lumma | 6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

326KB
MD5

56bbebff4b50d8298e46f3312915694c
SHA1

f83e6487506067aab52550faf4179ecac77b17ee
SHA256

6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
SHA512

5612e0a314333d99d116e4333a7d5054e59b03b7cc1e31635866acbf58f5f7c6977d5fbac1ba7cee22759377ab8515131e9789b803b597d038f4c84e90e2e410
SSDEEP

6144:9HjkqhJNb+r7hwLDH1L3nbGIR1M34fHwTDIlpCUOS7YYCUEO:Fj3Jb+QDHRX/rMAHouFOS7Y6EO

Score

10^/10

lumma stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://ghostreedmnu.shop/api

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/4308-155-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-159-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-157-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-219-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-229-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-251-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-262-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-280-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-290-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-347-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-353-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-378-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4308-387-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	IDSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RoamingFHCBGIIJKE.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b796a91681d94e0bab71d35f89a69247.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2b840bc3005a4b918d83e94cf9ca689c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a251024c2dd543e4890a8d85ca52256e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7e9a4407ca184da1939902927bc4f604.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fa5b1b38e5814eabbb39ab102c6053a3.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_40d7b823e0ee41368521a55ecfb2fd51.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9f68efcccc24458299c7fb92ca04c886.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_bfa102a376b3474988e52ebebff7bd11.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b7b8e4c95bde4084bf897cdc3b9e4141.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8a0abcff19e846d785604a1c974b04ad.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c42c0a140b89492ca0b06a79f23a8e32.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1c250a6eb04a4d458a30dcbfe949ccfb.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_92166270ad2e4ef08a7844380f1974e2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_35a44e016c5040fda0261b0c2ade815f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8a31ead387494d308ab060ce34a2341a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0eb311c6f4f1497a8b3316d0913f3e84.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1cfd8eb9b7014bf78c1ff64c92a06892.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c89eb20d496043cfbd2af727c3ea9266.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_aa2abe53f4ee493b96c93ba2f983dcb7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_427dcce16d07496e90688f97ed8056ea.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ba93b95ee14f4f0394240e7c0b4e0f51.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9a27127015ae42208c40d07426156b23.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_807878624efe478a8a3513069334353d.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_da530996af954fef8d0b39ef3f1a0c13.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1b84eaccebb946adad0b4ef7278c78d8.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ca23dca535e64564ac5b3987f784e2c7.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f6198586e54046c9807a3fb7c052bd36.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_3480dfcfd6264e96ba8a636dd01fa18e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_34935a1ab19547a58eda145068b9e756.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_449b3bae7e524de29b12e6fd47aa5f70.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_dc028631b8dc44978c343188da6cb3f4.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0807d735c0a242a5b5d00eaa37ccde07.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_8436386c7d0a4eaaa674b12ee25f83c2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_f377072b88524c41b3217c910ee66e5e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_ce8dada8e54c490c927681ed3311028d.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_73babf0d4b3545e3a981744347d1ce8f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_62276091bf24417eaeae189f45fc6f5a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a5b3cc75115e4a5489e6d9bdbbb5cde2.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_0a32ad10d083487e93289c0eef58812e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_95c12a869e7d4de5ace951db59aab8c0.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_893245e0eb9e42c1a65671a706ea5c71.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_146dfecffc914bf5ad8f59f5a895d7a5.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a2ed0b6622cf43e1bc7cb65ea779b036.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_fe8a0bcddb1b4f798e102a76fa05903a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_060a6ff0b6a54fc699d3e812258b4a0d.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_87514b7c29e04c1f8b056fd5099d2b0f.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a26bd1bdc7ee4156998e00e8d93c633c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_9b4d5f727f13496cb4e9aa533b61b4ce.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_be164a15325d46ee9a1a60dc0f3bdd04.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_102f7d96c36441b986e0fb425ff9d6a8.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_7c52bc63f5924a4e8a70d09eef7fe43a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_23cd23a7e7d046dbaee632e1e91c654d.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d1d4bf622d874f87b4d0c07f9283892e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_b0e9e0d063e949babfb566675b19411a.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_c39447a90ea946cd88e418cd90c05c1c.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_36fe1c1856d44fe29abcc170cd356817.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a3860354b65f4222bd61dce7adf2e8fa.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_bbedf4d3cf8a4eb7b034276e1c68125e.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_5297fc6e1a7949ed941e082b978cfd23.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2756983cdb5c45ea8394e32c178b983c.lnk	FCAKFCGCGI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_1d2b61dd7be24e2cae9a667f923b1d25.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_d96e00f39e3049d0b0b914c8bbaaa870.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_daa3d3894a3c4f3a9461c4448ebb8d03.lnk	IDSM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4cb27dbbf1f2427ab06acd81cea71f7d.lnk	IDSM.exe

