lumma | f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

197KB
MD5

8f51409e0119d80da56d1bcddbe960b7
SHA1

5ddf8d0198b0646472038f887caaee50f35f4f2e
SHA256

f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d
SHA512

bafc8becd7958405e3d6ec195483d2e20bd6eb52a89845ad9fcc0351d54525d03599f66bdf0440f421e25f1ad482a2bc85eb017d8239b7525944be908af391d1
SSDEEP

3072:yrsR+CX0WGYN8vWneNvsR4cByR28jzzlpcJO9hVpfCV0MY7QxFJn2IK:wsP0WGY7jR4ccfe0P7qJ2

Score

10^/10

lumma stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://surroundeocw.shop/api

https://racedsuitreow.shop/api

https://defenddsouneuw.shop/api

https://deallyharvenw.shop/api

https://priooozekw.shop/api

https://pumpkinkwquo.shop/api

https://abortinoiwiam.shop/api

https://covvercilverow.shop/api

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/3552-108-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-110-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-106-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-255-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-265-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-288-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-297-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-313-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-326-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-393-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-403-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-430-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3552-438-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	IDSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RoamingCFIIIJJKJK.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2ff4ff6c45a8497893e9fa03d42cbefd.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_60e866b03fc24447b3f5c0d8b0b5fcc2.lnk	JKKFIIEBKE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3dc8624552b04320a30060590afc2128.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f1417d56225f44bba222376f2d796615.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_27a4456fb8a74a87b09f9ecc42f5c40c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_df9afb79d7874d618b5cee5ed9262120.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6bc2c2b3fac14fe3bacd3c4cc5960f0f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9bbeb3b078cd40a6b639b54f6e756573.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7f53823907024cb2a4042147c4f6a23c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_60fcb774e5804176b938fa963f329fe2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_020c4cf96ca348a1b7307276f0cdebc5.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ad862422adaf4995bbd0376ced5bf9c8.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2cc5e29f231841fdbea45ded582181d9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_76c5aedcc3e247e7a4ca7fe9a09db632.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_420246f6a5874a2d82c614c63997ef44.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5fca7ff87c814822a52bfb2079a5af50.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1f8f6721a4924f1abc2c691f888b3273.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_193c6c11c07949108f8ed0a2fcbd2800.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dd245604999046acbfff93e7f8be671c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_170d98d3074b4cb582b0a3afae0bd125.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0e411e41af984146917a2e4a436e6ff3.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b8c6a5ff2ee349f197ac880d5b964421.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_896ad7db23fc487d86c7c073cd1229d5.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5dac8a30490e4d5b831d5d4dc76ffb02.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ad4d7b147e044128a958c95d81e4c614.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dc226e8b92b5429381278f51568741e9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_923b122148dc4dc494bf67bfb06fd72c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_af4c0220f28c4acfa9a643f6a750a3fe.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fd468c1079634e7ba6bdcf08f936629e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_538c366ef92a4f4fa94d4417972ee4ca.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4ba868e6644b43c5a3be0d5f25f542d9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9cf6512e46344c949a3d331aada8a1d1.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3d2304debb3b4cd5995e8f7592e4cad2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9afb83a8bd0e40f49b9fdd002e2b0f05.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9fa65d5d72284c86ab005ddb173e9f34.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9a2ebeb16fab4188887ebe7d4714753b.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fdc44cf03a944b0c91517327527fd99b.lnk	JKKFIIEBKE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ecd26de6cc2c4bd1be356a37f51b5ce7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4ae836d6b9964c029fce00727f193947.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d8b9ebff8b4649b2a12ecb0fc4911af2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_cc0da2cb975c4193986c420437f69bbe.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_076255fc02d54a6396a1d60ce4848bf5.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4602bceba2eb40ba9f5ead477c0ab691.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_06893b3d0a2a4e558f5e3fb783d03644.lnk	JKKFIIEBKE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_80e9ff88011b43ffa0219d05e84c9bb3.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7f64d6cbf26144b6b7faddbd26bca7e3.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e292543d107646c2ae61cb31d41f6113.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_398fb8cc33ef421cada291e5a1509e86.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fbfa8c878cd94c789e7e4e4db56a2018.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9d48e6b5d93447cd8b15d608c8c52dbd.lnk	JKKFIIEBKE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3ccc9036e79540c89ee628ce0f2515c2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4e98dc75bf64488bb2d6b8fefd238306.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_811f5aa35385456b9941ea3b489c5ce9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d4ccb55037214b638a8beeb8d2f3c685.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_60ea3472be3a43949079855c1b9337ee.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_34d55efb618e4dbca895e906e34450da.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ae61a459eb99428e9ae1acc89b6f9e16.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_698b2031c101403fa971b5f06d674c3b.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6509beaf759d4b358240d71cb7251f03.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f3d0effa549342d9bdf2f5277bc84b42.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2b7d0062d1e6402ebbed1d614fe68e83.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5f24735a81374923b0f329dc0a16ca86.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fefa23d78ce64af985b31bb9baadc9bb.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ce261114b335420da0e8a0955e900607.lnk	IDSM.exe

