stealc | f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe
Size

197KB
MD5

8f51409e0119d80da56d1bcddbe960b7
SHA1

5ddf8d0198b0646472038f887caaee50f35f4f2e
SHA256

f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d
SHA512

bafc8becd7958405e3d6ec195483d2e20bd6eb52a89845ad9fcc0351d54525d03599f66bdf0440f421e25f1ad482a2bc85eb017d8239b7525944be908af391d1
SSDEEP

3072:yrsR+CX0WGYN8vWneNvsR4cByR28jzzlpcJO9hVpfCV0MY7QxFJn2IK:wsP0WGY7jR4ccfe0P7qJ2

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/2140-94-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-98-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-96-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-186-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-196-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-244-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-253-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-270-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-292-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-382-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-389-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-430-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2140-439-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	IDSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RoamingGDGHIDBKJE.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8a8b21663c7c47608f258ad1c7dd92c5.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7bdc5d039d8143d7b5016c2276ee8d5a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_39751a1a2c994f6ba38815b632c9f152.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6327baacc70f4ff1b143c963268affae.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a856e791cbdd4346b3a06583ba26429f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f2d82a72606a4d639ebf919baafe10b7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d01dc989758a4353a750682c09006dc9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_28e4119aaf5c475e8abde3642f9b4e22.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1aaf89a8adee474786e75be610e14479.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_bff5b1de19df4a9fa236a6c427d8117d.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4232012f7e3b4eab8cab1d9a2e34ed28.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_22987a0b20344c3ca87e7be321abce4b.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5a41b2069066442486007b5a72fa763c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3fa44b9eb3624ecd8680f6dfdedd9899.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_797c31ea79604ae0b9cf12f9396463d9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a9f9ece704ec468c8ae49a35920282c9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c71d34620901492fb88910958f33314a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_93cd17553ad44685a74a4382450fc718.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_724a9b3c4abe4f06be28b8fe752563bb.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f23838c0101e4286b5b1ad16e4873374.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1767c0eadc3a4f1ca978325d2d7e5de9.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_66e3ee1076a64f2fb106bdcf4d851d05.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e6f0bff143ae4f418eb355c48f3ea54f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_977440d3fe834ebaa5f7f6c137e81eac.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f589669559d14f9ab89ceca96a9db781.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d830c8a077c744a09016653ebad5a385.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ac3e7276a12345ad94ca5b9ae293fd59.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1d9bb3eb537646c99dbc9b6d0fc25839.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_24f66194eb994b81b81aa694201efeb7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_306b6e5271a24732a35e63d0ba8a146c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b5f63644f3464b409d19a5f3b26b3000.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_061a6e603e01427d92d392f9a3cd9eca.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_62c22959ad03453097db514d52bc1a2c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1ec4ab75125a47f59d42ef294309f348.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fc42a5c004224ee0940669744642a7d3.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_219d365d0b274bfabd1004116a05d1e2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_490ea76c36f3482e80e6c0d28238b178.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4ea70ffb3f524986adb31840bf70a72c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6f31691992544a719ae6356cc3ff55fa.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_05a81f487f354314a2cdad5ec47f4a6f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3efd90785575481285844515efc7fdc7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_18a2890054914d06a721081110553185.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4710d426eb5e4b4e8c31acb1bf715c40.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6e96195bf45a47909c16d996f90d9765.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3df4387f12314c06a696863ced6d8a68.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ee0294b932b046fa885d6fcce8a5bee4.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_388c8a6913434ac28f55ba80c7152fc2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e08111bb0f534a82b8d626363373a452.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_434685cf32c04e488bcbbaa2868261aa.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d15fc7233e1a4839a526fd35e1a943b8.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e783d47322df464d9b6a0b3a078e6005.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_62eae13978ac4cf2b6fb4f72ae023c82.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ce0eace6aff04e47830bbc5e2d1939d0.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_70bcfbf299004c68a2315ca568590880.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_bd95616c3e9442b78bd38231c71f5217.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_aa697daeead24f7eb20993ef93281a80.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_cfb24e77ce734cebadea35497256da09.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f7a84bd47b50466abe9fb88addfd3ede.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_861ca47c099f4c85a9bbafeb988a2b0c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b973b9b9e5454f4ab67b5f2a2f13b00a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_50424b97832a449d89a3cbc0bf46d754.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f15abc14f6ce4c36922e3e188b2377ab.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9e3df7cb44b04c21ae9ec55d9c62b879.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f31ce2a194ab47bd9d72f7c966c9dfe1.lnk	IDSM.exe