Executes dropped EXE 7 IoCs

pid	Process
2848	AdminCBKFBAECBA.exe
2620	AdminIECFBKFHCA.exe
4648	RoamingFHCBGIIJKE.exe
4044	IDSM.exe
1372	MSDNG.exe
2016	HCAEHJJKFC.exe
952	FCAKFCGCGI.exe

Loads dropped DLL 4 IoCs

pid	Process
872	RegAsm.exe
872	RegAsm.exe
4308	RegAsm.exe
4308	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b6559f6642544002bcf8bc3182e6a725 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e4c76335cdfb46a888624d6cd7ac8c4e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ca5d979f3cc2419eb662d83ced2fcbaa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_fd4145bd66724c2a9fbb0dd3f47d40c5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b7ee837de0a74a0cbe6f8d5ab96953ff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5bcdf64910a54327a09d257ff534af6d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_be918d755d9c4720a67ba8be03f1a190 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_068b252cf2d449019cd9ae8b697b66b5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_fd6cd9013ad240f6b9dccb9eef15e597 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_471472fc7eca468299533ee3f5d1e742 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_39e447fa9303443db881664cc482e47e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e810d0b5b287485eaa73a5e717d2707d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e4247e1c826b4c5fbf81ebe61e6ebf3e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_90ba79b0057347f59c20ab5d440a7e8e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_589f0d0f526a415f8c19c746e1fb5786 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	FCAKFCGCGI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_691a76d270ca47cc9b3c53b0069f4510 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_bff05a06f4624e8d8c2c28f73555b69f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f50126403e7a4d77abe955076745a367 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_83f06a20cf9d48e6b1b28302eddd3f4b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e1ddf7f11d1049a2898d7ebba189f6c3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_352cc356f9e7478a91d72a2ab9b1b0e6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_663e0f600cbb46b5ab76913883acccde = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_7672fe825e4c475da7f224c23bbf9d80 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_34f22333f4bc4c29b321f1b3d414f2f5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_3cb9d488908e49bb8935054d4d256750 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ff4bec947261489bbd7b579f7d0b623e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_142b34c53db64f14a22b922e4111f332 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5c73239aa7164799a304fe29b98a8d36 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_318e21c615054c9a98017cb011db5277 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_fd5bb263f4464117883651c956c22bbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_c191445081c248b9827e73f73397f30c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2cab5be1b81345f4ada99d873400eda1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_bcd2d65253544a748127c1f55ad3ed05 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_6c5a891c75f04cdeb4590a350e10f48a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_2fffd705ebe84faf971c6c6672837d16 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_397274eeb0ed4564bc1ff52553e01aee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9a565440d55e46f4a520cb96494e44f3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_5d7ca83384f649a09e91c2672f4e79fd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_064da88bd9444669b5976b9480e843be = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e7b74ac17d43479bba5601830d9f4303 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_75509f3a1faf493a9a95749e94cd08a7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b0925d351ba84055ae00b056dd394166 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ca4fe0b86751452aabaf46c94d207abd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_31a61e9065d948d6907193b18f0ba602 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_e657e231010044a6a90560b55286ee71 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_4e7f991afce74a06adde1ac8144ae040 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b6170f114999487a84d13725d980e9cc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ffa4ac54d14e499fb07d53af7c5ec8a5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0628f62f34b74f66bc8cca5dac9646c9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_97e0570168524f07a4db3b586c0eb88d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_aa24c77e694e42218d905635d6116b9a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_252e896ec5124ae687cda0fcb1f6668a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_631dc8710466431988c2396ec811280d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ff45d50c125548648d5877f6c4f89cdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_8fd3b8747c5446c1970f051a97f104cb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_bfa155eb08cf421da69eacc97a42de7a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_b81b6f8ea44a46cc9be73e8387f01c33 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_afdb397c502c45218c8453d797b10676 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_f69d602139234935ad57674df8235933 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_9d3ccf7d1f4240aab6f58ab86c5082cb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_ef2687e2312e41dab22808d061c91c68 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_31bbde6e354e4f30805b164620b5b87e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_0f23e1f5c75d46d8a37c885ad1b50b3c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDSM_a66155b2f8a341a094c6e5fb0dbc0d38 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software\\IDSM.exe"	IDSM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.ipify.org

