9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1036db69f81d4e9c9e00082b0aed2272.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_743eedc8e09f4e37943e24c4db59e5f1.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_29026699643148cca7d062c83cb32b5b.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f3928d42bfe0426a8eabd966b9606b9f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1d154feb612c42fba29239ee4f6dd2c7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f917fbd93af649b7ba212ecceef9b9b4.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1cf850d870f448eda28af6b96ed646c9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ce8434f9343144f387b04abad6f0ecf9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_179808498add42bfb6aba44cbb2293a3.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4beeea521853416ca43c229e1d1ea172.lnk	IDSM.exe

Executes dropped EXE 7 IoCs

pid	Process
3544	AdminGCGDGHCBGD.exe
3320	AdminJJKJDAEBFC.exe
3100	RoamingKKFCAAKFBA.exe
3568	IDSM.exe
2104	MSDNG.exe
1928	CGDBFBGIDH.exe
4024	CAKKEGDGCG.exe

Loads dropped DLL 4 IoCs

pid	Process
2396	RegAsm.exe
2396	RegAsm.exe
4308	RegAsm.exe
4308	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_99514e984883427592ce7df7cbb89e89 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_380e2332e12f487fb9425a7a166fd22f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_47e888f9a9904638b2aef43534c64d09 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_56ae98bf142044a2a54838a46fd060f6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6fa5f40dd67043d58a5f10dcab0c0d4d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0b7a2a6d78134c3f95c62b95704daf96 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ed4c22a6575b4c90a193fd5d83df3091 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b7ff8557d73a4b5d957bd1e2ad1e358b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_afb13e3d3a1948269659822bf14efdbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9d194d1439ff48e28ce008c3bef4b4fb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_72b02d7af5fc4afdb01de5a6255c8ac4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7c13a9a5d2564ae282f018b4f21e3dcf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_66f124baa1d74e6f9fade67c9a5c8418 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6a440ac4d344423280784981ad51e3a5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_74ac3c1d93624b788a85eeebefd2c297 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_019954b2fe3f45bfbb3fcd13ec600158 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_891cbfdd095a4365b6508bb1017d2dbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6e2c194209664384842fb6bcdfd482eb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_633365133a3d44faa4a2c928f7201072 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_1ad1b22b469840e3a4e366ae9570febd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_fdeb5360ee0f43f1951a126639fd1ad3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a9f53117d5ad413596ddd1d899e46bdd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ec382ac02147450e8c07b3e872d0fac9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_078713e75b7a45bb90820fee8b192d74 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7cbdd0e875374535b6b88f63d27a27d0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f462946aeef24718b9d582e8bb6ad0e7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_1ea9a7fee933428db6d695dae9e1acb9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6d7ecd3744be45558c6dc0cfa1c5c35c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b699412e52af47979d515f2102285a6a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c8a59ae04cd54a65b8490866a06299a9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_916977be7b2a4bfd909cca31a416f869 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a78068f827ab448598b37f267e71af98 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_570a7d024575452d84485719cac2217f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9fbd5989d1994a4f986637c3d8c97062 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_df5014a0afb6484d9d96b1919f1f5081 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_aeef9c11be944680b1f660d68d070743 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a7eee1285f3d43aca6fa743a0f69e4bd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_55ff918953b9429c9cd11b886cd86cc9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_1e2301f1604b448abdcc6d54eefc36e7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b564d13b7ba745feae38c7a2deee8db9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2c2fcf1eb61c473bbbc4f61108e8dce2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_8db99f65b64e4a4f88092a5919a8d4b6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0028e6a038d04486b2c1feb911a13902 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_373d508f6c0f40d2bfdca6fa0fc5a024 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_daa996118c524fd496c88c3bc125f19f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_fbaa32cccc2a431884397eca02720d11 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_db4654c907c046b4a29fc23ed9612789 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_06531b12bc8d4b7d9252d94b200fc515 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6bc7e3e1426a49cbb0e32d9680581701 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_bb2581202b5240a3979287206c5ba4f3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0e63d100b5fc4aa8ac920861a94c1ad9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_656b1e90bbf646fc81b11ed89e1ebb08 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3eb5d1d11a82490f97c9268f04f52f6a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a38f046d28fd40589b8d1f53c6791aa6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9097a07d2d764c8c901a253084c68393 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_26db7d396801433eae34fc11a12bd287 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_033e1b5431744edc94e8434cdca24b87 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c21c6192126b4a7284b9b608c1bd4d5f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_62cad4c335714100ba09e50ca2ce6e70 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_747acfe7172c4e789719e80d68a78e36 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2eba871760054dcb8b91913d8e0b3aea = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_adbedb08b077424b801c411344e672b9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_681c9aa540c1450aa7afe017a8bdc00d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_47733e53fbe9482198493e882dd3e9e6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	api.ipify.org