Executes dropped EXE 5 IoCs

pid	Process
1488	AdminGCGHIIDHCG.exe
1652	RoamingGDGHIDBKJE.exe
2540	IDSM.exe
412	MSDNG.exe
4944	CFCBAAEBKE.exe

Loads dropped DLL 4 IoCs

pid	Process
3532	RegAsm.exe
3532	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0a9f3c613bfd412e821eb5c8a4a6e01b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_68451c2231c94d31a16327e206a5dec7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ef8297dceafb4cde8f18552eb1263478 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2b2726ba7b6143a98ed7c2471fe6d1f3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_71339e1b06084e47a7fd098eec101d76 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_05fc4462f62e4f98be4fb7720e251423 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_95bccbee00c9416aa16723941ea65f16 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_07e1c829650f4fd3888bdb9506035f74 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2b20055fddbc4874bc4468010ef90baf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_22952883c9f34da5ae83887b426692b6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_aa68e16604ee4d3aa63be7b7b3092ded = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_dbd86e6343ff4466b7d281d35162bc03 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5c8effc0f0594c6fbaea88b99ddaf83c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_18da80f5ebc6455daa7a3bcc8628c4ca = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0e7ab4f2195e480395f044e5a4861e9e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_8dec203a02b94bde9563aceb26c41591 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e000324e958b40178e918387ac39e16b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_337f4c6a132247ac9ed2a0d2380a88cc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5490627160594dee921ea73ca90f81ed = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_573d481023894c7dad5c63be7ba83385 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3c53439b1d0a43f7a96fd1d82a7a9d30 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ebfe706d81f948fd9fda12a41b38c013 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_938f4acfab564c6f85dc985b77d5e42f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b2be7cacf31c461b911a3fe9a8c88b4f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0375bb0235c449298a28ba8a9dbb4925 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0d1fb60c3f734d3daa91b20cd99ebcc0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_06eef12a5e5742e38fe7e03dcce31cd3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_af34339f0d374ebfb5e3f2f2350e3768 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_fcda81cc742044b78adbe11f3d9ca6c8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_289d0f6a610844af8ac8c231d2587143 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_801545dbe3f84f1283cc34aa8542f196 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9507e4666dbd4f84b56d236348041cc3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	CFCBAAEBKE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0a7a0d96f5d548da8be5008a59720748 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_33f49038678b4f8bacef483d0a7755e4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_907fd2351a0849adba8992d3bf4f9452 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a640efff6b34453083b76da1fafb4f67 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e3d991ecf4e14a3da651fe21677c68e8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_281d23df0a8440199112ca5350db18bc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_1dc66a0ed302446790b81394c128b07e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_259dddf3deb04ed0891720018f3c8369 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_aede4855574846239b7a8c23c4d1082f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0afcd6be66844714987bb6970753e856 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_782c3a5c07364b838ca90090bc77e8bd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ce436b7d70cc4deb814937b52f149839 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_8eb8d36219a04bfeb20fcc736658c79e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_caf98f9de6404a3285c27689acd3c23f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_637b1f3dad294f38b4485a5d2106e0d9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a9774fe691a445d38f29b7a448ed11e1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d595b8dc980f42818ab38813b063a3ac = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7bbecd21f524455fabe86155ab906bda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6758198f46814832bc719ff00a766ff5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_55e0fe3e476a406381250ebe16dd0d4f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_14776c6e4a49441aa32bfb1123afa0fe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_344f11979bbf4b469cc5f8684c79b162 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d9da3cfc1f2e446f8aff68e982678f49 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d51a648547c44759a3d6fe5647a291e1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c6bc195f2f1d42e792a8aa7596db5468 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7f1b450b91534e9f99528cb811be3d13 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ea09b74a24094b9fa47226cb197e46db = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_911cdabaf33241ceba7bf38da1789abe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9a219f37aad54e278fa155d808e6d5fe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_1f48f56f09924047a3146552b905e7f9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a1066aa4f045405d86c2ee20e9c5fe63 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c7fca684d26e4039a4155327f6907500 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 1488 set thread context of 2140	1488	AdminGCGHIIDHCG.exe	100

