lumma | b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

403KB
MD5

80729909b073a23f2caf883d9b9dce98
SHA1

cf621df3f09b1103e247e1292e6c9d4894e90d92
SHA256

b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee
SHA512

e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05
SSDEEP

6144:E9rIJUWYO5Mge78Vh5bbBUey+J8f8IztggcO6T4++1dJBMD8tCQSexEO:EiJUWR5MgeChxBUew0IztgO1XJiDYhEO

Score

10^/10

lumma stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://stogeneratmns.shop/api

Signatures

Detect Vidar Stealer 25 IoCs

stealer

resource	yara_rule
behavioral2/memory/2808-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-6-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-35-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-52-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-53-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-77-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-78-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-85-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1252-86-0x0000000074AB0000-0x0000000075260000-memory.dmp	family_vidar_v7
behavioral2/memory/2808-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-243-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-256-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-257-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-272-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-273-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-289-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-290-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-320-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-321-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-328-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/116-329-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	AdminAEBGHDBKEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	MFDBG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab9e6200e67d40ceb81ff00011facaf8.lnk	AdminAEBGHDBKEB.exe

Executes dropped EXE 37 IoCs

pid	Process
4552	JJJKEHCAKF.exe
1528	GDGDHJJDGH.exe
4784	FCAECAKKFB.exe
2940	AdminCBKFBAECBA.exe
3212	AdminDHDBGHCBAE.exe
932	AdminIECFBKFHCA.exe
4832	JJJKEHCAKF.exe
1748	GHJDGDBFCB.exe
4780	GDGDHJJDGH.exe
3088	AdminDGHIDHCAAK.exe
4388	AdminKFCFBAAEHC.exe
3136	AdminCFBAKEHIEB.exe
3568	HIIIIEGHDG.exe
4924	HIIIIEGHDG.exe
2436	BGHIIJDGHC.exe
2308	AdminBGHIIJDGHC.exe
2676	AdminGDBFHDHJKK.exe
4000	AdminBGCFBGDHJK.exe
2808	EGHCBKKKFH.exe
2032	BAKFBKEHDB.exe
212	ECGDBFCBKF.exe
3340	AdminFHCBGIIJKE.exe
3604	AdminKFCFBAAEHC.exe
1512	AdminJDAEHJJECA.exe
4560	IJEGHJECFC.exe
3656	BAEHIEBGHD.exe
1144	AAKKKEBFCG.exe
3580	AdminGDBFHDHJKK.exe
2796	AdminJJJKEHCAKF.exe
1100	AdminEHJJECBKKE.exe
4480	HIIIIEGHDG.exe
4900	HIIIIEGHDG.exe
3092	JKJKJJDBKE.exe
3792	AdminEBAFHCBFHD.exe
1520	AdminFHIDBKFCAA.exe
3924	AdminAEBGHDBKEB.exe
4992	MFDBG.exe

Loads dropped DLL 24 IoCs

pid	Process
2808	RegAsm.exe
2808	RegAsm.exe
3956	RegAsm.exe
3956	RegAsm.exe
116	RegAsm.exe
116	RegAsm.exe
3700	RegAsm.exe
3700	RegAsm.exe
1972	RegAsm.exe
1972	RegAsm.exe
4352	RegAsm.exe
4352	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe
1320	RegAsm.exe
1320	RegAsm.exe
3260	RegAsm.exe
3260	RegAsm.exe
3292	RegAsm.exe
3292	RegAsm.exe
4820	RegAsm.exe
4820	RegAsm.exe
3324	RegAsm.exe
3324	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_3f14d74498d8495ea2d616064372a725 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	AdminAEBGHDBKEB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
330	api.ipify.org

