stealc | f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe
Size

197KB
MD5

8f51409e0119d80da56d1bcddbe960b7
SHA1

5ddf8d0198b0646472038f887caaee50f35f4f2e
SHA256

f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d
SHA512

bafc8becd7958405e3d6ec195483d2e20bd6eb52a89845ad9fcc0351d54525d03599f66bdf0440f421e25f1ad482a2bc85eb017d8239b7525944be908af391d1
SSDEEP

3072:yrsR+CX0WGYN8vWneNvsR4cByR28jzzlpcJO9hVpfCV0MY7QxFJn2IK:wsP0WGY7jR4ccfe0P7qJ2

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/5016-119-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-123-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-121-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-198-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-211-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-236-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-249-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-265-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-276-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-358-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-367-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-394-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/5016-403-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	RoamingCGCFCFBKFC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	IDSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e9e26462a8194895bb4e153d7ca0a1a1.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ba8dbc2991db41ce93dce90e454db061.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1f80db9a956d4953bf7947dcd48758a2.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1483b172bcb94bc5ab1fcc03644124a8.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_23273f3b8adf47809da131ba6402e959.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_61c5d4fe3ce34cd794276019789468d0.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_292e09bb601040b0bff50506b6e98fbd.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_de1b740924f446d88e624334cc952c90.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_31073f52c66f47238b44f6bacfb63c41.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_29f10bc26dbd44eb964732907f473254.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_cb3aac062b54456ab887fcd2bba1b8c3.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_44b91921f2fd4081b2749f8e2d796e3b.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8d999dbf3f6549ca8c05bccb4c21fd89.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a8674d7161494cc1af13cc92b1ba9737.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c6646aed1c7d4d3d97db80d2e23afdd3.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d234735ecce84f3599ee6283b8ba4aba.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_eeb48a92c80b4497958a2240720cf71a.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1828a948af9141529646c39db3f3b266.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b225203f53c94475955ddebf7326e855.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ea16e89c3a7345a885c4f5862afbea30.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_868b9c86e0de4432b6c1138bb1d3c815.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8a297e5d3aeb4a0da31732ebe66018ca.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ea0d372a731344819c904c5e868c593a.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3dcf5d4d426044569bbada4d2db2f027.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_129b224936f441e3b47a87853c0298da.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_404270c089994efa9c2de867e1cfe4d0.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0bcfd62f99ff43d79232108236188609.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c968383dd7284204b596f685a6b5dcd6.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e46adcc41763460bb727c4b2dcf0c20b.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8636031c14cd458f955ee7cbfffaaaed.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c788e2972d8d4f9780a9d6477314c4ba.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_64ca2d52b8eb4266a59999598f883749.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_08cf195bf0b840d4b4acc391e1c18e20.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ca84a2cdd46141d48f79433e44d95819.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ec5aa7093a334e0b916b912b7431528d.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_61893ebb6c744237aac7234b43803ef1.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b6bf92024a2d4ecb83865d6faf8026bc.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_bf09ca5b8cd74801affd5effb8619e21.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_cacab2bcfcab4e35a0b63ccfa9c676de.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_bc3672822aad4f489951a686ce8aec34.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5d659acbfca0458793babcf5024ce4de.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5b1c21e2394d47ff843796da84e04846.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ee2826ce388d431b9b2b864253ff6015.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2a2a9ba0782647288e1d49ee62acbe4b.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2a9e6d7f65054483b3b4d9a0386e5805.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6c2a1c06ceb94888a8bc5d1304386209.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7e22d722718d4369921ff33a1c47eee1.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7244748f294345669bad4a477f8e225a.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6b473abb3b7248de808c32f90f424529.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9ed4410a439140c4af10f0425a66e6de.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2e651b2d55df4704a2b2ea2106958d29.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1ae9d0c125c64e0d8a760db4cf97f8d5.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f606780caa9f4984a31bfae9fd501de2.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ee0b4b0a38b7456e8dff0d833a902c27.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4097ad5a70c245c08d8fa7d09031bd00.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_18f82f8052fd4292be336c4afda5efba.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_cf3611e8d68f479085d4dc3a446c4831.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_962906f3f1e641c3959c3a493d8844d8.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1ecfec3c72c94cc0881451b48d15a57b.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dd38f0ddf9694f9faa8fceb1fe31b190.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_e1b0fba4114040c3aacef82eeefede84.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c70f6d566b1649198840ed248a282c24.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_591f3392bcc24f9890fed42291c326e4.lnk	FIECBFIDGD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8378c6d1c396421880dc436351d53b8e.lnk	FIECBFIDGD.exe