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDSM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSDNG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingGDGHIDBKJE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CFCBAAEBKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminGCGHIIDHCG.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2116	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	RegAsm.exe
3532	RegAsm.exe
3532	RegAsm.exe
3532	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
412	MSDNG.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
412	MSDNG.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
412	MSDNG.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2140	RegAsm.exe
2140	RegAsm.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
412	MSDNG.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
412	MSDNG.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
2540	IDSM.exe
412	MSDNG.exe
2540	IDSM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	IDSM.exe
Token: SeDebugPrivilege	412	MSDNG.exe
Token: SeDebugPrivilege	4944	CFCBAAEBKE.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 2040 wrote to memory of 3532	2040	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 3532 wrote to memory of 3580	3532	RegAsm.exe	93
PID 3532 wrote to memory of 3580	3532	RegAsm.exe	93
PID 3532 wrote to memory of 3580	3532	RegAsm.exe	93
PID 3532 wrote to memory of 768	3532	RegAsm.exe	95
PID 3532 wrote to memory of 768	3532	RegAsm.exe	95
PID 3532 wrote to memory of 768	3532	RegAsm.exe	95
PID 768 wrote to memory of 1488	768	cmd.exe	97
PID 768 wrote to memory of 1488	768	cmd.exe	97
PID 768 wrote to memory of 1488	768	cmd.exe	97
PID 1488 wrote to memory of 4472	1488	AdminGCGHIIDHCG.exe	99
PID 1488 wrote to memory of 4472	1488	AdminGCGHIIDHCG.exe	99
PID 1488 wrote to memory of 4472	1488	AdminGCGHIIDHCG.exe	99
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 1488 wrote to memory of 2140	1488	AdminGCGHIIDHCG.exe	100
PID 3532 wrote to memory of 2636	3532	RegAsm.exe	101
PID 3532 wrote to memory of 2636	3532	RegAsm.exe	101
PID 3532 wrote to memory of 2636	3532	RegAsm.exe	101
PID 2636 wrote to memory of 1652	2636	cmd.exe	103
PID 2636 wrote to memory of 1652	2636	cmd.exe	103
PID 2636 wrote to memory of 1652	2636	cmd.exe	103
PID 1652 wrote to memory of 2540	1652	RoamingGDGHIDBKJE.exe	104
PID 1652 wrote to memory of 2540	1652	RoamingGDGHIDBKJE.exe	104
PID 1652 wrote to memory of 2540	1652	RoamingGDGHIDBKJE.exe	104
PID 2540 wrote to memory of 412	2540	IDSM.exe	105
PID 2540 wrote to memory of 412	2540	IDSM.exe	105
PID 2540 wrote to memory of 412	2540	IDSM.exe	105
PID 2140 wrote to memory of 4944	2140	RegAsm.exe	107
PID 2140 wrote to memory of 4944	2140	RegAsm.exe	107
PID 2140 wrote to memory of 4944	2140	RegAsm.exe	107
PID 2140 wrote to memory of 2308	2140	RegAsm.exe	109
PID 2140 wrote to memory of 2308	2140	RegAsm.exe	109
PID 2140 wrote to memory of 2308	2140	RegAsm.exe	109
PID 2308 wrote to memory of 2116	2308	cmd.exe	111
PID 2308 wrote to memory of 2116	2308	cmd.exe	111
PID 2308 wrote to memory of 2116	2308	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe
"C:\Users\Admin\AppData\Local\Temp\f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIJJDGDHDG.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGCGHIIDHCG.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\AdminGCGHIIDHCG.exe
      "C:\Users\AdminGCGHIIDHCG.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4472
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\ProgramData\CFCBAAEBKE.exe
        
        "C:\ProgramData\CFCBAAEBKE.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGDGCFBAEGDH" & exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingGDGHIDBKJE.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\RoamingGDGHIDBKJE.exe
      "C:\Users\Admin\AppData\RoamingGDGHIDBKJE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CGDGCFBAEGDH\FCAAAA