Executes dropped EXE 7 IoCs

pid	Process
3924	AdminIIEBGIDAAF.exe
2772	AdminDHCAECGIEB.exe
624	RoamingCFIIIJJKJK.exe
3748	IDSM.exe
4464	MSDNG.exe
4344	KKKJEHCGCG.exe
4348	JKKFIIEBKE.exe

Loads dropped DLL 4 IoCs

pid	Process
3024	RegAsm.exe
3024	RegAsm.exe
3552	RegAsm.exe
3552	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7411d01edeea4f378ad2ebe1c5ace43f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c5096e9549e74e10b4368ab567dd0102 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b17e4719b5634bb5834023f5db63b3a5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_38d2620359474eed8c5f5a2286cabf37 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_8c7c28c9d9ad44cba719a699f1bc90bd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_93a38301062a46ac9c0dc88cff7fdd6d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0ee74d19debd42f09b029f118442d704 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_538b62cde41f44929b2505af3003b5a8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5415ec0a3e6e4dae80c76d99ae95246e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_cba706e05baa487e94b5f6e145a529a1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_1938eda576034d4eb9583706fbdd1d93 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c8ea4930e0724cfcb9615926d65bc07b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_cbe9c01fb5f44b019f145975b5b1fa5d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7f5c0f7a24be41c2a862fc547ff38260 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_26f9f47892c94053868ffe42796d0b0b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f77e79ff9d6141819fac80354077b95b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c30b74ecea82444e931ac10e155d7662 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_139688cea34d4e758228d43d4a072f73 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_db4b0d2112b34ea8874a53976037b737 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d5f5a1fd4a554610a92e7960c8f82244 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9df80fd158ea4e92b9c74cd60075a6d3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c0d8797696aa4982bf5f1b3ee655b3c4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b571aa0b5d0d4d5483dab489eb46d34e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ed11f4d2d2b64b7a8d15c364f4e3a9ae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_1795291237c144cd918e8faa8154d33a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3855a1526a5c4068a920ec8101f50667 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d503f79584834108b12a3971116c64b7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_bc1ba13bb3c740d1a765abc9d29dc229 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f2d459ff73394042867b2708697a0a86 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2ca64731a252461384f959c20c8c6496 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f6f306e7089d4c37a56abdd54fdfd5bd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_df82fc04d95f477798401786b4830012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f442836940ad42b19afe9caa0e402e7a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3fc5b9e3d430410e904ef20c12597acd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3a93813f05fd4f8da77af6982da1f053 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_caf57a79719d45a89ae3351538884c88 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a23ee19700d745189320391b2904fd41 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_32c824b548004452bd27c0491b7a51e0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3ad58245465a415f87271f383d675cc8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a872f96c3dce4ba68e21f8cd8a417f5f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2892e82efb9840c2bebd19cf1872af13 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_8a070019421d47269560f03ecbe23f32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_408ce7ceaec04ab4805004ac999a59ed = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b6d2dbe2e1704f079e41ceaa09636cab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_759a4ac7a3474076b9ee08382b9844be = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a7858bcb4a6a4f7a9474dfba7e71840f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_237eb48018a3475196654db2bc2dd4f5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c7bd31f017ec4c07bcfa586ca38badf5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_871994e2fc584d9eaeb6f159bf9c7c7e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	JKKFIIEBKE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_324ad6e6c5b34852a018ab123d41df81 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_27413934e5df41778a14aaf1419d1559 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f86ab23b5915487c8c902fc44d8750cf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3b38acd7dec144c68a8dd820a9398f67 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_70e7e934bbbe40868bba6bd8ba8742f3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d86a5d315e2c457699a83a4bc7cb7aeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_842f0fdee2a1459087c12d4a6a093a1d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_4539f2cbe6aa4e519596e22da3120ba7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_761bbdf458eb44f5a6fd4179bc5fc782 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ceca1c49b0a44924ba430e328c3ced77 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f2571f2eac2c40a4aa7800fda7be41eb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f91aabfb8e134efa96188964976e8721 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a7c49e0fe81a47ec8308231fa2a776e8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_77c9770807104e8689c14e42c5eb8720 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c6f7abc62fd64eeabac097fec7f68a6e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	api.ipify.org

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 812 set thread context of 3024	812	file.exe	83
PID 3924 set thread context of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 2772 set thread context of 3552	2772	AdminDHCAECGIEB.exe	105
PID 4344 set thread context of 3044	4344	KKKJEHCGCG.exe	117