Executes dropped EXE 5 IoCs

pid	Process
2520	AdminDHIECGCAEB.exe
1628	RoamingCGCFCFBKFC.exe
4176	IDSM.exe
728	MSDNG.exe
316	FIECBFIDGD.exe

Loads dropped DLL 4 IoCs

pid	Process
2152	RegAsm.exe
2152	RegAsm.exe
5016	RegAsm.exe
5016	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_8e7172b2327a4afd978368e33b40e687 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a19551d52b1b4be9b19b521b20547bae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7e2d332813674eb993ca7905d28f397a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_92ef4be2e87a4542bf6dcaac994e66da = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_45d24ea89bde402093d7de70a06557ed = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9d878a03ef224cdabed82c5700947ab1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_00a08011c9e349c69f452cafaa292879 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d66c643a558f432797db2757a77b9c76 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_40d6a12d2dac4cf4a412a7afc793a8d5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c88c7967cb764e6e941a676d373f0d55 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_78836d1d68394a74acf96afd124e228e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d2d5fc3f8e5a4b87aeaae56a7e1cfca4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3e18ba6bc5b6459baef533705efeaa0c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_72d3112409d34a5799601d6e95be74d3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a05893d159f54930a41f251f0c950427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2be13308402945d9854ffe028bb2b617 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_fe065d9bf1d54f6da7f2fe6900887307 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f744eab10c534ce698da7caef8e64988 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5f51aac4a9f64bcfb2cf5e6e138cd014 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_21cbc2e9427249cb804d73082c0430d3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_52123707e9dc46ac8496aa3ac8e576fd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5b64ca322ea646dda4bd3155fa60aba9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_adeffaf2562448e5afaa66dd3cd510ad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_55a324a648f247d4b94b89cefcbb116b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3a61a6459f8246e083d521abd8f705d5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ae29a160bd3a46f0a6f42216924e63f1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_93a54aaa27aa4be7865d7c5962427f88 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7136a0ecf8a648ecadff739e485cc95f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7e2c0d97cdd843f7a488e624f363c46b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_4019188ac37c464394355c78842463ed = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_71971bc225014b87af7ff4aa3050ad3b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_84ff3dfc85094b59b8a1b0cc459e456f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_4a40ff45a846483a9115235f296c8287 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_206db5fae67e44848128a28584474372 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2acdcf3a9e6c41718f7f020f41ad3069 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d4ee07df0ee64c7683970193b4718d95 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e73ef6b8ba914627ab6506ad8f68b8ff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5da03b45cb5b43e888a3e5d55ccb3e72 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ad30755857da47898ba003812f67ba85 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5f8d812c2882499ea11f19df9b77be3a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5b78da0fa5c74532842400f05bf1e297 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_51e9ec33ea30434085e0a90484ce6282 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c4ba6c01bc8e4217bf2de1bc15ce63c4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_871d440f338549b99af86a9270c377cc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a9bf8ff51a724e15a4b7c2fe925dc973 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_00efece09f974504b29c599781de2958 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b73039f056054d7bba0d74543bf37f92 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a6fe5d27878d4662b831c0b6874d1f7b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3fc174bb8a464166b4efc1ba904b5173 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_701986bf96ab48f69736da9842ab8d1f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6ff94a82044147059b53fdec135f5b9c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e48411a7908d428982bc0bee8af184ed = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b177ae5a14a04f5e8adbda1d58614361 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2b2cc70858f44943a6aee956a01f2fdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_4522894f1b184f3a805a0d171f28d9d6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_d7f827a009074d5dadec0d9f316a3822 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f8ae75b2a8484ff881bbf41baf4334fb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f40e3c87bb5f41b3bd362cd816244306 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_374f24ad1185466a99ea3f6cc2fef1ac = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c99b7098d9a543fd8550a86c6beca961 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_dd15e159d0934f74a6ade716e5d5cffc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e648c067827f41b2ac0c9e47df714baa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a3c0cd0de7e94b78bc9d5fc032c5b507 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f32941bc55f647059d84ed6237029de5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FIECBFIDGD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3904 set thread context of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 2520 set thread context of 5016	2520	AdminDHIECGCAEB.exe	103

