lumma | 922cc62136078b304e61183fc11d3a6258eecf23da272278897543b25ba1a541

Analysis

max time kernel
70s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

403KB
MD5

03c94d73127dfe7f3d12aa591612cad6
SHA1

1ced86cbe41cdd4710776c2bfda5ced85e11c5c8
SHA256

922cc62136078b304e61183fc11d3a6258eecf23da272278897543b25ba1a541
SHA512

dc36256646c2c5af54622be4f46e53bee22b47f4e54981138d0a8e675e679178a31d05bc8bd14e72254304f4a1ba6117c58b61d3be0d8a5a3ec93d0b592541cc
SSDEEP

6144:AKSk+V/WTaEEVQTDHSICGdB2mgFwayoEkNS+GSYOuGVYk/xS8s4LegipEO:AnREEVOzSF1vn9EkNmljaYQxoKYEO

Score

10^/10

lumma stealc vidar d80be45a1eb6454ca916f92c36ebf67d default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

d80be45a1eb6454ca916f92c36ebf67d

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://stogeneratmns.shop/api

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/3020-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-7-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-15-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-12-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-17-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-158-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-177-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-211-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-237-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-361-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-382-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-423-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-442-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aaa06b22737c4484b684f965de618231.lnk	AdminCFHIIJDBKE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ce07d45532094ffaac6175ca87af3f65.lnk	AdminCFHIIJDBKE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_14b39391f5a7477c9ee89dd03368c41f.lnk	AdminCFHIIJDBKE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fdd491de8f464ddbad9fd40caaae03f4.lnk	HJJEGCAAEC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f3fe671fe37c4aa5b538a1703ec9f52a.lnk	HJJEGCAAEC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d66e7a35ba54c2680aba8484ee7f3f0.lnk	AAFBAKECAE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b9f09cc4ef94e968da729997fa443ce.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d122c82c84704334b04a28559a05f405.lnk	MFDBG.exe

Executes dropped EXE 11 IoCs

pid	Process
2356	AAFBAKECAE.exe
2264	MFDBG.exe
1512	FDWDZ.exe
908	ECGDBAEHIJ.exe
2776	EBAEBFIIEC.exe
1040	AdminGDHIEHJEBA.exe
792	AdminCFHIIJDBKE.exe
336	AdminCGDGCFBAEG.exe
1480	HJJEGCAAEC.exe
1724	AEBAFBGIDH.exe
2276	GCGIDGCGIE.exe

Loads dropped DLL 43 IoCs

pid	Process
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
2356	AAFBAKECAE.exe
2356	AAFBAKECAE.exe
2264	MFDBG.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
2264	MFDBG.exe
2264	MFDBG.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
1692	RegAsm.exe
1692	RegAsm.exe
732	cmd.exe
1656	cmd.exe
784	cmd.exe
792	AdminCFHIIJDBKE.exe
792	AdminCFHIIJDBKE.exe
792	AdminCFHIIJDBKE.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
1480	HJJEGCAAEC.exe
1480	HJJEGCAAEC.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe
2852	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MFDBG_315ac13e110f4c6eb716aff510643c57 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	AAFBAKECAE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 3020	2248	file.exe	31
PID 908 set thread context of 1556	908	ECGDBAEHIJ.exe	41
PID 2776 set thread context of 1692	2776	EBAEBFIIEC.exe	42
PID 1040 set thread context of 2852	1040	AdminGDHIEHJEBA.exe	59
PID 336 set thread context of 2100	336	AdminCGDGCFBAEG.exe	61
PID 1724 set thread context of 2832	1724	AEBAFBGIDH.exe	69
PID 2276 set thread context of 2148	2276	GCGIDGCGIE.exe	70

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2120	2100	WerFault.exe	61
2712	2832	WerFault.exe	69