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 2808	1252	file.exe	83
PID 1528 set thread context of 2064	1528	GDGDHJJDGH.exe	101
PID 4784 set thread context of 3956	4784	FCAECAKKFB.exe	105
PID 2940 set thread context of 116	2940	AdminCBKFBAECBA.exe	120
PID 3212 set thread context of 4404	3212	AdminDHDBGHCBAE.exe	124
PID 1748 set thread context of 4764	1748	GHJDGDBFCB.exe	134
PID 4780 set thread context of 3700	4780	GDGDHJJDGH.exe	140
PID 3088 set thread context of 1972	3088	AdminDGHIDHCAAK.exe	157
PID 4388 set thread context of 3992	4388	AdminKFCFBAAEHC.exe	158
PID 4924 set thread context of 2156	4924	HIIIIEGHDG.exe	166
PID 2436 set thread context of 4352	2436	BGHIIJDGHC.exe	170
PID 2308 set thread context of 228	2308	AdminBGHIIJDGHC.exe	184
PID 2676 set thread context of 4812	2676	AdminGDBFHDHJKK.exe	187
PID 2032 set thread context of 2620	2032	BAKFBKEHDB.exe	196
PID 212 set thread context of 1320	212	ECGDBFCBKF.exe	201
PID 3340 set thread context of 3260	3340	AdminFHCBGIIJKE.exe	215
PID 3604 set thread context of 3056	3604	AdminKFCFBAAEHC.exe	216
PID 3656 set thread context of 4160	3656	BAEHIEBGHD.exe	225
PID 1144 set thread context of 3292	1144	AAKKKEBFCG.exe	234
PID 3580 set thread context of 4820	3580	AdminGDBFHDHJKK.exe	248
PID 2796 set thread context of 4612	2796	AdminJJJKEHCAKF.exe	249
PID 4900 set thread context of 4916	4900	HIIIIEGHDG.exe	257
PID 3092 set thread context of 3324	3092	JKJKJJDBKE.exe	261

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
5044	4552	WerFault.exe	91
5036	932	WerFault.exe	116
2368	4832	WerFault.exe	127
1092	3136	WerFault.exe	151
2280	3568	WerFault.exe	159
2512	4000	WerFault.exe	181
2584	2808	WerFault.exe	188
3988	1512	WerFault.exe	212
1092	4560	WerFault.exe	217
1528	1100	WerFault.exe	245
3664	4480	WerFault.exe	250