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIIEBGIDAAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JKKFIIEBKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKKJEHCGCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminDHCAECGIEB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingCFIIIJJKJK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDSM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSDNG.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
656	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	RegAsm.exe
3024	RegAsm.exe
3024	RegAsm.exe
3024	RegAsm.exe
3552	RegAsm.exe
3552	RegAsm.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
4464	MSDNG.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
4464	MSDNG.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
4464	MSDNG.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
4464	MSDNG.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
4464	MSDNG.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
3748	IDSM.exe
4464	MSDNG.exe
3748	IDSM.exe
3748	IDSM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	IDSM.exe
Token: SeDebugPrivilege	4464	MSDNG.exe
Token: SeDebugPrivilege	4348	JKKFIIEBKE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 812 wrote to memory of 3024	812	file.exe	83
PID 3024 wrote to memory of 212	3024	RegAsm.exe	89
PID 3024 wrote to memory of 212	3024	RegAsm.exe	89
PID 3024 wrote to memory of 212	3024	RegAsm.exe	89
PID 212 wrote to memory of 3924	212	cmd.exe	91
PID 212 wrote to memory of 3924	212	cmd.exe	91
PID 212 wrote to memory of 3924	212	cmd.exe	91
PID 3924 wrote to memory of 3896	3924	AdminIIEBGIDAAF.exe	93
PID 3924 wrote to memory of 3896	3924	AdminIIEBGIDAAF.exe	93
PID 3924 wrote to memory of 3896	3924	AdminIIEBGIDAAF.exe	93
PID 3924 wrote to memory of 4956	3924	AdminIIEBGIDAAF.exe	94
PID 3924 wrote to memory of 4956	3924	AdminIIEBGIDAAF.exe	94
PID 3924 wrote to memory of 4956	3924	AdminIIEBGIDAAF.exe	94
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3924 wrote to memory of 1156	3924	AdminIIEBGIDAAF.exe	95
PID 3024 wrote to memory of 1412	3024	RegAsm.exe	96
PID 3024 wrote to memory of 1412	3024	RegAsm.exe	96
PID 3024 wrote to memory of 1412	3024	RegAsm.exe	96
PID 1412 wrote to memory of 2772	1412	cmd.exe	100
PID 1412 wrote to memory of 2772	1412	cmd.exe	100
PID 1412 wrote to memory of 2772	1412	cmd.exe	100
PID 2772 wrote to memory of 4200	2772	AdminDHCAECGIEB.exe	102
PID 2772 wrote to memory of 4200	2772	AdminDHCAECGIEB.exe	102
PID 2772 wrote to memory of 4200	2772	AdminDHCAECGIEB.exe	102
PID 2772 wrote to memory of 2528	2772	AdminDHCAECGIEB.exe	103
PID 2772 wrote to memory of 2528	2772	AdminDHCAECGIEB.exe	103
PID 2772 wrote to memory of 2528	2772	AdminDHCAECGIEB.exe	103
PID 2772 wrote to memory of 3704	2772	AdminDHCAECGIEB.exe	104
PID 2772 wrote to memory of 3704	2772	AdminDHCAECGIEB.exe	104
PID 2772 wrote to memory of 3704	2772	AdminDHCAECGIEB.exe	104
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 2772 wrote to memory of 3552	2772	AdminDHCAECGIEB.exe	105
PID 3024 wrote to memory of 1636	3024	RegAsm.exe	106
PID 3024 wrote to memory of 1636	3024	RegAsm.exe	106
PID 3024 wrote to memory of 1636	3024	RegAsm.exe	106
PID 1636 wrote to memory of 624	1636	cmd.exe	108
PID 1636 wrote to memory of 624	1636	cmd.exe	108
PID 1636 wrote to memory of 624	1636	cmd.exe	108
PID 624 wrote to memory of 3748	624	RoamingCFIIIJJKJK.exe	109
PID 624 wrote to memory of 3748	624	RoamingCFIIIJJKJK.exe	109
PID 624 wrote to memory of 3748	624	RoamingCFIIIJJKJK.exe	109

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIIEBGIDAAF.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\AdminIIEBGIDAAF.exe
      "C:\Users\AdminIIEBGIDAAF.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4956
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHCAECGIEB.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\AdminDHCAECGIEB.exe
      "C:\Users\AdminDHCAECGIEB.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4200
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2528
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3704
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
      - C:\ProgramData\KKKJEHCGCG.exe
        
        "C:\ProgramData\KKKJEHCGCG.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
      - C:\ProgramData\JKKFIIEBKE.exe
        
        "C:\ProgramData\JKKFIIEBKE.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIJDGCAEBFII" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingCFIIIJJKJK.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\RoamingCFIIIJJKJK.exe
      "C:\Users\Admin\AppData\RoamingCFIIIJJKJK.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GIJDGCAEBFII\DGCAAF

Filesize
11KB

MD5
f96ce2db299a61255e44b1f505f8ef46

SHA1
08267d4ccb08baf3a2fd5217ee20aadbf76eec68

SHA256
aae3d157fec5866deb93c009b5cb3d0ab99ba8ae9d4037ecfe4e26ce82522c4d

SHA512
c51b4a54030a442bc19c1e7960a967bf425f2419b7c4529b31f5ef5ec937a7b21f4ae15e8dc1986b796babd3725b638120966dcfe0f0be8855e961b517ea719e