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ECGDBAEHIJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCFHIIJDBKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCGDGCFBAEG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAFBAKECAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AEBAFBGIDH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminGDHIEHJEBA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBAEBFIIEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HJJEGCAAEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GCGIDGCGIE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1112	timeout.exe
916	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
2264	MFDBG.exe
2264	MFDBG.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe
1512	FDWDZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	MFDBG.exe
Token: SeDebugPrivilege	1512	FDWDZ.exe
Token: SeDebugPrivilege	792	AdminCFHIIJDBKE.exe
Token: SeDebugPrivilege	1480	HJJEGCAAEC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 2248 wrote to memory of 3020	2248	file.exe	31
PID 3020 wrote to memory of 2356	3020	RegAsm.exe	34
PID 3020 wrote to memory of 2356	3020	RegAsm.exe	34
PID 3020 wrote to memory of 2356	3020	RegAsm.exe	34
PID 3020 wrote to memory of 2356	3020	RegAsm.exe	34
PID 2356 wrote to memory of 2264	2356	AAFBAKECAE.exe	35
PID 2356 wrote to memory of 2264	2356	AAFBAKECAE.exe	35
PID 2356 wrote to memory of 2264	2356	AAFBAKECAE.exe	35
PID 2356 wrote to memory of 2264	2356	AAFBAKECAE.exe	35
PID 2264 wrote to memory of 1512	2264	MFDBG.exe	36
PID 2264 wrote to memory of 1512	2264	MFDBG.exe	36
PID 2264 wrote to memory of 1512	2264	MFDBG.exe	36
PID 2264 wrote to memory of 1512	2264	MFDBG.exe	36
PID 3020 wrote to memory of 908	3020	RegAsm.exe	37
PID 3020 wrote to memory of 908	3020	RegAsm.exe	37
PID 3020 wrote to memory of 908	3020	RegAsm.exe	37
PID 3020 wrote to memory of 908	3020	RegAsm.exe	37
PID 3020 wrote to memory of 2776	3020	RegAsm.exe	39
PID 3020 wrote to memory of 2776	3020	RegAsm.exe	39
PID 3020 wrote to memory of 2776	3020	RegAsm.exe	39
PID 3020 wrote to memory of 2776	3020	RegAsm.exe	39
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 908 wrote to memory of 1556	908	ECGDBAEHIJ.exe	41
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 2776 wrote to memory of 1692	2776	EBAEBFIIEC.exe	42
PID 3020 wrote to memory of 2988	3020	RegAsm.exe	43
PID 3020 wrote to memory of 2988	3020	RegAsm.exe	43
PID 3020 wrote to memory of 2988	3020	RegAsm.exe	43
PID 3020 wrote to memory of 2988	3020	RegAsm.exe	43

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\ProgramData\AAFBAKECAE.exe
    "C:\ProgramData\AAFBAKECAE.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
      "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
- - C:\ProgramData\ECGDBAEHIJ.exe
    "C:\ProgramData\ECGDBAEHIJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1556
- - C:\ProgramData\EBAEBFIIEC.exe
    "C:\ProgramData\EBAEBFIIEC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGDHIEHJEBA.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:732
      - C:\Users\AdminGDHIEHJEBA.exe
        
        "C:\Users\AdminGDHIEHJEBA.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies system certificate store
        
        PID:2852
        
        C:\ProgramData\HJJEGCAAEC.exe
        
        "C:\ProgramData\HJJEGCAAEC.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\ProgramData\AEBAFBGIDH.exe
        
        "C:\ProgramData\AEBAFBGIDH.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1080
        10⤵
        Program crash
        
        PID:2712
        
        C:\ProgramData\GCGIDGCGIE.exe
        
        "C:\ProgramData\GCGIDGCGIE.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEGCBAFCFIJ.exe"
        10⤵
        
        PID:1084
        
        C:\Users\AdminEGCBAFCFIJ.exe
        
        "C:\Users\AdminEGCBAFCFIJ.exe"
        11⤵
        
        PID:1248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBKJKEBGDHD.exe"
        10⤵
        
        PID:2332
        
        C:\Users\AdminBKJKEBGDHD.exe
        
        "C:\Users\AdminBKJKEBGDHD.exe"
        11⤵
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGIEBFHCAKF.exe"
        10⤵
        
        PID:1508
        
        C:\Users\AdminGIEBFHCAKF.exe
        
        "C:\Users\AdminGIEBFHCAKF.exe"
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIIIIJDHJEGI" & exit
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCGDGCFBAEG.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:784
      - C:\Users\AdminCGDGCFBAEG.exe
        
        "C:\Users\AdminCGDGCFBAEG.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1088
        8⤵
        Program crash
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFHIIJDBKE.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1656
      - C:\Users\AdminCFHIIJDBKE.exe
        
        "C:\Users\AdminCFHIIJDBKE.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GDHCGDGIEBKJ" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ECGDBAEHIJ.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\FIEHIIIJDAAAAAAKECBF

Filesize
6KB

MD5
485f117be2a85ace033e56e5b3b647c7

SHA1
7e37f4232c0956d364bb4c7af27a526b81987d1c

SHA256
3d0603aadd87d02e53b6009940e1e240be519fb3bf2bc49b86360284472e32f5

SHA512
c40e182e90a31bc1fc72f8375c0ce59859a3dabb27d99ad674ac3c60aeea863bc5eb3f5595f42be5b59d8ab751740dec9b3e2e2c8e8ca45cfd75353d5633f32a