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSDNG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FIECBFIDGD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminDHIECGCAEB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingCGCFCFBKFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDSM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
872	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	RegAsm.exe
2152	RegAsm.exe
2152	RegAsm.exe
2152	RegAsm.exe
5016	RegAsm.exe
5016	RegAsm.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
728	MSDNG.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
728	MSDNG.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
728	MSDNG.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
728	MSDNG.exe
4176	IDSM.exe
5016	RegAsm.exe
5016	RegAsm.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
728	MSDNG.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
4176	IDSM.exe
728	MSDNG.exe
4176	IDSM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	IDSM.exe
Token: SeDebugPrivilege	728	MSDNG.exe
Token: SeDebugPrivilege	316	FIECBFIDGD.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 736	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 3904 wrote to memory of 736	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 3904 wrote to memory of 736	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	83
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 3904 wrote to memory of 2152	3904	f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe	84
PID 2152 wrote to memory of 4128	2152	RegAsm.exe	90
PID 2152 wrote to memory of 4128	2152	RegAsm.exe	90
PID 2152 wrote to memory of 4128	2152	RegAsm.exe	90
PID 2152 wrote to memory of 4160	2152	RegAsm.exe	92
PID 2152 wrote to memory of 4160	2152	RegAsm.exe	92
PID 2152 wrote to memory of 4160	2152	RegAsm.exe	92
PID 4160 wrote to memory of 2520	4160	cmd.exe	94
PID 4160 wrote to memory of 2520	4160	cmd.exe	94
PID 4160 wrote to memory of 2520	4160	cmd.exe	94
PID 2152 wrote to memory of 748	2152	RegAsm.exe	96
PID 2152 wrote to memory of 748	2152	RegAsm.exe	96
PID 2152 wrote to memory of 748	2152	RegAsm.exe	96
PID 748 wrote to memory of 1628	748	cmd.exe	98
PID 748 wrote to memory of 1628	748	cmd.exe	98
PID 748 wrote to memory of 1628	748	cmd.exe	98
PID 1628 wrote to memory of 4176	1628	RoamingCGCFCFBKFC.exe	101
PID 1628 wrote to memory of 4176	1628	RoamingCGCFCFBKFC.exe	101
PID 1628 wrote to memory of 4176	1628	RoamingCGCFCFBKFC.exe	101
PID 2520 wrote to memory of 900	2520	AdminDHIECGCAEB.exe	102
PID 2520 wrote to memory of 900	2520	AdminDHIECGCAEB.exe	102
PID 2520 wrote to memory of 900	2520	AdminDHIECGCAEB.exe	102
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 2520 wrote to memory of 5016	2520	AdminDHIECGCAEB.exe	103
PID 4176 wrote to memory of 728	4176	IDSM.exe	104
PID 4176 wrote to memory of 728	4176	IDSM.exe	104
PID 4176 wrote to memory of 728	4176	IDSM.exe	104
PID 5016 wrote to memory of 316	5016	RegAsm.exe	107
PID 5016 wrote to memory of 316	5016	RegAsm.exe	107
PID 5016 wrote to memory of 316	5016	RegAsm.exe	107
PID 5016 wrote to memory of 2004	5016	RegAsm.exe	109
PID 5016 wrote to memory of 2004	5016	RegAsm.exe	109
PID 5016 wrote to memory of 2004	5016	RegAsm.exe	109
PID 2004 wrote to memory of 872	2004	cmd.exe	111
PID 2004 wrote to memory of 872	2004	cmd.exe	111
PID 2004 wrote to memory of 872	2004	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe
"C:\Users\Admin\AppData\Local\Temp\f7d5e31a90a7a436fb88277e0920c9675b69fa37eee1b97120a27f792ea8ca1d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDAFBGHCAKK.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHIECGCAEB.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\AdminDHIECGCAEB.exe
      "C:\Users\AdminDHIECGCAEB.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:900
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\ProgramData\FIECBFIDGD.exe
        
        "C:\ProgramData\FIECBFIDGD.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAKKEGCAAECA" & exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingCGCFCFBKFC.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Users\Admin\AppData\RoamingCGCFCFBKFC.exe
      "C:\Users\Admin\AppData\RoamingCGCFCFBKFC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BAKKEGCAAECA\CGIDGC