Download Submit
C:\ProgramData\GIJDGCAEBFII\HJECAA

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\GIJDGCAEBFII\KFHJJJ

Filesize
114KB

MD5
503d6b554ee03ef54c8deb8c440f6012

SHA1
e306b2a07bf87e90c63418024c92933bcc3f4d7f

SHA256
4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

SHA512
3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminDHCAECGIEB.exe

Filesize
394KB

MD5
c41324a0ed75ade060a048d20be4bb0b

SHA1
cb60c01d5de4c7666095e61553573e813625d177

SHA256
ef0ad84528750e2dc891ed819018c7c0d28fe038c92fd2612a5f26ad9863736c

SHA512
7874707dfb5c2107f24d6889b4720fe8bc127028f49b6a88869b0769f8956bb4135a3a3b926e03adfcfb5dddf5475451ad7ec7bac106751eb34015e4b9ee116c

Download Submit
C:\Users\AdminIIEBGIDAAF.exe

Filesize
362KB

MD5
583886f724d722f72c3ae477b0d2d40f

SHA1
7234b70620f127f291e3755385299dfe6d3fdfbd

SHA256
1957ace1277b9ac0b49bdce7485dfb01cdd208dc489e9ae079b528ef212b39ec

SHA512
499dc5703f327ef774eb44ce500b7219f102b44b6622e14fa01c02c8e399ebaae3021bbe992606677a0df64fb213f0932ca4e6d28e3e46ab08a4431aa5dc662b

Download Submit
C:\Users\Admin\AppData\RoamingCFIIIJJKJK.exe

Filesize
409KB

MD5
39af78c7dafc5b1b5b42268fd412b6fd

SHA1
f91d6871cb72874f02d58a8ca099941696b69729

SHA256
3878f5b404de6159915d9eb4e00a59dd303c2e36ec1d36a883c47e0d51462556

SHA512
bd7fdf9dd91c0039da3e1c5427c4afb2558ed2e375583dbdb39dfd2578ab2e204f0d7d92e79d178ebf06cc30ce38f169998554129aec73ee8c244e09ff685f4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_10e8bb04c6544fd084eb70e51cc8b88d.lnk

Filesize
1KB

MD5
50b8562307f84a71a37abcf709d47492

SHA1
c1b277af01bcf54bd21486f109333327a84c4d02

SHA256
938a112a5812c83ec4a8a356a5d8fc765fb4e2a8c49dda494967a0b716f2167d

SHA512
74f3765a86cecc4c582dd67484fbb01f3ed6c06ec9ed7e0853efcdf43e3abf8ad914d9feb0af128c1dd6f082b0be8b8a0d0c78a624b95e91e489639bfe2e5479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_113135915c7b49f1a9830417b4541ca9.lnk

Filesize
1KB

MD5
4cdcfcbf05ed638ca3915fc390de6912

SHA1
b76eb3b9ce2c355a1e7c30d54ecf734d050c7781

SHA256
6c62422ee5c170b35056de1b0dca0d34367e6156df2c9f3aa31dde00bae2f000

SHA512
3420cd18e51dedb8a0575ab3862c0f2908007e153f5b2e6686f3661e9f7cbf3d11393d7684da55e428e64db8866d0c85bfaeb9a8d4a1e8da0cae62372f0d8106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_145eceb9d9974f24a6fbf75ea45db91e.lnk

Filesize
1KB

MD5
52429e95a63d16227df9d8bdd496f780

SHA1
cfc80b2f5b393f2021fc6413f59001c5283a274a

SHA256
79000180d0374ea0cf25373b52cf11f6b2cb6905223c6c0ecb63107be0fb22e3

SHA512
bac28ffa719baa194d16e7978c2d4fbe312bbccd2a832e89d5e0de7fbe524bff0c1681e2a3d3ccc4555c510bd3af73dd157d608de0611072f5d3ad7b1214e4f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_16b9b57f60634a759939139812196b74.lnk

Filesize
1KB

MD5
701465833038e0af8ea84e0532573c18

SHA1
262a03a3d8344166b93941253e86acd5309dfe7d

SHA256
6b0ee261b8fcd974706e94fc3c648ee60f2a6d0692c09bbac312b5876875fdf0

SHA512
866782c682229621b3094240fde00c8de9c610d5fbad22a1dc81d150fe9a10fe861f393a52066a951861cc0ecdf0a0bc3a58cdd6d704ffa124c12b51d76e69ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1b0719103e734a37918fe2cb37c2d886.lnk

Filesize
1KB

MD5
048da95ac9ff1af89e3a6f3aa31ec1cb

SHA1
29b69b48dd9db2ccd977c4cd2dd368e3aed4b59a

SHA256
2d1311b5be1f1c7a7bc8c33473876b68cd6ceb7dcd565e377314e61b1a5b9976

SHA512
c827f0afeb6baa9c555e5dd7398dae5cd9c5be642ea849147854729ea216a173b1a622b3aef5764b254cf7dc4056c18ba9f0d31a223a672519a8953db7670ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2637c5221bd34fec91e997ba68b7f316.lnk