Filesize
114KB

MD5
f0b6304b7b1d85d077205e5df561164a

SHA1
186d8f4596689a9a614cf47fc85f90f0b8704ffe

SHA256
c3aa800492bc1e5ff4717db8c82d1f3772b24579cde51058bdd73a9cc9822dc7

SHA512
d672ea182ddf56a331d3209dcf7b9af8c3ffad0b787b224fe9e3e4c80205e474a66914358fa253c170c85a8366da2f2c3aa9d42e1f6f3291a9e6bdd9ba51fb0a

Download Submit
C:\ProgramData\CGDGCFBAEGDH\GCAEHD

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\CGDGCFBAEGDH\JJDBGD

Filesize
11KB

MD5
2762528884c7c063994166752625e130

SHA1
579de7cf3eaa8552faafeb0304bd567d027f02e7

SHA256
121218ec29eaf7448261b752aedbf6223cd21bb740ea77d52f759b806551117d

SHA512
2011a8f52b7dda9d36d6c3ddfade5e1d9e4daf6b76335ebfcd751d91533fa3e0f2307142c72e3fb7911031bdd4a71bff205c899da53c1854143330198741d561

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminGCGHIIDHCG.exe

Filesize
403KB

MD5
82b844c817b508a93001bf5d7a92a16f

SHA1
9449fee27dee665a7ed7d144fa206889f721c87d

SHA256
7e31e78341d27bb711e8ac8b6867bab2f113830b6a57caea5b26f4a0771ec71f

SHA512
7807a0e983b1f9cdcaddc47dba93d293af2b34ff10a45d12368ae38e400d9218f0c62c5ba50f8dffe5ed4f22318080fd919edda885315cee21b338048caf3ce2

Download Submit
C:\Users\AdminHIJJDGDHDG.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\RoamingGDGHIDBKJE.exe

Filesize
410KB

MD5
85a11b316f726fa24547c289aa61092e

SHA1
b2e79c0f56b03f4213bab0b62190666e78940b82

SHA256
5864b9c1714f615fa1fa40f60b9e14cfb534ec217e9e4a013fa5959217adabe8

SHA512
4adf0998b395e502ee2d2e3ac9e58b64a537cd82a827175866522d642ec406c704665912e228f2f3e04a69d7b716da5801553dc71991f7ceac3c3b7444f13038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_056aec9b3f824d26b62251dbb2ec866a.lnk

Filesize
1KB

MD5
ff87778967314a8a90ebfdc735bf4425

SHA1
0e8a20ac37e46a741e65f1bbb3e3a0bf6c8e3d68

SHA256
9944055947756fe6ad1798b0a7c702c32adf57d22c4ed1402e178d037a89b020

SHA512
f5bca8bf37a41caec82a667df8c8d05f98e089cb9dd515428e48c1a600d65a45d46119a96e29cfb60a8f69914fb1edad7b9c5acb3aaae4d87bc67f29f48144c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1d9bb3eb537646c99dbc9b6d0fc25839.lnk

Filesize
1KB

MD5
8e38fda571298dbe1971973fd9ddc28f

SHA1
f8dd988914cf67fead5efe39f39326592c02f526

SHA256
5070f08e24741e862bb1eb655323cc06a28348538bc336750810bd92390e633b

SHA512
a9ff5ae296eb1426babc2a921b3e441d041f257db22b3f9d8671247f69989519243c4a406fbcb4df808a1b68808aeea74d48e5720653c7e73e86d94da37f2634

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1fbf8e3b4d254bebb1a644f5d106a2fd.lnk

Filesize
1KB

MD5
2d252b33f154a83da53bc7b14a418e8a

SHA1
ebc157966cf31e60327a059877fed910ea9d5301

SHA256
507ce64c63b6637040ec4e2d0a3e7fc0e3e1c1dd025abf1f8422c41a5eb76cfe

SHA512
86802e3d403ed58bd42a7535a70f8f712481134afeff5c2a42e4d17db19ac29339141cfaf2b1d7fa31c41b58d5c82d6f63b7538ed5659fa497635803c15cb3ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4232012f7e3b4eab8cab1d9a2e34ed28.lnk

Filesize
1KB

MD5
98c6ec32f29899fbdf03658e5631f607

SHA1
672f24c1d3170ed92af42113b4305805b259411b

SHA256
a3a4fb852b61fa29e05d2580e4dbf95b19f9ff3f01648c004bc9273fbb185855

SHA512
ccdc8a9f5a3a9c9ebfcffc74e7033292bb80426e686aca0a838a63574f34b1d1f1ca3beffb804ae605e4f1a3b8c555154537f3a7176c53630e59ed0ebd31deb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4b83ad912a3041ce9f7e67c13721ccd2.lnk