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminDHDBGHCBAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHJDGDBFCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminGDBFHDHJKK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminDGHIDHCAAK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ECGDBFCBKF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IJEGHJECFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJJKEHCAKF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminKFCFBAAEHC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminKFCFBAAEHC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminFHCBGIIJKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDGDHJJDGH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BAKFBKEHDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BAEHIEBGHD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAKKKEBFCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIECFBKFHCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminBGHIIJDGHC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCFBAKEHIEB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HIIIIEGHDG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminEHJJECBKKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HIIIIEGHDG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDGDHJJDGH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminJDAEHJJECA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminJJJKEHCAKF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
1668	timeout.exe
3368	timeout.exe
2580	timeout.exe
5048	timeout.exe
1520	timeout.exe
2692	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	RegAsm.exe
2808	RegAsm.exe
2808	RegAsm.exe
2808	RegAsm.exe
2808	RegAsm.exe
2808	RegAsm.exe
2808	RegAsm.exe
2808	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe
3956	RegAsm.exe
3956	RegAsm.exe
3956	RegAsm.exe
3956	RegAsm.exe
116	RegAsm.exe
116	RegAsm.exe
4404	RegAsm.exe
4404	RegAsm.exe
4404	RegAsm.exe
4404	RegAsm.exe
116	RegAsm.exe
116	RegAsm.exe
116	RegAsm.exe
116	RegAsm.exe
116	RegAsm.exe
116	RegAsm.exe
4764	RegAsm.exe
4764	RegAsm.exe
4764	RegAsm.exe
4764	RegAsm.exe
3700	RegAsm.exe
3700	RegAsm.exe
3700	RegAsm.exe
3700	RegAsm.exe
1972	RegAsm.exe
1972	RegAsm.exe
3992	RegAsm.exe
3992	RegAsm.exe
3992	RegAsm.exe
3992	RegAsm.exe
1972	RegAsm.exe
1972	RegAsm.exe
1972	RegAsm.exe
1972	RegAsm.exe
1972	RegAsm.exe
1972	RegAsm.exe
4352	RegAsm.exe
4352	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
4352	RegAsm.exe
4352	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe
4812	RegAsm.exe
4812	RegAsm.exe
4812	RegAsm.exe
4812	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	MFDBG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 1252 wrote to memory of 2808	1252	file.exe	83
PID 2808 wrote to memory of 4552	2808	RegAsm.exe	91
PID 2808 wrote to memory of 4552	2808	RegAsm.exe	91
PID 2808 wrote to memory of 4552	2808	RegAsm.exe	91
PID 2808 wrote to memory of 1528	2808	RegAsm.exe	96
PID 2808 wrote to memory of 1528	2808	RegAsm.exe	96
PID 2808 wrote to memory of 1528	2808	RegAsm.exe	96
PID 2808 wrote to memory of 4784	2808	RegAsm.exe	98
PID 2808 wrote to memory of 4784	2808	RegAsm.exe	98
PID 2808 wrote to memory of 4784	2808	RegAsm.exe	98
PID 1528 wrote to memory of 4000	1528	GDGDHJJDGH.exe	100
PID 1528 wrote to memory of 4000	1528	GDGDHJJDGH.exe	100
PID 1528 wrote to memory of 4000	1528	GDGDHJJDGH.exe	100
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 1528 wrote to memory of 2064	1528	GDGDHJJDGH.exe	101
PID 2808 wrote to memory of 1252	2808	RegAsm.exe	102
PID 2808 wrote to memory of 1252	2808	RegAsm.exe	102
PID 2808 wrote to memory of 1252	2808	RegAsm.exe	102
PID 1252 wrote to memory of 3368	1252	cmd.exe	104
PID 1252 wrote to memory of 3368	1252	cmd.exe	104
PID 1252 wrote to memory of 3368	1252	cmd.exe	104
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 4784 wrote to memory of 3956	4784	FCAECAKKFB.exe	105
PID 3956 wrote to memory of 3620	3956	RegAsm.exe	106
PID 3956 wrote to memory of 3620	3956	RegAsm.exe	106
PID 3956 wrote to memory of 3620	3956	RegAsm.exe	106
PID 3620 wrote to memory of 2940	3620	cmd.exe	108
PID 3620 wrote to memory of 2940	3620	cmd.exe	108
PID 3620 wrote to memory of 2940	3620	cmd.exe	108
PID 3956 wrote to memory of 5068	3956	RegAsm.exe	110
PID 3956 wrote to memory of 5068	3956	RegAsm.exe	110
PID 3956 wrote to memory of 5068	3956	RegAsm.exe	110
PID 3956 wrote to memory of 1320	3956	RegAsm.exe	112
PID 3956 wrote to memory of 1320	3956	RegAsm.exe	112
PID 3956 wrote to memory of 1320	3956	RegAsm.exe	112
PID 5068 wrote to memory of 3212	5068	cmd.exe	114
PID 5068 wrote to memory of 3212	5068	cmd.exe	114
PID 5068 wrote to memory of 3212	5068	cmd.exe	114
PID 1320 wrote to memory of 932	1320	cmd.exe	116
PID 1320 wrote to memory of 932	1320	cmd.exe	116
PID 1320 wrote to memory of 932	1320	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\ProgramData\JJJKEHCAKF.exe
    "C:\ProgramData\JJJKEHCAKF.exe"
    3⤵
    - Executes dropped EXE
    PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1060
      4⤵
      Program crash
      PID:5044
- - C:\ProgramData\GDGDHJJDGH.exe
    "C:\ProgramData\GDGDHJJDGH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2064
- - C:\ProgramData\FCAECAKKFB.exe
    "C:\ProgramData\FCAECAKKFB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCBKFBAECBA.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Users\AdminCBKFBAECBA.exe
        
        "C:\Users\AdminCBKFBAECBA.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:116
        
        C:\ProgramData\JJJKEHCAKF.exe
        
        "C:\ProgramData\JJJKEHCAKF.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1056
        9⤵
        Program crash
        
        PID:2368
        
        C:\ProgramData\GHJDGDBFCB.exe
        
        "C:\ProgramData\GHJDGDBFCB.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
        
        C:\ProgramData\GDGDHJJDGH.exe
        
        "C:\ProgramData\GDGDHJJDGH.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDGHIDHCAAK.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Users\AdminDGHIDHCAAK.exe
        
        "C:\Users\AdminDGHIDHCAAK.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:2732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\ProgramData\HIIIIEGHDG.exe
        
        "C:\ProgramData\HIIIIEGHDG.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1060
        14⤵
        Program crash
        
        PID:2280
        
        C:\ProgramData\HIIIIEGHDG.exe
        
        "C:\ProgramData\HIIIIEGHDG.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
        
        C:\ProgramData\BGHIIJDGHC.exe
        
        "C:\ProgramData\BGHIIJDGHC.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBGHIIJDGHC.exe"
        15⤵
        
        PID:2184
        
        C:\Users\AdminBGHIIJDGHC.exe
        
        "C:\Users\AdminBGHIIJDGHC.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\ProgramData\EGHCBKKKFH.exe
        