Filesize
1KB

MD5
eb92633b44f577f84428322c0da3af11

SHA1
a099c523d1db9765ebb0ad971bf6a5f9ea6e7923

SHA256
a811459d054e2afc96ee752d14701b1cf7c40eb78c50ed7a90b57fb936806fad

SHA512
bce80d799e45d966c75410fb4b755589433d7e3b0018c8d7c1f2aebd25f75709996eaf27ea59bc9bd0c57fcbbeaf2a8b02e8dd3db1f40d7917c9563f73459040

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_29cb80d5dfba450f8283fe4fe11fb147.lnk

Filesize
1KB

MD5
e3c7c28e142fa07c2f46b938acffde85

SHA1
6cae2930ba46799f1e66aafda7c1577ce243e10c

SHA256
65f05b3aff23c75b3f3a22729ed1c4eaa4c216dbb1c56345e862f00406232121

SHA512
2d82bd634067298b0a10b89747eada5ee6494d5a986513450192a62f3061a1492793b071e8a481164e3b652f83a053389f6e31153b3cd9d26faa790501040837

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2cc5e29f231841fdbea45ded582181d9.lnk

Filesize
1KB

MD5
ed0f08071f468ed63c98d680c72f0119

SHA1
e31e2dca36568dbabc6ba66a657814c25bdccbfa

SHA256
a891b2bb76c6a1dcf369884e05f84816309ca00e12783997e58e6dc6b0f93961

SHA512
1913be45d7488c60016450a2e8128a755afed1ceae9819f9b758718107da086a1a50608f814ef948e9db05e6862756856dbbb7b6d07c2d57dd8f2e55beb09bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3282882e8383431ea6b388b705d3bf50.lnk

Filesize
1KB

MD5
b18b6f6de6104b341eef257287f50ebc

SHA1
7f54e81f36907e82273ab39291eadde6f8aea4e5

SHA256
55287d3cd399ebe6f1aced154bbc3606d735f2a731a3403c8080814284680389

SHA512
47575c1e20d772a0b25f9e1d083109b41430904474af4934fa15a1d66ea34a7e976b29b553bb3bdd694bef8a147393b00fa00218329d0caa622683bf98342cb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_34d55efb618e4dbca895e906e34450da.lnk

Filesize
1KB

MD5
46414c00323beb64b041cd4098f16b1c

SHA1
cbbf959c495960914d35ac252b967cd666355bd7

SHA256
535820e78fefb36d9a3fc3235aa251abb0a7f215cf88ccdd369a7809033030bd

SHA512
ae2d8c3b64432647e0875ace1fe78c59eaa258138a5eabedf56980d13e2ae67a5baea7c83577dba05124ec0478334b09d4cabdbbcdaf3b1c59f349a640c3b70a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3ccc9036e79540c89ee628ce0f2515c2.lnk

Filesize
1KB

MD5
65cc5344710ee0c87d73539a17390610

SHA1
0e152afc464ad5e01eb702f4d103ddedb872e9b3

SHA256
b51595bd1eb8c8925672c33cb68dae546789f9b0e7f2dfabd6b4d7f6f2d2e929

SHA512
7d5b2fed501faaf599de70a7b5bdea796f89ebd151a1fd2eab532aece214d545314cac0ec5c6a8aa565e74570e06a8f428e81a7bf1d311c5f8202d8838694d91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_41d3ee47165e4d0eae3edb39ada3b238.lnk

Filesize
1KB

MD5
9e7b282655f502d9b6bb7c6da520c65a

SHA1
10ed60979ad01167d3530fc763941b1b65d7c817

SHA256
e4779b00b99391e725b9741eda7e7d771b69b35648ea529045bedd78ec2c46a2

SHA512
9cd88db028251d18d3d264803ecdd7da885de3ca708ccc52128bfe77075113a88a9df5031baaeaabf286cb7ee57ef04c124328d3342b857b2faeb1ad785a897a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_43e5f03e6dc34fcdb67ad17810bcd64a.lnk

Filesize
1KB

MD5
05b1b975df8ac179ae95809d4e57eebf

SHA1
bee8c678f9d113174e25b91892f54b3ee37e2c6a

SHA256
fc2a56d1843a3df4a9e91f7dd7f809af042dc9f9376fad853793ebc6f7a2575a

SHA512
af53714cdafa4c2cc1706721536e1ee9f5371844dad20e2cd88647c548f4b25a086d9bbb458f4028080656b36415bd7576fd3ad637590f2f0535f6aaf241dfa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_454c70c83bd04f77b658169d83a049d9.lnk

Filesize
1KB

MD5
d9c86bbdf58e5e55553a54f5c22287a1

SHA1
a250ccddcacee3d6ea14346560575769bef8c47e

SHA256
27658362b44d55de006c9e02f83d379c75548ae22d5515e28003baba2614d65e

SHA512
ed4bfab58b32425859c8f8a04f48b50053f25291661b557fb992f6f80d80fbb1247a249b20257f0277d4312fb6f1f54f5e496cd8a3856b47221d687e674ec535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4dc4ae78204a4881a7675e676b21a82a.lnk