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 3544 set thread context of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3320 set thread context of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 1928 set thread context of 1504	1928	CGDBFBGIDH.exe	116

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminGCGDGHCBGD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDSM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAKKEGDGCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSDNG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminJJKJDAEBFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingKKFCAAKFBA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CGDBFBGIDH.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5060	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	RegAsm.exe
2396	RegAsm.exe
2396	RegAsm.exe
2396	RegAsm.exe
4308	RegAsm.exe
4308	RegAsm.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
2104	MSDNG.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
2104	MSDNG.exe
4308	RegAsm.exe
4308	RegAsm.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
2104	MSDNG.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
2104	MSDNG.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
2104	MSDNG.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
3568	IDSM.exe
2104	MSDNG.exe
3568	IDSM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	IDSM.exe
Token: SeDebugPrivilege	2104	MSDNG.exe
Token: SeDebugPrivilege	4024	CAKKEGDGCG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1924	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	86
PID 4836 wrote to memory of 1924	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	86
PID 4836 wrote to memory of 1924	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	86
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 4836 wrote to memory of 2396	4836	a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe	87
PID 2396 wrote to memory of 3504	2396	RegAsm.exe	95
PID 2396 wrote to memory of 3504	2396	RegAsm.exe	95
PID 2396 wrote to memory of 3504	2396	RegAsm.exe	95
PID 3504 wrote to memory of 3544	3504	cmd.exe	97
PID 3504 wrote to memory of 3544	3504	cmd.exe	97
PID 3504 wrote to memory of 3544	3504	cmd.exe	97
PID 2396 wrote to memory of 3660	2396	RegAsm.exe	99
PID 2396 wrote to memory of 3660	2396	RegAsm.exe	99
PID 2396 wrote to memory of 3660	2396	RegAsm.exe	99
PID 3660 wrote to memory of 3320	3660	cmd.exe	101
PID 3660 wrote to memory of 3320	3660	cmd.exe	101
PID 3660 wrote to memory of 3320	3660	cmd.exe	101
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 3544 wrote to memory of 5060	3544	AdminGCGDGHCBGD.exe	103
PID 2396 wrote to memory of 3888	2396	RegAsm.exe	104
PID 2396 wrote to memory of 3888	2396	RegAsm.exe	104
PID 2396 wrote to memory of 3888	2396	RegAsm.exe	104
PID 3320 wrote to memory of 336	3320	AdminJJKJDAEBFC.exe	106
PID 3320 wrote to memory of 336	3320	AdminJJKJDAEBFC.exe	106
PID 3320 wrote to memory of 336	3320	AdminJJKJDAEBFC.exe	106
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3320 wrote to memory of 4308	3320	AdminJJKJDAEBFC.exe	107
PID 3888 wrote to memory of 3100	3888	cmd.exe	108
PID 3888 wrote to memory of 3100	3888	cmd.exe	108
PID 3888 wrote to memory of 3100	3888	cmd.exe	108
PID 3100 wrote to memory of 3568	3100	RoamingKKFCAAKFBA.exe	110
PID 3100 wrote to memory of 3568	3100	RoamingKKFCAAKFBA.exe	110
PID 3100 wrote to memory of 3568	3100	RoamingKKFCAAKFBA.exe	110
PID 3568 wrote to memory of 2104	3568	IDSM.exe	111
PID 3568 wrote to memory of 2104	3568	IDSM.exe	111
PID 3568 wrote to memory of 2104	3568	IDSM.exe	111
PID 4308 wrote to memory of 1928	4308	RegAsm.exe	113
PID 4308 wrote to memory of 1928	4308	RegAsm.exe	113
PID 4308 wrote to memory of 1928	4308	RegAsm.exe	113
PID 1928 wrote to memory of 1504	1928	CGDBFBGIDH.exe	116
PID 1928 wrote to memory of 1504	1928	CGDBFBGIDH.exe	116
PID 1928 wrote to memory of 1504	1928	CGDBFBGIDH.exe	116

C:\Users\Admin\AppData\Local\Temp\a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe
"C:\Users\Admin\AppData\Local\Temp\a893e20fea08c8615de1775ad3559ea6eff35b5ec3b1ab6f463924285a84f47fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGCGDGHCBGD.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\AdminGCGDGHCBGD.exe
      "C:\Users\AdminGCGDGHCBGD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJJKJDAEBFC.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Users\AdminJJKJDAEBFC.exe
      "C:\Users\AdminJJKJDAEBFC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:336
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\ProgramData\CGDBFBGIDH.exe
        
