stealc | a383f198e76031c2defef77e3b68119cce7eca4b64d3afcc477610c3399373aa

Analysis

max time kernel
20s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

403KB
MD5

fdd34557ce266b92abb5f2c188bc0b31
SHA1

6e3ed4a740842653f6029e2147652d779baa40aa
SHA256

a383f198e76031c2defef77e3b68119cce7eca4b64d3afcc477610c3399373aa
SHA512

313abe34a6d22e4e5aa66d45f7454207d671e214037932442641671beea0b1787f0cfb40988a5ba8e6f524af0ede974ed97b80ecb2888ed99a723403bc9eaa9d
SSDEEP

12288:mPy6bZeOTlVMMIEY3kVQWk5ogbr/ojdiEO:aDJTHlIEYpWg3/o8t

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a 58cd250b15e666e5f72fcf5caa6cb131 default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

58cd250b15e666e5f72fcf5caa6cb131

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 26 IoCs

stealer

resource	yara_rule
behavioral2/memory/3568-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-7-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-35-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-52-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-53-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-78-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-79-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-86-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3568-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-3571-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-3573-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-3569-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-4577-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-4740-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-4943-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-5120-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-5140-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-5308-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-6091-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-6262-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-6528-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2248-6668-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	KFIEHIIIJD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MFDBG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30aaed24800844eea0c4e60b6a13f7ba.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b20b1a38e3bf47a58b818fa3e0d20497.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_465c5d280ce14468a140bbc236f65aa7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bb8a4a7082a04db696be6d10b1c2737a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_09b670527ac04c2c93ad3fe4efaed079.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b709838a0864495bb963e249cad4eab1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e483879b398240a88eab296f7401d94a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7aa297cdd2e342b9ba3b52d08c6fabe0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_924fc71b6e3d41478abf596d6e055913.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c26c03d796194308885d7f947fb57561.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_12b75ee72a374b64876d555d7128e295.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c8e966d0953243dcb4d0671bed6b328f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ac864f1070894bd8bb7015e2ad6bb41b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7f1417473185493f9a6b92513857cb4d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab673e51396f47939a6e386636ae569f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3fb377aa21fc4234a113daf187bb1905.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3da4681e9e564a15a0606fe6208c3db1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ee09080bc8b4f8e82da881dd76512ae.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1dac8f3efd824284bb159d8ef7c48d4a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d70213751cf9431dbec7c59faebf9a40.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4e6cddd2c0c647fb82a1d350ddb4c4e8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b134d057357c4fdba80741c877b24056.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1a251560bcda41e38d498444009ff1ea.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_67fed8f8cf4b46eaa289ae28660b571c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2ad4e48c994040da96d2dad39a33fc1f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c45a9f0c552e49049fb0659dba543683.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a61d7d66cf9b437386f19ed80a0c5c88.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d1d41982bf4a411383053b9b53549c2c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_72fe127701f244d992fefd34f35be7d0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7c1576b4eaab491f90ec158dbbb1e00a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4dba73364588443aa0d768cac84ccb06.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bad2df9799f144b2ba426567cbb56ee9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_942f53d8a78e4646b5a68249b7379b09.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3dcbec0d96fd430d8add9f733d559bc4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_73d19d3be4c4490ea12bc391261b4dc8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_51d7c18a07c3494083a39d87ca7ad6d8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d9c7c3dc34fc45fbaee3434416632c7c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_83c6fb5a65ef4ba99321da75c21d1261.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_233d108c4d4d430a8f308c1815701bd6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_68b3ecf0cbd44562a60075d4829eadd5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_05869780b717413ba71971e9b7ac50cb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_072fe7fc42b542718b7d91addf131e3d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b84b75f54c144c309f7b31fa91bc3823.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ca0338656be74faab5893acce9b0a440.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c7aceab75e94da8a753508be0ddd11b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_97ef8f1cfc2a4c448a8f4ec857e75ffe.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6f2af984d5a94f07ba3126c99fdc9568.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dafa918f4f714c79a4face1997c2a013.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_62bb1d3a91124bb0b544332507c5c07a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0ac24d02c36649d596a92d4e2ff69a62.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a794d641d5141b0a5ce88cedee8a982.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_412b999505e642a7a8c22f9a10433ef9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5dd5064468084d61a47654797059bfbf.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b2be654257214ad99304868be973cfc2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_57098aa4052146b8b033c63bea4c93dd.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6d1ff68d45647a59d21e76c3a9de84a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aa55b1be668c4d99be7e38660a5d912a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_04225af2337945fb910052c4ebc9b4ec.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c68deb2bb86c476fb072a07528df3726.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d1a6215eb6174c668b549676ccae7e25.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fba2174dcab94df4ad64a7fa89e754da.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_baef7497daee4165a8dd8a7ff1b67583.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0780a34575ae4b7a9b2fd15f2b67ddac.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3730c25b714d47bf9827ac5f46a4150c.lnk	KFIEHIIIJD.exe