Filesize
1KB

MD5
679d0475e563413af28379cff5894c88

SHA1
5360ad593b038b7feef50315962c922ebc92e8ce

SHA256
e0793589577f055127fe6d949e17ca5a5f30462fe2120bb740edf10f514387a5

SHA512
d900c689c930848f4f8f93626b87af4ef473de14d1947a25322f4e651662293254af02b2a80fc38b1d196a9fa5267d4bd6d56ee2c5c8e084c87f7412d05dcce8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_520151992af34bef86e157418ece52da.lnk

Filesize
1KB

MD5
507349225bae5a8aa0bb046dd4d30561

SHA1
8d12291b2854d62dcdcf86b166ddcdb21db7566d

SHA256
5fa37fc6bcde3341c6d18a84947cfed7a5b691961c7ea1f5d10f7db23d2b82b8

SHA512
910ade04029cc0e40c2c216e8675ec3aea0ae459b73a32f1d58d07ced841db98efd8c55ce786abd8a9b0f3de9303f3a9c0dca2f5b90eddf1d07b60302deae293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_54e52465ecfe475fa438cc9549d527cb.lnk

Filesize
1KB

MD5
8820751d2486b82ae0f66d09e68319d1

SHA1
fc491832600e686428156f84bd6fa79a7c7fffcd

SHA256
33358d55944d3912f251faf21ec333894ddd6330e2caf8e56acbf291f508f16b

SHA512
82bdabea7e3d29d25a3bd44953c1893f87a6d88370bb2934e01c272a243364e7188b36fd3b2999ebe2447b7ca532ed0b268beb730cfd3e33f9ade4347f109f34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5536488bdfcc4d1c8174abfb3eef6aa3.lnk

Filesize
1KB

MD5
99be1ba76e9009a04e811ce4685175c9

SHA1
9c7c2e2918ba2d6552f58209e7e717ff9e098c4d

SHA256
7937300d43e1568f0b21bea676552f5bbbd517b6fcf831afe64d8d5ca98f7a1f

SHA512
8a3c3060d4cb319e442d0587b97d141dea9796418ad643f8e3a4eca6a9da0e7f727565b9d10621b5a273e98f726291329161715da21710d45efcaf952fda7e40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_601b5e88d2fe4117a76ba7a70c482e65.lnk

Filesize
1KB

MD5
84ddfc450b926a6b2d40cafaab8b078f

SHA1
83c4bc688c3773803e7d1e4f4cda61d0637f72a0

SHA256
d591873fd8dc3c05ed29f0679545f0eef2c2d4f8a49f5a492f2e26accb8c61ed

SHA512
58ddfd27f39d2b004a9bcf2dbd15ff13e557a5aed0eb0fe770c6f39567d295453de5e598afab2e7853e6062a355c27448eb70213eff3aa7e9910c706cfd02e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_60e866b03fc24447b3f5c0d8b0b5fcc2.lnk

Filesize
1KB

MD5
c7993b65022eab296822e3cae093c9b4

SHA1
9da2e70eece2a9c2e39ce2821573c0fed2e73719

SHA256
9877a13169f2589675b607622d36956d9b2435bc3fad5ad76e5dacc416bca7cc

SHA512
0e56470f4fe9865e4463df1fc239c0a8854975d4de34dc81449b454c8fb503bb8ab2261bffe2d16b1e9525152bff30a3a44b174cdc7020808e1048dc993a4334

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_616987f939a646a79bf2053ee9bad8f8.lnk

Filesize
1KB

MD5
73507654015953c466b3b5f936b5b597

SHA1
3be3ebf6cd9d5e84e1f1eb46871604c07c3a72fc

SHA256
c16848c9db75afe2867fc28a52a9c86dbfc2579bc338b4f75127675b9d39c533

SHA512
7c9a1c5011c8e573261100b6e2b309392d157012aa9a973df42f0f70291ac570cea75e8a91becb5c00b1a848bb547dc08b927b0f2eacbc75650c8d44e6cfda95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_658f86027dd44c2da3caf8942e3a0ac4.lnk

Filesize
1KB

MD5
7566d451b6ba6d5b07008b2d4bb70e77

SHA1
8c06c5798d2a5cd4d253d1ce81b2e585f7059747

SHA256
93c967c9750e4cf73a660ec8ca1651eb64e354aa66c66828cf3d3fbf15f74643

SHA512
be65e979531c5f41a79fc8416dbd17ed228ebc3feba22ece63def5d6e652360beaa640484107811da745b24af53b29e59591076b37617e2e8d6ff7290fed3014

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6826cc5c0d874f3ead26fcb7f20fc246.lnk

Filesize
1KB

MD5
2e8190a836b17ec6345bc4531fb3b7d0

SHA1
ab4302b51f2efab32762b8d464a2c582ef9d2535

SHA256
b5c18e34822ccd5d11baa376b7d65af367c327b6fc604580f7f47a68e2c38f96

SHA512
fe161a0253e915f5b0e4207e539ce05ab97418c63c2e29448fc804438605673b6e6615d3185bea227b78bfd254ca3b594acf765fc93e59d2909d7146ae0ee8cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6e22474e3ced400a98ed09a9c2722c0e.lnk