Filesize
1KB

MD5
46ea91b16b7245281a876d64d384f8f9

SHA1
423e1dbad8940dbdb2ebe3598c9e7826b8e80b94

SHA256
47b586ebc9b3d9edc84f56f4cb8f57f2ef74f3b906fd537881973ab18ec73319

SHA512
9ef579ec99b924ffd9b2868cea9e1b77f176e5c586c0be2a2c51c81ed777507b65fde3a6d11efbe6ba4ba78f38ab19b367d3e53e81949b6f66bd31a0e6b672af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4cbb0263c6014d819afe3a71e433b360.lnk

Filesize
1KB

MD5
ae2165408f0ea44c36e28ee8f06fd7de

SHA1
23c2daa0bbb2e0c110fac97f0c7fa9673c323ada

SHA256
84d6d402d3cfa7d66021c0d7350fe1bf3ddb3db3fcec38824255472c214b1d78

SHA512
d6f2121e045fca7e4851d8938cc0ddfb9feb89792518d0b6fd20a2b72ee202e1e567dadbe74016684479d46694e5e8acf89aa5e1b2c9b6efd3da9aa61f157c79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6f994c7a866746fd9e1e867c0151d2b2.lnk

Filesize
1KB

MD5
3ec9149c0e7e84b120d62e7ee8deec7f

SHA1
4b5467ed83f04ffcc4f065628c01114aa5224893

SHA256
5b6285d333be2f96a52eb583d2efdaccd843e15ae565fde59921cb1e32af115d

SHA512
8111ad49c59c043a9d6238ee0dd7a492190fd61261cbf9c7f186ff2a4dcdce9dbfa847c5acdb81f13065f032a97c853e988482e35c7a580eecbeb6a971962093

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7fdf6ca9721d4fceb1f5cac9fae94f01.lnk

Filesize
1KB

MD5
fd07156bfcbd101468e13f27c0b623a6

SHA1
49777b85aa23af5c29276793b767284064784a6a

SHA256
112ec3ed7eb35da90d5ea3801a207f21d1384df7d60f7d4dd93661e785bb56f1

SHA512
f8a10580b12fbb39cac9066fb94cf3eeb9f3fa4dcde76b48c0ab3868deea8e0aa4514c844aaa56265d46dd273a3e6f5406851d35752460af3ab01d1233cabfa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8a9f2899e59e49869320592ec4644257.lnk

Filesize
1KB

MD5
6ebefa02c9a49e11856e607d71a7e527

SHA1
7d322e9390858d36afc542431dce968c365f8db5

SHA256
298d9661c55f4553781ac7f18d22e88c6b5105b2f900a207c3b595c9509ed33a

SHA512
e9db49981b28b6cee6036430fd8965b6881979d69a05649bd5032a0a8f5e1e12a2be57b5d7b5ddd4b7c84b7e9a37aa7961202e3b69b4180a037b9f88e6ca3b48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8eac382471f24ff58757a9e203f28e1b.lnk

Filesize
1KB

MD5
215d3f0e27a2d9c0c9508c1e1239f58e

SHA1
af5fae502743c301cc2a23e7604d2797603330b4

SHA256
4909e41580c5dc5434c852f02034364479b326b3a218cd0f8eadc321a6ece53c

SHA512
eaaf4a190cc8648e7f14738433dc0cb6d2854ab6e02f9ffc880a49cab65087093e85e6e451620e61037d310213ffcc93de4297b9846070129b0d9ac9d67a89bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_951f6c38833643178b52870fa8cb0903.lnk

Filesize
1KB

MD5
c6f2a32d3369171acc382bc762bc06bf

SHA1
d0be9568389b5ea8e1e4b1b0532033ce0a2e5c3e

SHA256
88dfbae2465c0b113b799e097fd396d159f430a956a41769d4718e5bb0e9d05f

SHA512
084abec19ebedca18e2f7163d6fa908916bfc8fd9e1e242ea0c1b08d7d9d5de6e16240c365f0724f580eefbc79823863bae9b405506468ea687fab0485503cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a79f29aff5a54ecebde95960da4e013b.lnk