Executes dropped EXE 4 IoCs

pid	Process
3264	KFIEHIIIJD.exe
2404	MFDBG.exe
2540	FCAAEBFHJJ.exe
4316	FDWDZ.exe

Loads dropped DLL 2 IoCs

pid	Process
3568	RegAsm.exe
3568	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_1bdc73172f31457f9e3cbe9ef69eddff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	KFIEHIIIJD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4012 set thread context of 3568	4012	file.exe	83

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KFIEHIIIJD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FCAAEBFHJJ.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3588	timeout.exe
3264	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	RegAsm.exe
3568	RegAsm.exe
3568	RegAsm.exe
3568	RegAsm.exe
3568	RegAsm.exe
3568	RegAsm.exe
2404	MFDBG.exe
2404	MFDBG.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe
4316	FDWDZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	MFDBG.exe
Token: SeDebugPrivilege	4316	FDWDZ.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 4012 wrote to memory of 3568	4012	file.exe	83
PID 3568 wrote to memory of 3264	3568	RegAsm.exe	91
PID 3568 wrote to memory of 3264	3568	RegAsm.exe	91
PID 3568 wrote to memory of 3264	3568	RegAsm.exe	91
PID 3264 wrote to memory of 2404	3264	KFIEHIIIJD.exe	93
PID 3264 wrote to memory of 2404	3264	KFIEHIIIJD.exe	93
PID 3264 wrote to memory of 2404	3264	KFIEHIIIJD.exe	93
PID 3568 wrote to memory of 2540	3568	RegAsm.exe	94
PID 3568 wrote to memory of 2540	3568	RegAsm.exe	94
PID 3568 wrote to memory of 2540	3568	RegAsm.exe	94
PID 2404 wrote to memory of 4316	2404	MFDBG.exe	96
PID 2404 wrote to memory of 4316	2404	MFDBG.exe	96
PID 2404 wrote to memory of 4316	2404	MFDBG.exe	96

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\ProgramData\KFIEHIIIJD.exe
    "C:\ProgramData\KFIEHIIIJD.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
      "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
- - C:\ProgramData\FCAAEBFHJJ.exe
    "C:\ProgramData\FCAAEBFHJJ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2188
- - C:\ProgramData\BKKJDBFBKK.exe
    "C:\ProgramData\BKKJDBFBKK.exe"
    3⤵
    PID:4868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKEGCBFCBFB.exe"
        5⤵
        
        PID:2232
      - C:\Users\AdminKEGCBFCBFB.exe
        
        "C:\Users\AdminKEGCBFCBFB.exe"
        6⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2248
        