Filesize
1KB

MD5
0e1dafd4908fe1dce6488a138a2a5eb1

SHA1
9204bf6baba1b0a8720c40185b874fbf6dc1e870

SHA256
df92264cf9954c1fd58302456802908b9a1c7cbd22b5a1ae554dd906e08a959d

SHA512
5026ffecf06d1cab52df7b45e82a4696912474dd3259d6c5fe6c906c3606e644870443916e3796aca6e6a6d5a8448ee1f4321208aa0d36d100242705545ad1ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_76a7a39ae6894ebd90300d698c814340.lnk

Filesize
1KB

MD5
86e37f191c5c43855c32bc94a62ef0c4

SHA1
f8fb78f1d70226eba9eca2ff49ce3a042a718b23

SHA256
82f1f38c020f32405ba305af4c9280863a44368200651ea3d5d2e92f69d3681d

SHA512
6e3611db035e59873b16c6538e378f1caf2bfe3cce408bcb3cd11000790d4b6722f76a685befa0f1868b50bb02b95986e85ddfb4a642979733b38d27ba68a8de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_77881f00b5a9490c998c7afc43e9c370.lnk

Filesize
1KB

MD5
c7e2007e5e6531ddae98192a6c105084

SHA1
702216abee28d42a2089aedb19759cbaded90bf6

SHA256
df7aefb84e67b0860d550daf43027fb9cf8fa7e2b2f4799f1739acd9e51f30bc

SHA512
b63d17b9fe9c6e95751f8cedf6becb6c5d75bb6de236ffdb38dedcdc03b786abd66ed1f98ca6cd33576198f73b6d93eb4a0cf8cbab4de72818ae5f3cccb419bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7e27aaa155194e58b951fbb9cb77b565.lnk

Filesize
1KB

MD5
2ad2646cda0c5a28a010031690070a1a

SHA1
bc0dda7ec398c5fec4d31dc08e0bbb06fa6bcf2a

SHA256
0dff971ba56f622507fabecdaa291f98360568b563ad299f0ff3bf776fc6942c

SHA512
1abf3526f842b5d656f2ca011dc26a1e67dc86e8f83bde4b5ce9c83789875182679650e31f664c3fed3d28b85a25c4fe4413a8fdb2b9c976efe1031a88a63a7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7f53823907024cb2a4042147c4f6a23c.lnk

Filesize
1KB

MD5
14885536eef904852ca674e21fc480b7

SHA1
98c422b98a5c1a1dbbedb6f04390ab43fbad3ebb

SHA256
22fe688feaa0ac24a0e67c8f16e84aee2f68b5d84c25a8f6d8a506460ffae83f

SHA512
86659c7a234c0bc18d78c969c2f0fd4d5f46b4edba2416d655d20e2d4fa871b30ebee98cc822056731e8adff3c6cf09a2fe33b009e15912a329e2661cd0ed9ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_86f09790f0fd49f6b6bc590f71da464d.lnk

Filesize
1KB

MD5
c0de300fe84edaf0480914b2948edfb3

SHA1
220f4dc6b22b65c5d2409f9db0088b660670b070

SHA256
cfd7cd6cf8d49f110950395c41dffbd0093274c9a6e7f5d92a9e78d2db47979c

SHA512
7f03ef0e7ef612b22d842b0ee15d66ce85b201fb7225acbd229331de3094a1bd3c78f64044c5311ed58bd7c539eff799afe6fc708ae45d002cc691420d3d88f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8f4c187b8dad4697a39f0ffbdb2a62ae.lnk

Filesize
1KB

MD5
88e5b910223260aa053d4156abf18592

SHA1
af68e4028367e9179fa681b79f4b01d63c64dec1

SHA256
5494f6e1563fa2d5cae0c0141a3f179682644c4713b7179b328610705da5fb54

SHA512
00cc3619d9b27b3a12ffef6cbaede319c0a00a997564aae84c68ea68421ce715c5067601d0b8d19e09e88304ed8a5b4bc8491186f85c8e48da627aedaf6584ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9514984f5d45479eb9ef56992529e5fe.lnk

Filesize
1KB

MD5
b231604da147afe9e5c508a2b53e6ba5

SHA1
ad9b7baab134cae563c96770d62ec9496b570312

SHA256
b7e2cb67fa36a0355ad91f513b68e973fdebb17e39e225101b1439178a4bb3b1

SHA512
c1a760132d77f70df292f1ceaf1831922754665629a5f24c0fafc2108df11ac6da9f12a244276c8a54f2dd525b3967eef6dcbf74c783a79c0c2aeee291fc5b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9a5399f4d31847558ee71a02e3a2fa09.lnk