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3688 set thread context of 872	3688	file.exe	85
PID 2848 set thread context of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2620 set thread context of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2016 set thread context of 1556	2016	HCAEHJJKFC.exe	115

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDSM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FCAKFCGCGI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIECFBKFHCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingFHCBGIIJKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HCAEHJJKFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCBKFBAECBA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSDNG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2884	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
872	RegAsm.exe
872	RegAsm.exe
872	RegAsm.exe
872	RegAsm.exe
4044	IDSM.exe
4044	IDSM.exe
1372	MSDNG.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4308	RegAsm.exe
4308	RegAsm.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
1372	MSDNG.exe
4044	IDSM.exe
4044	IDSM.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
1372	MSDNG.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
1372	MSDNG.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4308	RegAsm.exe
4308	RegAsm.exe
4044	IDSM.exe
1372	MSDNG.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe
4044	IDSM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	IDSM.exe
Token: SeDebugPrivilege	1372	MSDNG.exe
Token: SeDebugPrivilege	952	FCAKFCGCGI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 3688 wrote to memory of 872	3688	file.exe	85
PID 872 wrote to memory of 1608	872	RegAsm.exe	91
PID 872 wrote to memory of 1608	872	RegAsm.exe	91
PID 872 wrote to memory of 1608	872	RegAsm.exe	91
PID 1608 wrote to memory of 2848	1608	cmd.exe	93
PID 1608 wrote to memory of 2848	1608	cmd.exe	93
PID 1608 wrote to memory of 2848	1608	cmd.exe	93
PID 872 wrote to memory of 3512	872	RegAsm.exe	95
PID 872 wrote to memory of 3512	872	RegAsm.exe	95
PID 872 wrote to memory of 3512	872	RegAsm.exe	95
PID 3512 wrote to memory of 2620	3512	cmd.exe	97
PID 3512 wrote to memory of 2620	3512	cmd.exe	97
PID 3512 wrote to memory of 2620	3512	cmd.exe	97
PID 2848 wrote to memory of 740	2848	AdminCBKFBAECBA.exe	99
PID 2848 wrote to memory of 740	2848	AdminCBKFBAECBA.exe	99
PID 2848 wrote to memory of 740	2848	AdminCBKFBAECBA.exe	99
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 2848 wrote to memory of 2940	2848	AdminCBKFBAECBA.exe	100
PID 872 wrote to memory of 2952	872	RegAsm.exe	101
PID 872 wrote to memory of 2952	872	RegAsm.exe	101
PID 872 wrote to memory of 2952	872	RegAsm.exe	101
PID 2952 wrote to memory of 4648	2952	cmd.exe	103
PID 2952 wrote to memory of 4648	2952	cmd.exe	103
PID 2952 wrote to memory of 4648	2952	cmd.exe	103
PID 4648 wrote to memory of 4044	4648	RoamingFHCBGIIJKE.exe	104
PID 4648 wrote to memory of 4044	4648	RoamingFHCBGIIJKE.exe	104
PID 4648 wrote to memory of 4044	4648	RoamingFHCBGIIJKE.exe	104
PID 4044 wrote to memory of 1372	4044	IDSM.exe	105
PID 4044 wrote to memory of 1372	4044	IDSM.exe	105
PID 4044 wrote to memory of 1372	4044	IDSM.exe	105
PID 2620 wrote to memory of 5040	2620	AdminIECFBKFHCA.exe	106
PID 2620 wrote to memory of 5040	2620	AdminIECFBKFHCA.exe	106
PID 2620 wrote to memory of 5040	2620	AdminIECFBKFHCA.exe	106
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 2620 wrote to memory of 4308	2620	AdminIECFBKFHCA.exe	107
PID 4308 wrote to memory of 2016	4308	RegAsm.exe	111
PID 4308 wrote to memory of 2016	4308	RegAsm.exe	111
PID 4308 wrote to memory of 2016	4308	RegAsm.exe	111
PID 4308 wrote to memory of 952	4308	RegAsm.exe	114
PID 4308 wrote to memory of 952	4308	RegAsm.exe	114
PID 4308 wrote to memory of 952	4308	RegAsm.exe	114