        C:\ProgramData\KJDGDGDHDG.exe
        
        "C:\ProgramData\KJDGDGDHDG.exe"
        8⤵
        
        PID:4588
        
        C:\ProgramData\GHDHDGHJEB.exe
        
        "C:\ProgramData\GHDHDGHJEB.exe"
        8⤵
        
        PID:4472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:1920
        
        C:\ProgramData\CFHDBFIEGI.exe
        
        "C:\ProgramData\CFHDBFIEGI.exe"
        8⤵
        
        PID:5052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAFCBFIJEHD.exe"
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAFCBFIJEHD.exe"
        10⤵
        
        PID:1304
        
        C:\Users\AdminAFCBFIJEHD.exe
        
        "C:\Users\AdminAFCBFIJEHD.exe"
        11⤵
        
        PID:3428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAKKKFBGDHJ.exe"
        10⤵
        
        PID:2152
        
        C:\Users\AdminAKKKFBGDHJ.exe
        
        "C:\Users\AdminAKKKFBGDHJ.exe"
        11⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKFCBAEHCAEG" & exit
        8⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        9⤵
        Delays execution with timeout.exe
        
        PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBFHDHJKKJD.exe"
        5⤵
        
        PID:1892
      - C:\Users\AdminBFHDHJKKJD.exe
        
        "C:\Users\AdminBFHDHJKKJD.exe"
        6⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4124
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHJDAKFBFBF.exe"
        5⤵
        
        PID:1660
      - C:\Users\AdminHJDAKFBFBF.exe
        
        "C:\Users\AdminHJDAKFBFBF.exe"
        6⤵
        
        PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAKKKFBFIDGD" & exit
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAAAKJKJ

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\BKKJDBFBKK.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\CFCGIIEH

Filesize
114KB

MD5
35fb57f056b0f47185c5dfb9a0939dba

SHA1
7c1b0bbbb77dbe46286078bca427202d494a5d36

SHA256
1dc436687ed65d9f2fcda9a68a812346f56f566f7671cbe1be0beaa157045294

SHA512
531351adffddc5a9c8c9d1fcba531d85747be0927156bae79106114b4bdc3f2fd2570c97bbfcec09265dcc87ed286655f2ab15fb3c7af0ad638a67a738f504c7

Download Submit
C:\ProgramData\FCAAEBFHJJ.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\JKFCBAEHCAEGDHJKFHJK

Filesize
11KB

MD5
cac41d09ce6832b7c4f8efa824089d8e

SHA1
b249012c97c4761305e3cd1d75a957a258913424

SHA256
022a2d933b705ad71228815a8d99617cd7b6dc27e323c2e36563beb4abb5733d

SHA512
361c522926c25e326cb105584f2e5538e82017ca97c8c3c7ad24bdd744b981b8e578164fe94d9d4eeee3d895e488c21cf3fed2bb0d573a13ea98da65f8085f7f

Download Submit
C:\ProgramData\JKFCBAEHCAEG\BKKJDB

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\JKFCBAEHCAEG\DHDHCG

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\JKFCBAEHCAEG\EGDGIE

Filesize
5.0MB

MD5
14640ede02774424a6e16d3c3b459bd0

SHA1
00915b6769e94bc726b64a2decc881262b4f1b9f

SHA256
676e950074a335c14afceb09c942c56ad0988ad04221949f6bd83b67570d4483

SHA512
63b063abac61c8fabd140b138a629bc029bf82174578c7e018b12c831285cd30ec53bd43ce1243d903dcddd87facf6c740d04048512f8e42a84d4606365c47fc

Download Submit
C:\ProgramData\JKFCBAEHCAEG\EGDGIE

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\JKFCBAEHCAEG\IDHDGI

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\JKFCBAEHCAEG\JKFCBA

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\JKFCBAEHCAEG\JKFCBA

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\JKFCBAEHCAEG\JKFCBA

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\KFIEHIIIJD.exe

Filesize
26KB

MD5
0677d5eb007dc9b0de2c5ddf8c3886d8

SHA1
d455b38856bb2a143e5edc2ade8db811e4e9a71b

SHA256
f33f40367e6a3878f2c8df07683413c77126150d076684fdbc295e9a7a0e5164

SHA512
983d9081093f838e6b1b2a5a70e4726caa8fe4a54e83c0bc66985751a88ca9122e5c14688d18c0b9b738195a22ac40900de39c4f49267dca72e22cc9aaa7bf88