        "C:\ProgramData\EGHCBKKKFH.exe"
        18⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1060
        19⤵
        Program crash
        
        PID:2584
        
        C:\ProgramData\BAKFBKEHDB.exe
        
        "C:\ProgramData\BAKFBKEHDB.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\ProgramData\ECGDBFCBKF.exe
        
        "C:\ProgramData\ECGDBFCBKF.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFHCBGIIJKE.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\AdminFHCBGIIJKE.exe
        
        "C:\Users\AdminFHCBGIIJKE.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:3260
        
        C:\ProgramData\IJEGHJECFC.exe
        
        "C:\ProgramData\IJEGHJECFC.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1060
        24⤵
        Program crash
        
        PID:1092
        
        C:\ProgramData\BAEHIEBGHD.exe
        
        "C:\ProgramData\BAEHIEBGHD.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:3684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\ProgramData\AAKKKEBFCG.exe
        
        "C:\ProgramData\AAKKKEBFCG.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:1680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:4568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGDBFHDHJKK.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Users\AdminGDBFHDHJKK.exe
        
        "C:\Users\AdminGDBFHDHJKK.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4820
        
        C:\ProgramData\HIIIIEGHDG.exe
        
        "C:\ProgramData\HIIIIEGHDG.exe"
        28⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1056
        29⤵
        Program crash
        
        PID:3664
        
        C:\ProgramData\HIIIIEGHDG.exe
        
        "C:\ProgramData\HIIIIEGHDG.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:4916
        
        C:\ProgramData\JKJKJJDBKE.exe
        
        "C:\ProgramData\JKJKJJDBKE.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEBAFHCBFHD.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Users\AdminEBAFHCBFHD.exe
        
        "C:\Users\AdminEBAFHCBFHD.exe"
        31⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFHIDBKFCAA.exe"
        30⤵
        
        PID:1600
        
        C:\Users\AdminFHIDBKFCAA.exe
        
        "C:\Users\AdminFHIDBKFCAA.exe"
        31⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:3800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAEBGHDBKEB.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Users\AdminAEBGHDBKEB.exe
        
        "C:\Users\AdminAEBGHDBKEB.exe"
        31⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        33⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDAEHJJECAEG" & exit
        28⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        29⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJJJKEHCAKF.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\AdminJJJKEHCAKF.exe
        
        "C:\Users\AdminJJJKEHCAKF.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEHJJECBKKE.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\AdminEHJJECBKKE.exe
        
        "C:\Users\AdminEHJJECBKKE.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1080
        27⤵
        Program crash
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KEGDBFIJKEBG" & exit
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        24⤵
        Delays execution with timeout.exe
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKFCFBAAEHC.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\AdminKFCFBAAEHC.exe
        
        "C:\Users\AdminKFCFBAAEHC.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJDAEHJJECA.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Users\AdminJDAEHJJECA.exe
        
        "C:\Users\AdminJDAEHJJECA.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1076
        22⤵
        Program crash
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIJKEHJJDAAK" & exit
        18⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        19⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGDBFHDHJKK.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Users\AdminGDBFHDHJKK.exe
        
        "C:\Users\AdminGDBFHDHJKK.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBGCFBGDHJK.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Users\AdminBGCFBGDHJK.exe
        
        "C:\Users\AdminBGCFBGDHJK.exe"
        16⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1072
        17⤵
        Program crash
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIDAECGDAFBA" & exit
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        14⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKFCFBAAEHC.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\AdminKFCFBAAEHC.exe
        
        "C:\Users\AdminKFCFBAAEHC.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFBAKEHIEB.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\AdminCFBAKEHIEB.exe
        
        "C:\Users\AdminCFBAKEHIEB.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1076
        12⤵
        Program crash
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECBKKEBKEBF" & exit
        8⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHDBGHCBAE.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Users\AdminDHDBGHCBAE.exe
        
        "C:\Users\AdminDHDBGHCBAE.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIECFBKFHCA.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Users\AdminIECFBKFHCA.exe
        
        "C:\Users\AdminIECFBKFHCA.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1072
        7⤵
        Program crash
        
        PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAEBFHJKJEBF" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 932 -ip 932
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4832 -ip 4832
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3136 -ip 3136
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3568 -ip 3568
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4000 -ip 4000
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2808 -ip 2808
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1512 -ip 1512
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4560 -ip 4560
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1100 -ip 1100
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4480 -ip 4480
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AEBKFIJE