        "C:\ProgramData\CGDBFBGIDH.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
      - C:\ProgramData\CAKKEGDGCG.exe
        
        "C:\ProgramData\CAKKEGDGCG.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBGHJEBKJEGH" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingKKFCAAKFBA.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Users\Admin\AppData\RoamingKKFCAAKFBA.exe
      "C:\Users\Admin\AppData\RoamingKKFCAAKFBA.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
      - C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DBGHJEBKJEGH\AKFHDB

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\DBGHJEBKJEGH\BAKFBK

Filesize
114KB

MD5
f0dcd0735cfcef0c15ceda75deb5cb3e

SHA1
af257a650681983a6c9e087615165269a6d0ceab

SHA256
d3ca053889263104532ef68de1a1200f5e1b1177cfeea702e882c5c4075c35ee

SHA512
cc2a123eea72756ce0914ec7c2e077b9f14c6def40a3131fdc02d5f981c5c79bba7859d02296cb1a15e4ff2491818e91c3790706cf46fffdf9a7b7fcb5a33ec4

Download Submit
C:\ProgramData\DBGHJEBKJEGH\KJEGDB

Filesize
10KB

MD5
ab468164e971342d7a1d4b481a508d22

SHA1
91f7adb4ee08abde2a1adeaab9f29074a3d21343

SHA256
42a2b3f639bf98997a363831d2b715d8c55be7550e657fbe0cad7d92257e9883

SHA512
3650eb3ab5bfcf533ec089b44c9d6376d664e35f4b4ea0b720b6dbeee028acec64c98ef734d2fb92adcff3d6e5b65d70b7abf958337fc5cc911f5b2052bd106d

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminGCGDGHCBGD.exe

Filesize
381KB

MD5
f5a1956973dce107d4c0b6267ce88870

SHA1
79a19513d7c9cff939f2881c4172a05dbaef735b

SHA256
7b794c5bdb820791f0359da90a9a4f258412b8feef9c6e6a0411f6aead9d3a04

SHA512
f42180c75c0ae8dc083c6fff98a66c0d875fadb400d7945816ea330a54777632a3a7752d3e78b90e45f58ed3d04d6708b1dcea51d82711356e6d14e405a7c579

Download Submit
C:\Users\AdminJJKJDAEBFC.exe

Filesize
413KB

MD5
76b81bbaa929e92a0885267869e62fdf

SHA1
16ee3b53fd9d0fe6bd7fc75ac961a21bfd9fae51

SHA256
f59f82ea9cbaa95389bbec5f80b427daa2e575c2827eaaede006590810809f9c

SHA512
67d4fb8ed2c767871a307c54fddc86fa4df07ccfa943eeb61e6e8960c4038fb8a38118a69cbb7a6364dde6c11fd3139b8c5f91e029a437dad0d39202383ac3cd

Download Submit
C:\Users\Admin\AppData\RoamingKKFCAAKFBA.exe

Filesize
409KB

MD5
39af78c7dafc5b1b5b42268fd412b6fd

SHA1
f91d6871cb72874f02d58a8ca099941696b69729

SHA256
3878f5b404de6159915d9eb4e00a59dd303c2e36ec1d36a883c47e0d51462556

SHA512
bd7fdf9dd91c0039da3e1c5427c4afb2558ed2e375583dbdb39dfd2578ab2e204f0d7d92e79d178ebf06cc30ce38f169998554129aec73ee8c244e09ff685f4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0f39a1f16a7a44818db9ffec32e26442.lnk

Filesize
1KB

MD5
4c49cf297fcdb98133bec9dc4edbb798

SHA1
6b5652eb94d8fc8beae96f33625f93bd8efe0332

SHA256
b0ad8f39ceec6e497caf835a52ff276cad1170635c085e022cec9e90e48bc505

SHA512
9f62afb76b3aa8e09681de2859347a04e4cd241e3afce982ca230ffa1cce93b019739da9c128d4fb4e807c9b73153556a0c764e6f21538c913a0da26b56623af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_13bda7fa3da844148de1b26ecaefabd8.lnk

Filesize
1KB

MD5
6e750dd3acd36e3d48f3dab00e0aae2e

SHA1
a9580c83c293d7865a2130c21fd48a0514ab28e6

SHA256
a57b90d29a5ed43baf1b910bcd5de55d20536a895749a5e65cb512e45b836d7f

SHA512
2cdb479f90a8f1af2d4f96137d75dd1de2e915d4d32d2f2adc966505f58d4f5af2c23fb6a56b896ccc64f21015b27c94d53ac07a4adcecd012438b4ffccddc1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_13c1eb8f58954deb8d2dbe84e9283692.lnk