Download Submit
C:\ProgramData\GIIIIJDHJEGI\BGDBKK

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\GIIIIJDHJEGI\BGDBKK

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\GIIIIJDHJEGI\BKEHDG

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\GIIIIJDHJEGI\BKEHDG

Filesize
5.0MB

MD5
8691a71035e8ba85d578cb944c864a93

SHA1
4bf9b4ee3c56798a001ba56e80f14f4a23e21385

SHA256
1a1c0276d17e3a92faca1511e99fdceaa7f7c389dbb7e476e6d908466ce0a26d

SHA512
d3b18883d070a38c4abf7a060460f99f23ee5e2a08081275e324b4b2bd3c76368b80db433b8c58fd8fc69dc148216ce5acf534ba57e486bc7a7a057baac93bf4

Download Submit
C:\ProgramData\GIIIIJDHJEGI\FIEHII

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\HDAAAAFI

Filesize
92KB

MD5
e248975fcae2fff4649630d9421bd44e

SHA1
283f382e83b0767a0cd6b2d54bce3c1c315c60d6

SHA256
2e7470ccd25b6d7e9606f29643dbda3e3a4ef3f0575b2d074986c80cf8b148d2

SHA512
9bd5cf49a7773811d72be905cc8dfc2310f82899553c6f598a52b5dc261fc26191462855fdba8b3a83c8a317faed71a1a134df83f338c6c9442ee792cdf7428f

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
109KB

MD5
22c53d400bb8e6dacee7019703db340e

SHA1
a3d6fe2afe658092a0ef32855642d19ac2a71a49

SHA256
0ad39ec79686c76dc79281bf9fb448683cc3b1fff659c760a372b26b9e208e22

SHA512
d913f824f967f6e64987f19fd9e2805fa525b98232301a1b409807d4328c6b135b18f6402ff8ab9862e5a3efe192023b74cb88ed3366371120169859b0fe9a31

Download Submit
C:\ProgramData\mozglue.dll

Filesize
142KB

MD5
2ca40003773a3cdb32b4b2413c8e5fee

SHA1
8108c2b39931ea042f239530d8ff9feda3caa36b

SHA256
648b2664130340e8bd483aaa07bd3d209c231f49872280be6a281e1759914338

SHA512
ddee2360d8f2b8dafd541d4f4bcb925d2f8e203e8e193d5458e846ccc69b45e6c7f80c12a46cd579e87cb3a0916f59caf4501881c638692f43b671fb617755cf

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
173KB

MD5
76f85218c9fb42a4e1b366ae6f109a9b

SHA1
78122ab7e436491e71b6b37aae6bde19e8e5bf14

SHA256
c152c33df2adf335af3e0cf305020558bd5c3ba3ae0c8abf33e580076525ea9c

SHA512
e92699160ac191e64f27a223b3cc266a965b8fd0575e46ac7a3502c989b3f9d877e04c57469d5c87d2ae4fd8e6e92ca51ead9df4141058b154e9c4564729f515

Download Submit
C:\ProgramData\nss3.dll

Filesize
132KB

MD5
861a2c34c894d2310bcc4a1fc1c2cd4e

SHA1
c348fdfafe4f59b4fa4efa907ed3953a3dc274ad

SHA256
5979d75f3dffe06532d4bb3a206f798b03d112cf4c3b47706b905b3a5ca0c00f

SHA512
464f5c1ce5048253a68217b21ae037f9d031ffb0a7960083d34cf95f9f3cc46e15a05d21e3ba35e073e14fe3a514de7e224b274910707c277428f237d73d35fa

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
221KB

MD5
a1b42f5e664a162ae7e15a6ed01de74c

SHA1
9e30ad4f5c82120e3f5943bad2cb055982e22448

SHA256
90a19597854cbb449d84d51ef9c13f23607a6eae9bef73e81438a8777c6fb58a

SHA512
c9f643e9775604f820990c41d79ce97ae833e27720e4c2e80b55ebb45f42349c71d6c181c864f919dea00a9bec86dcfad0d845d7124cceb1040c64e1cec0b05e

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminGDHIEHJEBA.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
2b36821f56b5af8c6696d071788bdcbf

SHA1
19bc0e2633ad82f28beb4e7e72cf3b208f3ba435

SHA256
6bd2e70bec06d9aaf7d4a4e43e05ec5cd6d86ba1ee462a4a43881c5fc7e1ab02

SHA512
eebf46211ad75641582459ae8fbbefc29a6d402fc03576738dd8d9f17c9675a2befdcfa1d84120202e39a47bcf721e341cdd8628c5b269ee489f6ac038268f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e10aa6a7dfa0e5e3e42f1e29355ca315