Download Submit
C:\ProgramData\freebl3.dll

Filesize
48KB

MD5
a82f8f3bb6783a9c1275da8a12fce484

SHA1
21d844f3d86d6ba2114c4baaa6309074c26d79e3

SHA256
bde016ae5a149d3702bb29b1a0944a06c2fff82c29bfa3d75595765bcaf88bd9

SHA512
8d2ddc8b1ccacde8dd4eac0e3d03036c3c3441cc45aad7e424e8d5300354a5dc7488b46105d121ca16870906cbe7a64ecb6529b355cadfc3ca18f57cffeb14ef

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
40KB

MD5
c6a7f4fe82fdb6d407e203350b4d2e28

SHA1
f37dd2b37901ff1131bb05609b91dea1b5096bb9

SHA256
5190cf7fde67a814617f158c8ce09ea384778b69da9c0eca88b540473d90105d

SHA512
62217f2044ba117b9b7bbe524abe9c2de91ad651ea41c8544ab9fc8276fde1337b1902cebb4261df60b487df29928996e38c6d1770ee5bf99cb685b6686ac789

Download Submit
C:\ProgramData\mozglue.dll

Filesize
166KB

MD5
a9fcea1ea3e5723251e2a81b28166e4e

SHA1
85c88a872ffe7fce4827b5494d5fe1876b955366

SHA256
803f2a44175395aed1aa9e53e535baed43b247bab456878e7232d8614b4a8237

SHA512
1e358151e48417c34fa5145721f6e93c19bde0dbf9daad593d7823099965b4d8271c9dc70f87309d9250d84f1f414b650d86a6505f8f04e1fd04906df23f6863

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
93KB

MD5
915b693b06e755d222e1329b417c9dbd

SHA1
7115c319850d3c649a9f382b2ac4c8b26bc8be4c

SHA256
65a7cfdc0dd8ca4179c30606c322862e6e78ed66860961e8457ae71f6d82ba7f

SHA512
b81710e1c6f577b6003cc4400307659c81953ccd7d6c7c41f8b76fc2abed1efd3c4b2154e16ddc7bbefa3a474f9e5b4ce665cb1e0d394c9a6389b5300b62b1fe

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
144KB

MD5
dd92bd8410219b48226f76374faebe35

SHA1
af7e8e33fcddf8c4bbae84e5df4d0b27f81b5809

SHA256
5411c39c7017c2f43ad0c52edd07511ce12f5c529c8e5250e78fa7fa975cab60

SHA512
5ef98cf3ec79ad1431b94e1620c470953adf68e266400cc149cfc2596e3cb6f5930725f4eeaa9d73dfc8e48523036734223de619bc6f333cf516c6af68020456

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
99KB

MD5
14ae101ba3cb1155ad5fcefabd99763a

SHA1
ee17b2b655f97ec0df050cf3772b93a8cc86867a

SHA256
c984e5bb723514de70fc7c5fd63c82179b6aad98b43e46a8468426394ecf7041

SHA512
51c34c33fd0ce8047c9580defa277fc120d864f052971bd35dd8425cd2e955164ed4abb790c7bef3ea7264cee45abd3be50476d1f80e1a4039a303acdba70939

Download Submit
C:\ProgramData\nss3.dll

Filesize
101KB

MD5
e8ffdd1a3dd889d0d77f7248b3c851a3

SHA1
7abe94632a8bc65ec43200d59c6aabf74862ad11

SHA256
8675344dc69e8c98439fcb28fff49e2b3b3a48d0246f5ad5b10b70ac9f4bfe7e

SHA512
85e1bcc823b74f693753e8ba02f3990120f098ea35ee996a82ff8460280572791389184358527ef3014e6bab084daf316489f4fa6062d3b694c6b84f5bd55043