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCBKFBAECBA.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\AdminCBKFBAECBA.exe
      "C:\Users\AdminCBKFBAECBA.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:740
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIECFBKFHCA.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Users\AdminIECFBKFHCA.exe
      "C:\Users\AdminIECFBKFHCA.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\ProgramData\HCAEHJJKFC.exe
        
        "C:\ProgramData\HCAEHJJKFC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
      - C:\ProgramData\FCAKFCGCGI.exe
        
        "C:\ProgramData\FCAKFCGCGI.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHIDBKFCAAEB" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingFHCBGIIJKE.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\RoamingFHCBGIIJKE.exe
      "C:\Users\Admin\AppData\RoamingFHCBGIIJKE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\IDSM.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Software\MSDNG.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FHIDBKFCAAEB\AEBGHD

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\FHIDBKFCAAEB\EBAFHC

Filesize
11KB

MD5
49a1cd6f38a739d8d13b9c47e40597e1

SHA1
455eeb6ed576725c60d358a47d91a39fd60d0c21

SHA256
341aa1adf9fb65eaa8c60e82ac836228781f8a352219656626922eb85d064d57

SHA512
c5bee669c56e216f41bcf7149a4511c717fc8283400cab6f6e84c12e7eee3830f0d64cae889a1f3b1af42a21bfa0f29de297cbb492bbb924fc89cfc686259217

Download Submit
C:\ProgramData\FHIDBKFCAAEB\IECFBK

Filesize
114KB

MD5
503d6b554ee03ef54c8deb8c440f6012

SHA1
e306b2a07bf87e90c63418024c92933bcc3f4d7f

SHA256
4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

SHA512
3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminCBKFBAECBA.exe

Filesize
375KB

MD5
3f21d4209d237332463e5364186f1b91

SHA1
6ba5926a058b13e58e21fbb3c7e22074381b5c80

SHA256
c7995bd4c494c80060f42ee5b8519bfdbed13e047751e924aabc3710e412bc6d

SHA512
2d12345204e7a25fbfef9c4ede47713e7898eb387cc07b4eb05dfe104e2a0aaca6ec60529551fe2bb1e38cf710e4e00486a52e787a7db4a4f1d975cca2a5a419

Download Submit
C:\Users\AdminIECFBKFHCA.exe

Filesize
403KB

MD5
5456c9b238c54e52277972cdadf6764d

SHA1
512977a16b78c08e9aeb028e06a5995fc36c0d40

SHA256
6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd

SHA512
bf6cfbbc35edcfec8d8dd2c7be5c587b2b43ada1bb1a43620711cc713b122e41b978cfb1b5b0f8dfe107bea00d34de02c7a112926302652f3810a779a818944b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
218ae453d9f09bd4eeadfd716c2808a6

SHA1
fafd8afccbf688659d6f8d6fade94592d23344e0

SHA256
9949761ff43c0822473e7763062c47138417902dcfd4504313fb1afafb2a2060

SHA512
45676eec197922731393770d187548f05a61ef1e43bd9277c24dfdf022030c872eca3e3eed041b8f0ca658c92b4f78f94e798be9bbbe4717e4198e0be4cee377