Filesize
11KB

MD5
7d74a5bdd8a50a46192b938970ae4086

SHA1
f223a499f9f46fe9cefc7a7e0c8978760f3ec853

SHA256
c6921a5df447875a330b76ee3a0ef64587c7480934f53d09f773bfa6d80af42d

SHA512
1a2ffb144430b018f9bbfb0b619f6c4278a000bc99425fcb8f63b0edf68f607fec20f771b9aaeac33ec1a7299f6a1a2291d640d97e7aeab3768e8e434f616b0e

Download Submit
C:\ProgramData\BAKKEGCAAECA\DHIECG

Filesize
114KB

MD5
2e5b34ca73bac7d39579ae5af5c50268

SHA1
910b0865cce750b73e308d0c9314edcdcf4162bb

SHA256
79f7541d73ed1744fbc041fdeaf95cae2e2a43cf9d73f6d9476b67a5c2ea9695

SHA512
95dcb404558da6bf1b58640440f3e26b13bf53b8fe05932e85b85dea7e629a544f2bfef094fdd23fd2ad0692297aad338e23c9e6e516e5c852d6d7c1c97249fc

Download Submit
C:\ProgramData\BAKKEGCAAECA\FCBAEC

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminDAFBGHCAKK.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\AdminDHIECGCAEB.exe

Filesize
403KB

MD5
82b844c817b508a93001bf5d7a92a16f

SHA1
9449fee27dee665a7ed7d144fa206889f721c87d

SHA256
7e31e78341d27bb711e8ac8b6867bab2f113830b6a57caea5b26f4a0771ec71f

SHA512
7807a0e983b1f9cdcaddc47dba93d293af2b34ff10a45d12368ae38e400d9218f0c62c5ba50f8dffe5ed4f22318080fd919edda885315cee21b338048caf3ce2

Download Submit
C:\Users\Admin\AppData\RoamingCGCFCFBKFC.exe

Filesize
410KB

MD5
85a11b316f726fa24547c289aa61092e

SHA1
b2e79c0f56b03f4213bab0b62190666e78940b82

SHA256
5864b9c1714f615fa1fa40f60b9e14cfb534ec217e9e4a013fa5959217adabe8

SHA512
4adf0998b395e502ee2d2e3ac9e58b64a537cd82a827175866522d642ec406c704665912e228f2f3e04a69d7b716da5801553dc71991f7ceac3c3b7444f13038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_01e251a8c9714382be9e1a0ce4842673.lnk

Filesize
1KB

MD5
a25ecd187469330576e10ccf0e7f4671

SHA1
24ac247f8731e54b8099b09efbb971f649f6122a

SHA256
e510b52fb5f374e221b3c56e911bc1f6197fbe9a6457b7d36158f046b84c4152

SHA512
0df02cdbdb482562b40bbef8bcfdfa32551d4beaea0b969b9a6c0975d678a56a3cb20d28a766d8a7ad30a8b57abfa62eb5661e9f754f6314a7ed829e5d069ad1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0beeca67a1364a7ea655bcb1dc44b428.lnk

Filesize
1KB

MD5
d601b8faf51f5b189675b4a294b83a40

SHA1
e7a48871925c2153adc12b735feb84d0f4b109d0

SHA256
c368a0396f5541252b6e7713411648af582de4effdf35436a7ab660eaae10267

SHA512
6c6344051703d932c2efaabc40d03fc33818b228bbd1f87168a27e0e6631e8df40d882eaff60c027648b1987e4135f578bf201bd9e60ea57fa9b913a50e5dfba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1dcebf179a4e4b74a3a2f0af6ecf74d7.lnk

Filesize
1KB

MD5
0835ef5ebbe68a4521afbf3a50e3f0f2

SHA1
7c77b94579141e7038798ee4571ad68368fa1b7f

SHA256
18805656fc1e6c0e983d2b0d80e722c7d0ab2276b5a7f6bdc14669668d0d73ab

SHA512
40543dc1f1d4a4de2a9c45a72e66cdb81d61bedd9da6ea5b21020f674c6d451bf420f4d4b66d48fb1da42bffaaf79152f9eded5e8ab02740fe1dc1cc4f27328b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_21ff297b3b2d4233892329330e8c3605.lnk