Filesize
1KB

MD5
f6fc1269ee52d75d31ef15c58fa4b7c4

SHA1
df5eb90902c10c0f429e26fbf25914e6b25f7c01

SHA256
8f20df395a3d26e6c71cbfe276f0cd885452b78d584ac358b33cd0559aeeb717

SHA512
2b9d86ec509d7b95c6b29e4c39a479bc3a83a124da91827ec74614c63161d2cbcbf1c683a8015d848b4601951844c57234afca9ebab5786783cdba7ca420255b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9d48e6b5d93447cd8b15d608c8c52dbd.lnk

Filesize
1KB

MD5
8d5d852448164046148925d644bc3d30

SHA1
eaf4ea875ebacc9463294b9ed8f7fe9546b04d83

SHA256
4efdf76811658b006ad4f73ee46b248599860a6474f2f71a1320f18bd525853a

SHA512
0beef4a5b6faaa5c9ac1592e8fd77f4aaeed05aba2559b8d2c6e14edcacbffc3eab8d5029007775c01211b3a7fee899cc5b6288f3b1daa5edec05c6e30833dca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a6dc5702704d4f8284a55fd014546add.lnk

Filesize
1KB

MD5
f9f30831e0cae5cab9dfd15b5bcbd9f8

SHA1
d9061d34965e8120d7c6feaa841031f741841cf5

SHA256
2ee7e569f039ca92974d55421265b45a6fecb7c16b0b703b85748ac0f0ecc76e

SHA512
1c7715eb428f2d23de4117268995dc23dd73e460585ce8ab45499fc51cb9412aa3febf7f5436e26da349c81bbc2763cd04f7146a889700cde2c847244d01c013

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ad91a4be83704b5c87fead957e74cf02.lnk

Filesize
1KB

MD5
974c43d9c2acfee3db35ad2b9dfd7544

SHA1
185758b4680d51c11c52833eded77e67d28cd1e4

SHA256
e47e4ec0a30e99d1cb5378c0044b177adf6746107cf57a67b5ad2fa741dfef48

SHA512
4de0193adf85464d77100b7d1d3cac9fc94c4006bc6bfc603a840479dd877b620c249708c53c1de5c502e3fc72a0914eecb30ca376f4582ecf07145e68b8bc7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d53041ef55da474fbdf5d9efe9cde388.lnk

Filesize
1KB

MD5
d98892e9db83b47406f9d2579801b6d3

SHA1
3628e219bcd9447bca479cc355007bbdf74d24f8

SHA256
335367ac5cd0966c1e75e8e96ebb46e3deaa82f9f01aa7b9741e162a413c4195

SHA512
4cb6778b3e666cecd56cc7ca11dd1b6050ea0ca9d25d61385d11b9bdc45298369b6476912267edcb081850e7b701ff44a01970e981fba401ab64e75053614e08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e3c418669f304a729303ba7595db21e4.lnk

Filesize
1KB

MD5
926b3ae0a9da8e4491c3fd9097710693

SHA1
5a4ffd9cb3324694fe31463ae1d87257eab52e7a

SHA256
b117aceb937c67f50b336e5608e80635f6c5596d8aeac1566a88b04887cee1e6

SHA512
8ae30b542a34af22086cb2b76eb73a3ec39529b423efc0d04b36f4309bd17bc8b784b5b318c8cfd9786c54908dbf590a7dddb888f8ea1973a21f126c62314675

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f2a5a2a66c344832b2e0b757f7f60d8b.lnk

Filesize
1KB

MD5
0a8d6e025d206116e882ce1cde86ef17

SHA1
05b823eb93bf501d04182e9022ca931517bc4d9d

SHA256
7c2530943198d85e7b5d85352266e2c9ede2a7d10c57aa499a7b34710ca1362b

SHA512
b3347a3724ac03d46543df28529e6bb4b60724e4627d92a35f8a0394bed88edc8ad0b260e1799e70792a9e9671ada596e80535971869c7844be9929e39ff0c04

Download Submit
memory/624-120-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/624-119-0x0000000000040000-0x00000000000EA000-memory.dmp

Filesize
680KB

Download
memory/812-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/812-7-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/812-1-0x0000000000390000-0x00000000003C8000-memory.dmp

Filesize
224KB

Download
memory/812-95-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1156-89-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1156-92-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1156-96-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2772-104-0x0000000000410000-0x0000000000478000-memory.dmp

Filesize
416KB

Download
memory/3024-9-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3024-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3024-8-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3024-100-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3024-6-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3024-123-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3044-520-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3552-108-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-438-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-430-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-403-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-393-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-326-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-313-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-297-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-288-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-274-0x000000001FEA0000-0x00000000200FF000-memory.dmp

Filesize
2.4MB

Download
memory/3552-265-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-255-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-106-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3552-110-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3924-97-0x0000000072F50000-0x0000000073700000-memory.dmp

Filesize
7.7MB

Download
memory/3924-94-0x0000000072F50000-0x0000000073700000-memory.dmp

Filesize
7.7MB

Download
memory/3924-87-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/3924-86-0x0000000072F5E000-0x0000000072F5F000-memory.dmp

Filesize
4KB

Download