Filesize
1KB

MD5
c6d20d726fd854bfa3026ae9d1cb6843

SHA1
7b637507c4a2896a9b2dddeb2df2a08cf868f8a4

SHA256
f2ee29117d2ecbda2b407787c47c00d0448013dc11679217b14dc93f85575b41

SHA512
d371b630840a600b23a788153c20a7ef26cacef6dbed742811113b42bc47992bf41069c4aa8f3d7d5e1123d9921fb84d0050fa80a4ca5229e4a06c14b616ca2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a9b558d6c34a43d5998b75c12548e8e5.lnk

Filesize
1KB

MD5
e1c11278970524b3050aad5630722468

SHA1
4c24dec26a6895bffef1773a958a32d316ad1c0e

SHA256
962755ad4286d75cb171687649d7d0b4a72f1e4459b22efd951e58ff7dcabbee

SHA512
0cd9e9c035ca30d26ecf059f9dcf2fe4736e09f4b893cd023f7bc44732cd73cd27afb2e23fdb672ddacd29b17fcfea2ea01952dba16f5e42093733ccf2c9137a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ceb9cdeb8fe14bfd836ab597fd404173.lnk

Filesize
1KB

MD5
790131b2f50dcc6d1d0e0b4e35906480

SHA1
96be95f297572f1e9e3e93994a1579916a3ebc4b

SHA256
dc1d92e7412173f3cf07d1b5f9349d6018c72cf6cd2a2a0197863083bc162081

SHA512
c7b1b13b206b75abbf2e6029f9f3b4708eea92f86dbbc5883065d05d3d3f3d41d61bbf906322991b0f29b0d8fbb776b281edf8224b07fa684c9e3edd4dc750ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_da805702795e4d2fbe2f808a0ad41ffc.lnk

Filesize
1KB

MD5
2deab861047fb485c23f11833d1e370e

SHA1
e4de14371464dbd8c58a7df034c2ffddfcbeac0e

SHA256
6a9967b9a8e27209ea6df56caa8e178b5486ff1f0975fe425902c5defd8f8f26

SHA512
26873d92571256a09151c84df3df56e27974786491ef3e6fca6c24d9d6845558e0fa04f6badcfd9605063fd80e3d8a184adf6bc7f3a03cec3c1cf70090223296

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dea296e7e31140f19123f2b5d48255e3.lnk

Filesize
1KB

MD5
56867f59567bcd9e28306ef1c88d4dfd

SHA1
97c60276b8349254ad07eeea4f440ed61572f722

SHA256
5277e86d08d47cf38321c5ddc6f50bd7dbbbb7d3caa16d980a84f7201f4e48ea

SHA512
43a2b706672e491c6c2cf6626597e785003ecb12e65b84918af8ba4ce09f5e54560c46b1a114c190fd8d11aa36e7db71ee40bb91be1c4d37c5d03f440cc85ec5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f43f8785dc414588a47fd424475871cd.lnk

Filesize
1KB

MD5
8e03959f12d1b3ca4f65d46568854ba2

SHA1
ac241f7348d16274816aa2455f15dd7c78f3f4ae

SHA256
0b5f2811c2039cbdf44d7bd72d5d19b2cc0de00cc57d851741b23eed7e16cb03

SHA512
7300d97de4f9c4bf37a565d701f91e6a14ab9c67bc54f258344426a83128224050aa52f3bc45e598108b22702226cf9b70db5d8fbdbd8308f51aee1f2bbfc14a

Download Submit
memory/1488-92-0x00000000003D0000-0x0000000000438000-memory.dmp

Filesize
416KB

Download
memory/1488-91-0x0000000072F9E000-0x0000000072F9F000-memory.dmp

Filesize
4KB

Download
memory/1652-114-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1652-113-0x00000000007A0000-0x000000000084A000-memory.dmp

Filesize
680KB

Download
memory/2040-1-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2040-7-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/2040-9-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/2040-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp

Filesize
4KB

Download
memory/2140-244-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-94-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-439-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-186-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-96-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-292-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-196-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-253-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-230-0x0000000022920000-0x0000000022B7F000-memory.dmp

Filesize
2.4MB

Download
memory/2140-430-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-389-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-270-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-98-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2140-382-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3532-10-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3532-11-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3532-8-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3532-6-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3532-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3532-115-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download