Filesize
1KB

MD5
b472c143de6bcff801ed21544d1982ba

SHA1
752b7986f1aaecd4289f0e364cbe81bbfd45a2eb

SHA256
f9a80fd18eb55bd9dd1e32438bf7232d6a63ddb4e7946105568b2c595a1107ae

SHA512
e3c6e83065c9fcd6a3a18cae18f518225ac711618aee6b5f28ea1f9faf29228681a97af7e88a8e336c62cc68ccb5f8445d78fef685987d0d0ae6544ad3f3f764

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2b63d1b849fd49c2a8dc55bb23883541.lnk

Filesize
1KB

MD5
8aa2f1844e59a68a7fd183537feda976

SHA1
42fe1c8ab1ea814a64606152f01fe9057c151665

SHA256
aec358bf4a6ccabdf8ada20530aeb1eeb65764c0bea7abbac086fc79b1deb482

SHA512
65d5f89e8a21fd99f160d35a2202d147de0e2138f087b9e75f218e4c9835a695e8a5fb8b2deed1626b450739bbebf0464341cbfe8bdeb3776f2e7371b985c215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_30a63cfcd9fb4484821d9f17c337e5ff.lnk

Filesize
1KB

MD5
c09f4270d7cb340cd00878f49027b9fa

SHA1
373dfac004d8385645d5a712176481296aa9a8f5

SHA256
253fe0f211ddd40634c7da31c1327763c914dfc78e5399f5036996ed8e3ecbc8

SHA512
a147eca942e4b9af06c5a86c57a55ff64ae452511ec244f4fc5042095eee73c502b13a9321a89baf0057494b124c2f68084f47d048bb221edee49ae7e7941e3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_31dba2a2dbc647e4ae5610f306229fad.lnk

Filesize
1KB

MD5
42fff6dffcd45d57b784a56bee0cfb4e

SHA1
38e794de90c4f36cdee338a96b2a2d6724be46fe

SHA256
e55bc2165f35a31baad50dad3e3ac766b739e31b71b3121ce04d453e6f7e399a

SHA512
e73b04b774b0d7672414ffbac8e31fff9d92d7b76840271ff69fdadc680f928de7ba4274609321257745fb1e06e8b4b6a0520634f9f58d42df46f10fb92e91b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_329c613d575e47e189d5f0580a2319b3.lnk

Filesize
1KB

MD5
b6f42df39b678515238c6564bbadbae3

SHA1
fe777382d2eea03d2a3e6d1e8a67304e877d4d7d

SHA256
6f4bda15469a7f676d78558ca67978abc799377eaca19f24167c0bec17045fc0

SHA512
b3d7af5affe99a2c757de5e95ba2d29734e95ac6c85ea1a03f6e421141e1e07ed9a4dec7201306585cebbbb82582ee3f5afb68365fc085633a90f44762b7ee54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3314518123a54458abc10546329d76e8.lnk

Filesize
1KB

MD5
13c8d3168364f191f5c68de23e064d1e

SHA1
bc8520c52861b5c74bbe63c9ffe45de18f2bcec0

SHA256
06ff1f5f4b5f299bfcc02748ba87bda19d742aec05b4800b20433138739f4a44

SHA512
cf841bf4a2776d1fc90771f336da1fc29fae18ce274e185aa1ca68b06b3bf2640e736049562ef26586ba2ce16adf125f85a1923553be9f97b74ff7f88347bad3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3cae67453d414626a018c1cc3f47c340.lnk

Filesize
1KB

MD5
3d43875968e9ae0ecda146adbf9f45c0

SHA1
abfb748021cf538ecce3a172673cc39d82f26b3a

SHA256
46dba67685e191773deca6ed64e4ea037ca8cdee897e035b034457dc86ebec7f

SHA512
48050ce4d2d0c2749e126a8860ffcf3c17ec1c888399e87c48e87e0d3069acabb12607c058eb7f774e1eb9b2c378c781b450c55cad4593865421121cae8f5109

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_48a3a7685981480ba5f853527b44d23d.lnk

Filesize
1KB

MD5
53bb3af4d236f8858fa5be029858ddc8

SHA1
bdd6b518cc49d0685ce5cbff09986de235df1237

SHA256
357150de98a040f6e1ea286e8cee8cb0b823f83a78049ed66f15eef7807f4e79

SHA512
a2796606c49763ab6cde046c7643e9e59bf3b0392e5ba244ab03b3f4f25f7d2ac0591692ef649025bfdff4323e892f3419bff38b96a665461c36bcad115ac20c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4cd516093e6d45c2b6e1e51453b6f062.lnk