SHA1
437607513d18d303c0d7b73b1f9f279d1e5adccd

SHA256
165f90559610fcd30cdf8c66b994407afdc4a879f335ef86b84bd1b010daff26

SHA512
5490ef2265204c3848290178d61a20daf85e9a784704ae3dda5719d0d9187bca462aa4b41d4b05f26a111aeb34555d3c48e7298a30a66a47c4c77e8a377a1e7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
22e8e79073c2a5e6f944dea57160ee6a

SHA1
8b482e927daf7b1bc98b842215410775e9c99da2

SHA256
ba9a99d211f9b75980761a1cf44529836c91ced8940d25350b2c8497a66d56f7

SHA512
6ce610b5807032b02b68806b9eace9f765d04889cd78280d306447d6076d41c48c10ccfdab90779b90025da9825fec1a66f9b62630db489b8232ad31b59a3954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\76561199780418869[1].htm

Filesize
33KB

MD5
0232bf5370d27c6b3c1968ab1222d638

SHA1
6d8b3e7dfabb07f9486f887b72b79d128e8fe13c

SHA256
f7a8a5afd5955256ca19c141f0424519c70d5a282609742cbe06840ed7e30869

SHA512
964dca1f4d33ab70eb829b94a2780f80a2392213735bc7898717507e07d146cd6381189265a0491cdca99fc25e62f6d00ee695bdec2c512767cfaf09fe142fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab58FB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar592D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d66e7a35ba54c2680aba8484ee7f3f0.lnk

Filesize
1022B

MD5
4e6a6745ab1da2ab4f6705c63569e528

SHA1
6502abf7be22a15ac76556f63d3fffa8f4aa6102

SHA256
f9bff5d0ed5b7e5a7e37bc7eb24b4ce3d41f2094b50e4ec34ed491e04ad1d57f

SHA512
f5fe19da607441f6f9e947e853ca31484c3acc3633bdc7a59081cfaa2a9a4833c7bbdd7d89347581ae94c35cb82a32c067ece7162b5c7f9fe889b22efe2f802f

Download Submit
\ProgramData\AAFBAKECAE.exe

Filesize
26KB

MD5
0677d5eb007dc9b0de2c5ddf8c3886d8

SHA1
d455b38856bb2a143e5edc2ade8db811e4e9a71b

SHA256
f33f40367e6a3878f2c8df07683413c77126150d076684fdbc295e9a7a0e5164

SHA512
983d9081093f838e6b1b2a5a70e4726caa8fe4a54e83c0bc66985751a88ca9122e5c14688d18c0b9b738195a22ac40900de39c4f49267dca72e22cc9aaa7bf88

Download Submit
\ProgramData\EBAEBFIIEC.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/336-744-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/792-740-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/908-578-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1040-731-0x00000000008C0000-0x0000000000928000-memory.dmp

Filesize
416KB

Download
memory/1248-1415-0x0000000000E90000-0x0000000000EF8000-memory.dmp

Filesize
416KB

Download
memory/1480-1229-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1512-536-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/1556-630-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1556-616-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1556-628-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1556-627-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1556-624-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1556-622-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1556-620-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1556-618-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1692-664-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1692-654-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1692-650-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1692-665-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1692-662-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1692-658-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1692-656-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1692-661-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1692-652-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1724-1263-0x0000000001040000-0x00000000010A0000-memory.dmp

Filesize
384KB

Download
memory/2248-13-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-0-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/2248-3-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-1-0x0000000000B40000-0x0000000000BA8000-memory.dmp

Filesize
416KB

Download
memory/2264-527-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2276-1293-0x0000000000210000-0x0000000000266000-memory.dmp

Filesize
344KB

Download
memory/2356-505-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2356-503-0x000000007339E000-0x000000007339F000-memory.dmp

Filesize
4KB

Download
memory/2616-1421-0x0000000000F70000-0x0000000000FD0000-memory.dmp

Filesize
384KB

Download
memory/2776-596-0x0000000000120000-0x0000000000176000-memory.dmp

Filesize
344KB

Download
memory/3008-1420-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/3020-361-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-12-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-17-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-15-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-4-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-158-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-177-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-197-0x0000000020090000-0x00000000202EF000-memory.dmp

Filesize
2.4MB

Download
memory/3020-211-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-237-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-382-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-423-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-442-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download