Download Submit
C:\ProgramData\nss3.dll

Filesize
148KB

MD5
d1975de33bdf08156c12ee5909a6fc3a

SHA1
2c29f9ef9492691a884f4572a5f9ab0185540522

SHA256
fc0e9db0473ff548f512e1b8e8a34b6801fe21cd366432bba46ba6fa4326e372

SHA512
219e99b48a84243a75b6ea62ccb2932dfd7d57d38ccd5f46543d11e0c98e86c6a61efdb631e1bdd1cfd274686509496be5ea61da589ad1fe2519556547ba0a49

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
59KB

MD5
c887527ccb0abc7d0c7d60eabe79a757

SHA1
6496f4a0ad52c4842d9a7895c85094b5b7a201ed

SHA256
4eff10b1e21479a801421e359f0bed0d44bd608d3252c78621027d5c48223c1f

SHA512
a4d8fa55c4b7e98a63aa4d6c9ba2f675335589b3a30346e620a7cc5367818b2e87678f8f7d0b85d9712db84399ff85a3b28cae0048eac9cc600995951ccd82e6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
160KB

MD5
ccb4f8a17af01d9bed874d886df81b46

SHA1
4ec04e71f2c20e0235a7c331a69ad104a5842157

SHA256
f4b76c8abacaed6bf0224ffbbc444f20c8ee376374bb929ff67ab57bff4f8b1d

SHA512
046c6a7bccbf82d3ceed008802558698c8459a2bf8dc408f9d86b12a8799939d021f5ef7f6a7a9f36d692c0a3ad923a09e2ab566d1e8f89d48fca5cc2420ebb6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminKEGCBFCBFB.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
2b36821f56b5af8c6696d071788bdcbf

SHA1
19bc0e2633ad82f28beb4e7e72cf3b208f3ba435

SHA256
6bd2e70bec06d9aaf7d4a4e43e05ec5cd6d86ba1ee462a4a43881c5fc7e1ab02

SHA512
eebf46211ad75641582459ae8fbbefc29a6d402fc03576738dd8d9f17c9675a2befdcfa1d84120202e39a47bcf721e341cdd8628c5b269ee489f6ac038268f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
a1a437fa66fcde394dd2002d7b35e1d6

SHA1
5eaf4f7bbb9e1780fc883100b8754a7266646595

SHA256
c49d907dc4a1b31536effcbc481242f902c363a6a81a574aa6a19a9515dc4c8a

SHA512
14d374b6a6fd094817245a15fe1b47bf6b8a983b084c6dbc3b3c68e74a99b45f15d591dfdc56a90ad547bbf0450513c434c85cf0e60bc809afc1c5efa83cf4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminKEGCBFCBFB.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\76561199780418869[1].htm

Filesize
33KB

MD5
dbf9acd2681d64ccb81acce9f0217c8e

SHA1
aebe0aa1a6328fa41a493acf4ea09ddac6789fb0

SHA256
65ffffbb8d8653f921b88f3b7f955ab7563e2907a874757142e2e5fdb78e84c8

SHA512
573d705e78d217096b0eb7a43f9515535f05fcf4fb51662755b8c4eefa600245b267816d0e28ded83a715c7f9a89fcdcce9a915fc4e7476009bed57adfc186a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_175436331de74fc981301f944ecc9427.lnk

Filesize
1KB

MD5
0480dbc05a3a631e9a581f9a87632126

SHA1
4d795afed6932fb75caa3ca19be93ae00c286f3f

SHA256
43ac9ab9ad53cc0ea1a049b1edd67dbc140d21d8abce881781da9ea9bc777ee5

SHA512
e11ac489c1e6baa56ab861059f5ded6d752cf2f7238f2073919ed5b9c791c01a4713db847d285451159d9c7d63c12fbd9fc33bdbbdb53a36a4d550beb7900b01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3730c25b714d47bf9827ac5f46a4150c.lnk