Filesize
1KB

MD5
53f79b8b2f8509f671e37b8e462ca42f

SHA1
6ebbcdf0683bbbc390a24cad8391526e05484b28

SHA256
550f447fca99dee3d6d5ed022f7b3be121ba098dde9f74f26bdb3b38341983f0

SHA512
fdb1ec4a2c22b8182e3ceb8c11699a6a34d9674205ba8aa2e13714ada6edfde96dad70ae59d411823573795c5caa609ce422ed5c3c002b955bdace5213c95c29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5b2badbc46c44cf8b4cb01d45b7199b0.lnk

Filesize
1KB

MD5
e7e6a535547b5c9ade4b6e845e9da626

SHA1
5ec7f28d9cb37d8fc454340ccacc9c4192e78b7f

SHA256
ec68b887cdfd71b34d972c81a2cd5f7bda08607037587486fceabe01119741f9

SHA512
f0b64e40b0087ddb92a2f0598ed30305b81d308970ba9802a3e8cb7691e9bdd62680ce2964416b9ab77f4a903fb4a570bc34b742179aa70df99558dc74ddde55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_674f239dd7ad4ed992ff8f1233e6f558.lnk

Filesize
1KB

MD5
1e93debbeadd60ed351f31a848bbb2ec

SHA1
c01ab7c9934a5eab467e93d442c566db57b7652a

SHA256
1ff5d0a06ff4559e8a0118053da89481c186a5b90c2488c5e539c4efc0b6d5e3

SHA512
0e1681f4dd691987fd29dd53efedf69e932c6c02cebaa7bd1566b82d8142046b46d012ecdd9b48ad120ebfaed47f762f86bfd343fc969f168563930755d84767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_68f2529fa8ac4d97be54223456c8c514.lnk

Filesize
1KB

MD5
f32903e36933ec8f1c4e78c4f4c80025

SHA1
4248233c19d6463fa0b41186ddf58438b38d31c0

SHA256
aba7849f926e4c9e9c4eae3cdfa36b318b873147595fa619f238954affae340e

SHA512
473e74320aeb51618e80b68f751e43c89b7e16c134c543d3eeb74c664d6e132813872b21fe53a5ad364f5901b07df389c54a51e029b582631a9701d90d002b58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6a5a43ecb1d840aba63a721048b8275a.lnk

Filesize
1KB

MD5
93dc4e63e0d64e8857c78a3f2f244a63

SHA1
cf7e1ba14a1d94d744fd35d9d8fe808a6efd454d

SHA256
c4bac400d3d5d142cc0ff431c01c27a94708457e70044e34b495466a43c213f3

SHA512
b5d7d7b070c5cb6d4c7317026179b7b0538f097b26043b15927acf90238218cff0d22df6e4b073f4d3522b3ab738746224f13f70cc4117c450c12f1401909450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_73872d929e8f4458ad2ca5557fe58d28.lnk

Filesize
1KB

MD5
46d80be10893d560bdf1da6fa20c4c73

SHA1
a6110391b6fbd1d11dd1939aed80a16292033704

SHA256
6f5616a732e0eac22ba236f9dcf43d53274928866501b13eeb94e24a03fba00a

SHA512
c309b8320d6330c89def2904047a9bef3a8f032dd8fa81e121c7281d154f6bd725308a89e8043ac03a195f8c4ab5157f75e9edc8cad68c70600d27ba6e9c0189

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_76387196fe00457f97e13b13c4c31ab8.lnk

Filesize
1KB

MD5
04e6612fd91e44caf9ed7a03f190a071

SHA1
78b6085561a7d35b07f35329d5a454048452b467

SHA256
959bfba5ce6fd8bf1aad576c43b0e63f9f6a672248bcd67eafa9329f7827f8de

SHA512
655dc97c74b9b498a3a091f8f686616a2287421cf58af4182186801d8455b877d89d3be9c428621339294795a6d2cb16075a8bc7384380b714523043201d16e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_85fd5d939f2246a685de446cb3e72541.lnk