Filesize
1KB

MD5
8e635cd6784548a83df5deb919182a65

SHA1
89384a7159ed6ff8e53203765855d8cdbd003209

SHA256
653bfd534c9f46e53b8338b4a7ac1a4178d3df2d5fdf641f495338104b82019c

SHA512
cedd00baa2bf80bac868a3c31779cff56cd285ecc1faf6d637aba63f09a3c9f2fddda2aa7b6198f686f9e785bbe1193f54831651b602a12476c715799191158c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2200351430d24ad7b674fcd14484d189.lnk

Filesize
1KB

MD5
b02786b0f58b90a3ccd6703849b9d4b0

SHA1
94441b467ae56186cfd8ac5452ccb8efbeb9c7bb

SHA256
167992f51624801bc65541223774dcd84dca834f3cdf1b00f443da81b88bde84

SHA512
dd9a2f9efea341a2b1572503a2db6d8eb74f4c7c58cf7582ce4e191a0e0e206319a34911607b351e5a9de337a3343c8307ab756e478e52411d5f0eb3ad79a74c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_40b675e232af4c04833e2fc4c7803eed.lnk

Filesize
1KB

MD5
3f38a68e117a35aaa16f29b7aeee1f3d

SHA1
f449ffb62369b615783ce6232afb3937403a8041

SHA256
8ed6299c245595fd2cfdbdfe210fac847d295fa6321c6262d0bedb30eda07fdd

SHA512
a9e941f5250dcd42cb202d045449ce76aba6982487c4bf3c1246373323a2c1158045d440dd8fd9a0973c35fd3b11c993c0202347a907c3bac620dec61b00560e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4eb1eb3d5bee4db8b1e5ea9e466d0559.lnk

Filesize
1KB

MD5
3568c2a3874b6fe7a7306cca10ecd767

SHA1
01f09bde638137003a9968b28b5419e0a7e258f4

SHA256
8855f1f2807bdb6cf6d0545ec053dddd384f224e60273e7b5c6f28634b747373

SHA512
3ec9f0a7c44892b9bf71b81d042ba8ad38c8f80e0f278707716dbfa1b3ff5a04b726947203a81830f66d7ea141a7a0f578548dbe7740743093ffb5ffa5e5f2c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b86c47f336a4421d9f721b5d82c002c1.lnk

Filesize
1KB

MD5
31e7a75e7fd6b278ce8f472c3c4fd691

SHA1
3721b64e82ab546ba33fdd9b9bff741740e5baf2

SHA256
e43b9d8045409770da7a0eef453ff0cc1783bd91fe97b4f1cd8b7a4127a950f0

SHA512
063b4e84e5c354e77c37cfce5d6630016c1249259f83c65a0ce2df702eff1378f758f2e97813a1324269a4461fafc75d9e439eda1d4da9a7589f2053c404f56c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d1958c7101de493a99df5897d490bf8d.lnk

Filesize
1KB

MD5
089f211bc4d26c60a64c36f2c33209d3

SHA1
a281d28b343e6ee6051db9a266c682bd1c901c10

SHA256
fc7a641a2d5c79045156c7ae0bacc9aa87d1e2cf021417df794a73aea1a811e8

SHA512
c5089ca999a294cc63e1dfb699d2806252ffac208bfee1e8f1ab391af1dba9fbbfcf4628d876aac02a09596f48f99ad22769801df328b4820b7af2c9252cf4ec

Download Submit
memory/2396-11-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2396-10-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2396-9-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2396-5-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2396-111-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3100-125-0x0000000000B60000-0x0000000000C0A000-memory.dmp

Filesize
680KB

Download
memory/3100-129-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/3320-105-0x0000000000080000-0x00000000000E8000-memory.dmp

Filesize
416KB

Download
memory/3544-94-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/3544-110-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/3544-92-0x00000000731AE000-0x00000000731AF000-memory.dmp

Filesize
4KB

Download
memory/3544-93-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4308-194-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-336-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-118-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-248-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-261-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-114-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-221-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-117-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-328-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-183-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-207-0x0000000022260000-0x00000000224BF000-memory.dmp

Filesize
2.4MB

Download
memory/4308-231-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-369-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-361-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4836-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/4836-1-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/4836-7-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-4-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-2-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-99-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5060-104-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5060-102-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download