Download Submit
C:\Users\Admin\AppData\RoamingFHCBGIIJKE.exe

Filesize
25KB

MD5
5a7ef447d5d556b9d550da1cac582a7a

SHA1
3761d13fe006bf7332bbb6e697cd31cfe463e541

SHA256
1f8acba1d796a9ebaed193ece097f9e82c09f596ab79bd66362c5cda736df3d1

SHA512
3a15ba07b474eaf49c94cd5c61bfb64acf1021fe05520972cae458fd8bbd98d18a94590af3eaaac9f7e77be9a54084d68087f3439ad37be67145b5e19c6af0f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_02a29b649ca54dedbd809ce29edf111a.lnk

Filesize
1KB

MD5
f49ba153233b8a933a705361603605e6

SHA1
63630d5fe7d63b630cf7c829e3249db9b240f261

SHA256
7538835cbf03fc2c528e57e365d1d250dd8ef87a11bb7edd6336199227677f49

SHA512
5a522ade2b52c0b7d2acfce1a7c110b4a99131d52eea04c2886e0808f3c3abb168406636fbd53a5cd4fe27c6945399f92c31a5adc24da7cd4c886a343f0db604

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_21edb52526da41c4823b38382ce68b11.lnk

Filesize
1KB

MD5
69ab1c46229c6f2db19dd7169dfd3918

SHA1
36c8a7fc6e859427bcb5bc05eebcf68310545b94

SHA256
c0e3dee33de1db5ce0b833b5dd30586dff019027a9142e3e742c0045f1a76e2a

SHA512
30cf64ab7255eedc7dd83b65df608b2369a06beeb749528371ff77df3a3c3ac08f3f4a71090e5cfcc984bf581bbf57c03a4123da06b103edb3bb3dd682926a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2756983cdb5c45ea8394e32c178b983c.lnk

Filesize
1KB

MD5
9dd6223ad125406121041d86da8bf529

SHA1
1fb35bca94808e564bab88fb41aecfbb940ee2c1

SHA256
be20b41b7feec504142f01412d80874c4554c5e8dff5a64e6883409943af4e3f

SHA512
d02e14b403c8f6fe01eb6411c7402ec1720b829a251b4a82d062fc6eed7d3d3d27c8b8801eab6403245055ee994ac7f3c1daddae3a660fc46f4e8d6882a21fbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_2e9e58ca86764c2a9e459d4af218631d.lnk

Filesize
1KB

MD5
283d694c40d0394d9c61ae62764d857c

SHA1
04010a82afb45b871c3448617d13c97fa4151c8b

SHA256
88042be6cef56851b1f955e388e41b40a8e84a618154f32859ef9430283d3893

SHA512
c990a6cde2a23072b511d9b51a22252f5c4dfdbcddc1ef16ada659763542a1d14d4154d76153aa19c7aa54ed4296b0c28d9753dc0706723c73eb947cd837b632

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_4df59c624ed743c9a2fca87d5539a573.lnk

Filesize
1KB

MD5
ecedbd2e990cb07c95993bb6d9868343

SHA1
341c88000de6f7cd09891b902957ff512189b06a

SHA256
c348ee84316b5df72f03f603510fcab5294742d07d149ba775b9dbaa1f1f80b6

SHA512
35929d67a4e8e4326893f84bf099caedb4312922a99b7d74ea05bc0319ee56e4f77c26361800a03b80f4f5c23bc12bb5f17b2cb0d5ef09eea8c578cbfa23ce53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_6698b106c3b646859bad1f51ad8428e5.lnk

Filesize
1KB

MD5
202b8732ea8f84acfc30d4ec7ad8f096

SHA1
80650ccfa6bf56f022423703a6f4e39168512496

SHA256
01ccfaae81f11a4aab26b65328b9ddb6b1e6a92717f5077d7c7cbec8e114502b

SHA512
5cc1e67c098afab5d1c4d67c681b36f7f007de10a0474ad2bd3ac222684f69c2aeff0cda1f357999a851db8fbd0443220a1d583d495b85d9dd4e4402dd08b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_84e041c9fe45442f93f2926a15ada39f.lnk