Filesize
1KB

MD5
dbf7b2ffcb9c5aaf6ebc03b64283b3ab

SHA1
12491418a389056c91dcbbb988ed62d6ab58d667

SHA256
87767868d2a29cc3aa577a601755f955b10e5543de0791c80cf37d6d590d2e7a

SHA512
4488db15dc0d378dbcc6b41743a0f3a37304744c93dfe50a3b11646b9f3f7eac02634f584dbca455e8645784a7f0f25e2ee53382312641f46a4d95f4c0571b55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_87602702cbe44f74aec4ffe89fbfe07b.lnk

Filesize
1KB

MD5
c0f804a690a69a4961790c0d9cae71bd

SHA1
8d8cd48af2a8f75758b9bb2d28f6f4b014a51657

SHA256
477dbb49d3123a9465ca60577a4279d49bbe4cba2763969a0ab35c6b47eb7151

SHA512
586f0b360f344326c0b9d59fe1748c81df366cf0cef89a74d16d27a17b126e66ffe3acbe01d0e68a8b3bc6b50d0eaad117147a04b3c4b7b7477b1bad583e66fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a01d6e4a4df648f4976bdfea590aeffc.lnk

Filesize
1KB

MD5
974e5b153ce91bc3049ec0f3bfb0e37e

SHA1
46af501651f3b00c0ca906ef6f77eecdebffb9f7

SHA256
4f746a0329704be7589142387c1251cdda252aa758b1023f1aeb77d91799bd2b

SHA512
18be4e66ca31be673cbee426e98a655715721ed0505c4ebf6302a4c4613c723e2fde12406a07835ebc5c0642bfdda81c696943bcf5a5794e910c98733ce2fc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a57551ea19cf473095af157e564b8998.lnk

Filesize
1KB

MD5
0f91d73a6d63ac74f8c726ed1c44757b

SHA1
3b981eea3583540c35235ffe42c60ac167dd34d9

SHA256
0df968a52932141aa0279eeede22315a78dc90632b4c6956dd073e5bc6f4cc4e

SHA512
973c2c778caefeefe094ec81a360e6d744f903e6c5df647a274b7abec62bdc187a7fc4b6857acba4089e17a64e33c3831c6d863075a76e64a801f2929ab84526

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a633012dd4f4485e8bfd17f5bb1f54d2.lnk

Filesize
1KB

MD5
fe660f12a1a580eebf25f318ae343078

SHA1
e450abc422954a5b91d32ceb3a496f7f324fca94

SHA256
7ef6b975208120f0eff7f3f42dd902803f3261583873c2088443976eb544031b

SHA512
365c2eadc6b5f0b90906ab90d8503bb1eb38e43882da9094e04910917380cbcd9d24cd1e279250ad9d621a5fd06bdf19c63161e52ae1912d7203daf1363c68fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a9b18924e52e41e5b6a0ac7faf1308dd.lnk

Filesize
1KB

MD5
017ef23965cbfa97742961525a4bfb1b

SHA1
2376d6ac74ca7cd56747b55d3f4ef58e4d20c9ae

SHA256
818abf91b31cfb5c774e2ededa483a90d77d61c8ddb8795dca5a3902d87735ff

SHA512
d8b235c0b82efbebfd6fd7ba20e727b6b7b53b0c6de034e8f6671eeaf949e174152acfa427c86579bb18fe44306e861bc0f1d72d0480326ae577a2d157ec2195

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b4bbbcff05574997b5745e9c877ad768.lnk

Filesize
1KB

MD5
e8c4db012109fc915616ec127d93d64f

SHA1
213abcb58677d039cc9bcc9ebcf39718fea9fc27

SHA256
86311bb7a0f46e88fbc25aa37a9acdeae16f831213cd1076dcea44b2ff3721b6

SHA512
3dcb3e2ecfee0373b3ad49dd653828276529db5483bd02567cf549edb0398dec58b13e51d26092c1d6b4bd6384f92f1987681235ab44bd7fb86063f57100446d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c65daeb8b77c433eb7c2186eabeee522.lnk

Filesize
1KB

MD5
80656b4804346fbc97d2432b285c573c

SHA1
3abff1a0ec148f1f14a1507826637dc572041bb8

SHA256
f75b189ad78c63142d5ef3d29db8e40d47f4a48f6e0320b7a6095f5b1575c703

SHA512
806f60330d12004fe2a56a2a083d4d6fc892ec9012a04c60ad0793b70d70dd95daf09bedc3d3cea684ce6e1be8254f1083d55c802c66c8dd74540c8fca214358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_cacab2bcfcab4e35a0b63ccfa9c676de.lnk