Filesize
1KB

MD5
8d70c56c8bb4596a14dd608a8fc2306a

SHA1
514bba5168ea7517a30e339762891483cf96dd04

SHA256
f1d09cc97aec16a35929a4fa83d4562da8cd9ee00c4587a37527e4d7ea30379c

SHA512
6ef7b1c52cb1f8a725ccda04fa76d7164c2c5e5c3310cfb043fb501a3c7db77dc0fd75966cad67c7c450a57c5d886fb42d528f33a48c058f4376be70eea4ddfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5bf234f2b3e04170b9f3948d8fd9beb4.lnk

Filesize
1KB

MD5
13f8627b0a05c0e3247f677e0e16113f

SHA1
fc5ae3f9e892600bb1b0954e2a02969759fd8cc7

SHA256
0ca8990957f8d28001e114648ddeb57b21eed874dd54aff7b3dd3807a8d0fdf0

SHA512
717f9f4fbd6de454b315db0d1673c45df371af91fce3dc699083fd27b5bb4d9d89689373d3dc627c1b007aa0139915983f15a09fd777148d72ac3a3ff8ce3e82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_66b0ef259b044d50ac22ccec85af19d3.lnk

Filesize
1KB

MD5
661214f52b9a3c733669aff26108ecc6

SHA1
03e42e0f0b23ecf30556a598a91a73d0d0d35d7a

SHA256
fac0f055e7e44e967cb51a0035bc566d67fa937c476c2862b67e2b74bc0074d2

SHA512
ec0fb72728d494ebdf5646f1e0b1178cc085a372e81c8f05bc5cec3d85025eeab9d545d592bac022d77d5c6df8c7f682a5f4b468ee6f05eff7ee6cac0e6af6af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78fe51f9fe4d4ce1bce6d5fb21db4803.lnk

Filesize
1KB

MD5
74d8ff97cb40a8c25a907dc089637070

SHA1
80fc025ec1c1b840fe84287d818bcec3ce797db9

SHA256
8d70bff6ed07f30397f37355d5f82545ee3a5e972efb677bc56ae648af8abc37

SHA512
0de816dc958a1220ab97a83e8e91d426199c71d198eb5f203fafbc0b2bae1f624c67adff8c21da40c98c92c6ce2576e4252aa99e29fcd2b784a77e2e97cdc1be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_853c97039d7d4d9f82b32b87f0bc9cd9.lnk

Filesize
1KB

MD5
3948f7f523c0f6207889ea25d74f3e66

SHA1
78fec4f28d2b5190791c769382ae9e239de5a043

SHA256
a2fca53738f60b86d180515f1154b79cb25e9cc5de1ba01c3b907779e5a85fb1

SHA512
b007ba200fed3544e7c9a532f7652897d15da2d8b627f8d2cb2f7b57b229bdf12361f2af70d78312a6877e6d5f24559a55eb156623787d0ecae8a0e02b405bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a8eaf7274a7f420aa2ae8a3de7503a39.lnk

Filesize
1KB

MD5
c455105ea08ac6e3431bbb6a8ab74e8c

SHA1
1cc70cd1cb07435a2a3638c7bc5d60959a01b1bd

SHA256
b65dc94d1373b0d79704e72b908adeb2938bbed01ca50cdbd78f12c4af64fe64

SHA512
9c115c93375ea2084de934e8ecf9b8c88fa3d3c654efbaeddf8b58d7ced25abcf65b6f594156be804d2193a0e6c72b67c21bf0cfa0eaff06b384e28d56e34a9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c048ce03522e4b9183700f0fad4e8567.lnk

Filesize
1KB

MD5
aaf25fc850a9de171c2db0df33b51f5b

SHA1
17932bd7630272eb1d3f9da1b09ecea5c00c6a6d

SHA256
8b99ce08bc850b76c93819a1ab9d9b2d7947f597587374f4d9657f033f310fdc

SHA512
83085734fccce57c95d73bbec7d425a84848f51a5273f129dd5626da796795465ef6e2ad7cc07173c675b5a6a02f5309c3200168fc73afa4cb737d72364ad2f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d86b81e1cf674bfe93b586d72992308f.lnk