Filesize
114KB

MD5
3cfabadfcb05a77b204fe1a6b09a5c90

SHA1
f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d

SHA256
693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c

SHA512
d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b

Download Submit
C:\ProgramData\BKJEHCAK

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\FCAECAKKFB.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\GDGDHJJDGH.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\IJKFHIIEHIEGDHJJJKFI

Filesize
11KB

MD5
73705cbd003958ee05edaad2c32f7ac6

SHA1
2325b05c1e46de2a176f09739eb905e937301d50

SHA256
03da02c524e3476ce55b2f0b3ae95434a10f0737c89752e36189ec5a87e91f96

SHA512
9a469a12ab9d3501f6ac6caeb1295d1d0e34c9eb43a383ec0d90af95dcb6dd703f5aa61a0d2a12c4a860d424e9f35ebac18cba77f24dea5f6af0cc552521193c

Download Submit
C:\ProgramData\JJJKEHCAKF.exe

Filesize
23KB

MD5
5c6e3bc21c044f3eaafb78a95da59678

SHA1
87b7544b6e165ea9b4cd14a203c1e8369fc68d0c

SHA256
dcea5c016aee094deb47607c1fc6c5698ce915dc1e1d515e2ca5c3e0019b2d40

SHA512
fc761169783e9c431a9ca16c490c8ea0ad62997a914c4fdc25fa3d2789b6bbeed042117194a2aa4b18bbce3b0bff9862aa56fced64d2b4dbb5c9bab113fe2c37

Download Submit
C:\ProgramData\KECBKKEBKEBF\DHDBGH

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\KECBKKEBKEBF\FBKKFB

Filesize
5.0MB

MD5
1e82b3787b23061611482cee72145da7

SHA1
83c11287d68a6f1e5cbb9b39755a85686257fd22

SHA256
e86af9a8d23096ac222c9d8416698c962074a9d367abb96680a1bf6c27b619ba

SHA512
729268b632b1ce38eb48bea4bd781e886ce04adda5e6ac2608de7023e1ab9e06e7fc304627f9b26e344c42fff603f49713758406002b600e7f844a0541659748

Download Submit
C:\ProgramData\KECBKKEBKEBF\FBKKFB

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\KECBKKEBKEBF\FIJKEH

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\KECBKKEBKEBF\FIJKEH

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\KECBKKEBKEBF\FIJKEH

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\KECBKKEBKEBF\KFCFBA

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\KECBKKEBKEBF\KFCFBA

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
5KB

MD5
05316256fc231667b11f963089a1c29f

SHA1
ab7c9a3b82a1eb0870f0ede33506d24e7cb0b8b0

SHA256
d3638a9f55bc228cbd203265cca97b3d0af50332ae09ca986e95f4922a13a427

SHA512
c7cc2fdfc1883e32060d1e6c24abc9692c824f8fbc70ca4bd913812437c5d89718c4fd9a2f96e436995ad3f84389e055d7041c09b117c0bacbc55084abd02fee

Download Submit
C:\ProgramData\mozglue.dll

Filesize
1024B

MD5
ef8872dbb1e0de26c4daadb4e2ba1231

SHA1
3d2931acbf70418c2e5d997efb92191a0aa1c370

SHA256
3c3473cd478011ef47a57b88ec6fda2427c944085bbb929bbde6ed88ba4cd624

SHA512
68aafdca48c3830d035fecec97fecfbe11f7691561e53cd9b8c126bc0a9675056f807869f6248ad9e3d8f6dcf0a5d7ce8355490aec7e2a09376ac0673a6392c4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
1024B

MD5
458532781441ed7f121a3cc4e6f63b14

SHA1
f3e84e6a4179fb84f0b0a008f858fd878a1d35b5

SHA256
be23585ccb1f4d5389af6747a03cb83f4508e333ea885027d04045fb7c6b5a5c

SHA512
3b823102f72d45527c51ad39de238cb4dc38a1b6bfa25c0087aa35d65f3628c4f0f2b718bdd8dc7abf4c69f67944d63ca2b7f402047946ce5d7950a961aefb56

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
1024B

MD5
f5e41b8019653f9d890f856e7042676e

SHA1
2937dad4d83da14f8c6304277924c45004718f99

SHA256
447721844cb2d6066639fda761ec369aabc28e9cbf883f60702a09fcc9fda51f

SHA512
8cef4c6bdee2cba6601e2b7302b05c7b9f63725d9b0dda6656263a82e5f54c030211dcf7d747c1a222206c9e84dbba25988a4ac9a5365e7dd6153a78e7d8f577