Filesize
1KB

MD5
861c9f92c65c58d8c7dc0b5734c30a39

SHA1
303f70fa8d5f2e3f5ac2622758cdd5f3db41e222

SHA256
40a9715c87db7143f94fd3fc80f3e41675bbc51709966b791e22a221644bfeb9

SHA512
2aa6f7db17c4a3e6732e2c083f1f78f9210be6b895bc368e938605f519c3033b09059935a3530559d7985384feef03d2bf335648c129b84696dcea22e8b52fa1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d000092920a240e5951b2780381af687.lnk

Filesize
1KB

MD5
e28705704d7eeb255896a3b73318c595

SHA1
520283224d634ffe4d89134ccc9f23fd03519e2b

SHA256
e024f18b4f0210404f3fdf0704ddba68551002cc83742304bab6af257f9061ee

SHA512
a86b0484317b27da57bf9594a091a3303811ddebe7206e5793865d7006f8d34086cf3d0ca9af77ea39820a33eed5bda565ea77c3cfc8c878e8b7b7ce12b5545c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d959e7b2a1c34802920e07842716d28f.lnk

Filesize
1KB

MD5
e2378b341974ceeb5479b0d6f3c9bec4

SHA1
617dd92d32a887962398b2b93813fc0641d8809c

SHA256
c241c4189a430c38953e5d869e05014aaf3bb195f0721ca2252cf70e3a0dbddb

SHA512
9bd545c609952712acc943026c85c9e50ac707bb2876dda34169b9d673a4c0eb315ae2ab76a13447d9f6ede71e8a50796a829db5a163da5b3e21d97f59ec281a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d9bd4fc01d3c49f7a1bf70b204cd36b9.lnk

Filesize
1KB

MD5
a5248fe787656328c9ff20b33138ee93

SHA1
a2515f1c0694f8b52a56c63719044c25de66749b

SHA256
ec45252abcf9c4a4d07f361c1b2f3284ea096f1ee642820128d9dd2ab1d0b3f6

SHA512
e5d2d6601ed0a27a5f64a916d1a98b5db73eeb0b8ed48ee6eeaad2db25ce4a8adfbd95f027ff26f8d3a656b7773828eaa15db61f0c64a8e8b43bedf2a3730e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dc716e00c62f4b939eb0b2b6c4fd408c.lnk

Filesize
1KB

MD5
0f09d45e523fdcf514fbd427fd51ef3f

SHA1
320bece5f78ad4a61610bcf311ce11d2d27ed51b

SHA256
5ab1217881672f1ae09216217fa4abb6129d236d30abfe02aed2e8e6b402bb80

SHA512
f3cd201dfde0c56701f3acc24d180f3365211b16b051a937f469c7d81cc14e63254b39f7d9d2d9f1f50e3d5fceca94eb60894217e95c86ebf0f49992c6e002e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ed6bc67c94be41bfb737570647c1ba63.lnk

Filesize
1KB

MD5
5392885c90c6c73fa32b4bb921bc62b2

SHA1
a74de60237dd4c7eb997e69b5b8776d645a99f9e

SHA256
47886c8b139ae04b22a2bb943b9366bd350982a5f0f0897a6ae8b9ad6f1c7c76

SHA512
db089dcfb677afa2be8bd652477dbbdae462a0587017098a112b55578a89c2af888cd395fddc84e9cab31b3a87d26d321b863ea99ff620f11ddace0dacff4a69

Download Submit
memory/1628-99-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download
memory/1628-100-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2152-101-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-7-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-8-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2152-11-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2152-43-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2520-91-0x00000000001A0000-0x0000000000208000-memory.dmp

Filesize
416KB

Download
memory/2520-92-0x0000000072BFE000-0x0000000072BFF000-memory.dmp

Filesize
4KB

Download
memory/3904-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/3904-1-0x0000000000A50000-0x0000000000A88000-memory.dmp

Filesize
224KB

Download
memory/3904-5-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/3904-9-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/5016-249-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-236-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-119-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-121-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-198-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-211-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-222-0x0000000022690000-0x00000000228EF000-memory.dmp

Filesize
2.4MB

Download
memory/5016-123-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-403-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-265-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-276-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-358-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-367-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5016-394-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download