Filesize
1KB

MD5
4deebd712de578a3174de843445c0c72

SHA1
b26ba15e6f730134beea41332b787cf0d9db81bc

SHA256
05b9577274799ba3288975cd3fcd5ea41644f67ff64e0ffe345c96c8170a82ac

SHA512
49e18c254cef640814c50a58c0f0ed1fbf3c4c1c0b8a01c48bf6c6d7ee23348ca54ff94f5b0a435c880caafa4a947f3c3b03237ab7a0b40970b046536fd94966

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dc6c4a80e1e843f5a437d937f1580e4f.lnk

Filesize
1KB

MD5
4de07b4595d3955b3591ac67dbe5bdf9

SHA1
c8954a0b929e42c0bd923de84c4f3be11ee8ca85

SHA256
41eb4c59ef86fd02aff02eb284a5d091eb2a5e88cfe51335b5978654bcc0f27f

SHA512
7c18a56212cdc072e7021a6fdac64fbd9f43927e7cc19d97a0bccd7871057c6662b556b0d06e1d56fa2394e65f746e9c42bb2c51aa7e81f33c4af5d3d34979b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e1f4cca8420f49279e7bfed7d49ffb61.lnk

Filesize
1KB

MD5
077614db337425115e53796910c275a3

SHA1
25483fa12912818513d6498f21a4251e225fee90

SHA256
f8d7c68964de3cf9c5097f526d756bbeafe728c4c8938e8c58b243f5e780ae05

SHA512
b83e6d9224a6be9174467a49eb4591f82390df2a2eccd3114aa9911c301f13ef5726ba2e06eaa8e10fbe48f4e058b29abe8552a9fe4a77966255f33bbe3db8bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f10240eba45a4c5695197b768ebaee30.lnk

Filesize
1KB

MD5
9ab916d59261769a89390adb9c1dbd7f

SHA1
bc2b74a9802303707e52bc61651f95f32b5636d2

SHA256
68d3d0f69e4b1223e5031ff8e140fb03d2434299fd2581dd01faf177022c9fa3

SHA512
c66f1376ac9ac518f5a44772384d34dd023aeb6f49be80efa71cb74c070f986ea9417a5f5bd24f59249930f8856a33a23be3f8847f8c69c8688ec5e3c6e6938f

Download Submit
memory/2004-1773-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2004-1223-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2004-1227-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2184-2978-0x0000000000970000-0x00000000009D8000-memory.dmp

Filesize
416KB

Download
memory/2188-760-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2188-762-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2188-756-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2248-4943-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-5120-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-6262-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-3571-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-3573-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-5140-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-3569-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-6091-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-4919-0x0000000022730000-0x000000002298F000-memory.dmp

Filesize
2.4MB

Download
memory/2248-5308-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-6668-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-4577-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-4740-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2248-6528-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2540-142-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3264-119-0x00000000720D0000-0x0000000072880000-memory.dmp

Filesize
7.7MB

Download
memory/3264-100-0x00000000720DE000-0x00000000720DF000-memory.dmp

Filesize
4KB

Download
memory/3264-101-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/3264-104-0x00000000720D0000-0x0000000072880000-memory.dmp

Filesize
7.7MB

Download
memory/3568-21-0x00000000226A0000-0x00000000228FF000-memory.dmp

Filesize
2.4MB

Download
memory/3568-78-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-53-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-79-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-52-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-35-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-86-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3568-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4012-1-0x0000000000790000-0x00000000007F8000-memory.dmp

Filesize
416KB

Download
memory/4012-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4012-60-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4012-5-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4124-3805-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4868-663-0x0000000000EC0000-0x0000000000F16000-memory.dmp

Filesize
344KB

Download