Filesize
1KB

MD5
6957f488435eec33ba6bcd6c85be07f8

SHA1
ddbb2c3f5688aa3a8a6971ab0323478e7f60a45e

SHA256
2d9ecefe772edfa5abbaae858f04b3f77932eecd3030c20297be256ad3a6de28

SHA512
d17b136a50f4f70cb3193e474c0ebdb68baa8945aeaa2fabae8dd83e19f80d91ceecce7adc616230bb88c9716029a523512fe15741afd38f5b491f01ce73b4b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a0190eaf10644db3bed3496a534aea3c.lnk

Filesize
1KB

MD5
09a3db1c27b9387877fb31d686957492

SHA1
9856faa1012a757fe9e5a7a5879b51d5db8b0c02

SHA256
08f6c37853710ca168ce5e0a4fa014df916bd7d6ab54f48c54e75a4042d281aa

SHA512
2fa7542b8a4a0ddb6d1d9461034c51f51e2326d7e142bc9ee8931bc2e46622b29adb9f3b512996d2493b4f5f79dac27153f9d7ebdc492ce5542f554c3da94ba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_a5154945d352428099caf831a93e8466.lnk

Filesize
1KB

MD5
72de9810f35a8167fac38e1a4be26437

SHA1
03b67881ceffafece9c1ebdcb7505e799559f53d

SHA256
4725d732453ab48ef1ebd9884739a6e3e0a158f060b62018d832b4268e94ce5e

SHA512
1fd2a6ad3be249140a70f8f97646c67e469ba0d08ce3a53eae324d30305d22c4cd90c8eb5e2f7f1322318036510ff8fb6bc1ccac3a2e5913020a0019636a8062

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_cae11d5cb0f947bc83a31397cf900295.lnk

Filesize
1KB

MD5
9f2ed6d4498af722cb61bf06c20393dc

SHA1
1ec7fa347b4ed45390a26deadb10fc38f5d8280f

SHA256
20e09c13b3ef7c9c1e86c1470257ca5863f8a826b27969bfcbe1a1b9a0d8f6d8

SHA512
0092f223736c22502b8eb0a218b75071708ddb5abad78252f91fa58c62b290ea3de03b0f3847207542120d9a2ef67d20733f86d47a8d57239e0b4036f74fecef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDSM_eda334127a174601af58be6df2d523dc.lnk

Filesize
1KB

MD5
ec2e3f7bc57fef5c9dc21ac37b0f815a

SHA1
7372fbac4352e2aa13a5368393399b0372582db6

SHA256
c6b87be1dbf5603b7e2db1e9a44363d5404f088bc5f10d7c567f25a0ef21733d

SHA512
f6d295558e3c32e8116e5175f0061abf0f79772efc4c917bbba6bf5a2be448da707fcb14668a4922b9c47318d1667c8ee37c24d3f61fdfa423b107756671dfde

Download Submit
memory/872-85-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/872-3-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/872-7-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/872-8-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/872-9-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/872-117-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2620-100-0x0000000000910000-0x0000000000978000-memory.dmp

Filesize
416KB

Download
memory/2848-92-0x00000000728EE000-0x00000000728EF000-memory.dmp

Filesize
4KB

Download
memory/2848-93-0x00000000003A0000-0x0000000000402000-memory.dmp

Filesize
392KB

Download
memory/2940-102-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2940-104-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2940-106-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3688-84-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3688-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/3688-5-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3688-1-0x0000000000500000-0x0000000000556000-memory.dmp

Filesize
344KB

Download
memory/4308-229-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-353-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-378-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-387-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-347-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-290-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-280-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-262-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-251-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-237-0x0000000022550000-0x00000000227AF000-memory.dmp

Filesize
2.4MB

Download
memory/4308-219-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-157-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-159-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4308-155-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4648-114-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/4648-113-0x00000000000D0000-0x00000000000DC000-memory.dmp

Filesize
48KB

Download