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminCBKFBAECBA.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
2b36821f56b5af8c6696d071788bdcbf

SHA1
19bc0e2633ad82f28beb4e7e72cf3b208f3ba435

SHA256
6bd2e70bec06d9aaf7d4a4e43e05ec5cd6d86ba1ee462a4a43881c5fc7e1ab02

SHA512
eebf46211ad75641582459ae8fbbefc29a6d402fc03576738dd8d9f17c9675a2befdcfa1d84120202e39a47bcf721e341cdd8628c5b269ee489f6ac038268f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
8dd67dfa2fd1cc8c8dcc3751b3a6484b

SHA1
39be85bf4e85cf132f88faac1f8e8da1d426abed

SHA256
5772f63196420179b1325839e7f0f139d900250a417396fcebb653ae0e94ab43

SHA512
ba69a0105a6746946373f31505abdeb43e07a73629e571796b1ecca90a093a2e7e2ce8bbd7f35a108b5ecaf54a7c3de5a731fd5323eab2ac6c42fafaf8c9dae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminDHDBGHCBAE.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\76561199780418869[1].htm

Filesize
33KB

MD5
37a9a236afac2e4c2f7c64c0633ec774

SHA1
2c78bc1b2ad2412d411518057c651fb38fbfd903

SHA256
ddec60cf3733e53f43fcbc2465fa526d2949d5d97782be2be825f3e89dfde5cf

SHA512
019220ccb7148b4abea5053eda9af23596db7d32e2aeed01bb8b547763817681cc643fda21faa69c0cad69e6c19c83b2eb5b719dcf2fff8ebc0d9436bf5c5d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKVWVXN7\76561199780418869[1].htm

Filesize
33KB

MD5
de853dab3a387fbbf0936ff56668a2d2

SHA1
2890344d6dbcb0ea306174994404018854e8cfc2

SHA256
d983c31b565d4a0d9a8feb5e4bcc21c176c9d80786dad1df3231c9f0bd28e32e

SHA512
be5a1febe7fc194a7209868c35f3c981c7b93ce7f5042eac7a48d05aa576ef0e49b39b00714e0d4679f0c93f937aac0ef0da4adcdcff2c9213f2cc8a22c0ce2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKVWVXN7\76561199780418869[1].htm

Filesize
33KB

MD5
597a174e67d2242e9a9c85f269a336d1

SHA1
ddea36eda86245df29dea495e3fa546a4c0190d6

SHA256
3735a3398a51da8e6b97ef393227839b5d3827379446dee9b75122abc908744d

SHA512
5a299f550153052a443494ce27d422cd2275ace4a7877c698187e5e46aa13c5efeac7101b4180292fe582e91ab155f8bdd18767e989485467a92b15a66e40a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe

Filesize
23KB

MD5
56d135563e4ea79d80bd9528aef278b2

SHA1
3814b2f307e7c2cd1b9502218d261ac80c477822

SHA256
c5bde9544e65b4036c78085a5f3ba08968e644c0ede610bb665d381a054ef977

SHA512
93afd764790fe9fe487bde0c2592abd2f34dc125655efffca0b680ef45f78f84abe32a00c08f149ac764857f12f10b68c71ec0d9dc491e799aebae57aa331c14

Download Submit
memory/116-257-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-256-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-273-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-329-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-328-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-272-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-321-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-320-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-289-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-243-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/116-258-0x0000000022A00000-0x0000000022C5F000-memory.dmp

Filesize
2.4MB

Download
memory/116-290-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1252-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1252-11-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/1252-86-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/1252-1-0x0000000000AC0000-0x0000000000B28000-memory.dmp

Filesize
416KB

Download
memory/1528-120-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2064-136-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2064-140-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2064-138-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2808-35-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-52-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-20-0x00000000229F0000-0x0000000022C4F000-memory.dmp

Filesize
2.4MB

Download
memory/2808-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-77-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-85-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-78-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2808-53-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3924-1302-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/3956-144-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3956-145-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3956-142-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4404-254-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4552-106-0x0000000072300000-0x0000000072AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4552-105-0x0000000072300000-0x0000000072AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4552-102-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/4552-101-0x000000007230E000-0x000000007230F000-memory.dmp

Filesize
4KB

Download
memory/4784-134-0x0000000000B90000-0x0000000000BE6000-memory.dmp

Filesize
344KB

Download