stealc | 6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185

Analysis

max time kernel
16s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe
Size

326KB
MD5

56bbebff4b50d8298e46f3312915694c
SHA1

f83e6487506067aab52550faf4179ecac77b17ee
SHA256

6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
SHA512

5612e0a314333d99d116e4333a7d5054e59b03b7cc1e31635866acbf58f5f7c6977d5fbac1ba7cee22759377ab8515131e9789b803b597d038f4c84e90e2e410
SSDEEP

6144:9HjkqhJNb+r7hwLDH1L3nbGIR1M34fHwTDIlpCUOS7YYCUEO:Fj3Jb+QDHRX/rMAHouFOS7Y6EO

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/2956-307-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-309-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-301-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-2039-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-2151-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-2262-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-2379-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-2406-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-2510-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-2937-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-3059-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-3317-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2956-3413-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	AdminAEHIECAFCG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	MFDBG.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ed6a54086dd04b718eac3f760e82d7fa.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ddeacfcbf3794a99ae7e5a07453571ff.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f174cc9786b14c95830a51b62a737454.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_33c40669f95c4790a4bb4a4803774226.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da0c7b1cd2fb4c30bda6085366a88166.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d9576e5eda614ba9ad2fa6ba127ee886.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b450d5764a4440c888d382b9cb014a9e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3e36519259064b8ca87589c1c0d771be.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d858ef72c11141ba86be34f386d27ac5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ce669ee791e84e6b8ba0661fb6a941b9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ccaefbe382740c6855d380a58709124.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4450bfd0cf5e4140a381ca3163888504.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba3248d9d350463eb478ad6158f619bc.lnk	AdminAEHIECAFCG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_95157ee65c09486fad29074b4fdf7c4f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_914c42e6397940ed9a4463613508c6e8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_732af87566d7495c9d3f0fa16beb26c6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f680fbc8c32d4053bad50e530fdb5a16.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c308fbac12c34f3dbfe341acd39fa49f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_32a25fd493f748c099e3927703ff5d86.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cb03fd63364d4a55b0beab77a362564b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2d96b22c311544b1b0c7d12deb1273f7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_17edbcf9ad594da683d5f3d6b1d90ed9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b83eebfd7e194edcb101df68b69c7160.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87a7e74182ab46ae8d38b38ee5626b4f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1234923a12254929ba2ac08886867d13.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_845fd0195d3845fab79aa455833f1fa5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_99219d159b314d02b126f53c2bf07268.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8c10fe872ce94a70988a667078fd83b3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_891052cfdfc74012859c325c69b79bc9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7f95890a4bd443b39c9efe20545d31d9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cf2d463f038a4f849e21b443fed60114.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9f34fccbdeaf49669f51cc79e6012694.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3791f0076f294c2f9960fdf990efa452.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e1bc576ad8464bcbad3af1a7645992b0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_778586d84e944815af5c8d830efbe436.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f28c2b6c88e340c482a43e0e43cebf18.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eea7eca065554ede948d90c87a0120f0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b3e4c0bdbba43cb9cd92fd4a3fde2b8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b8cd7b21314845dca474b089ba7bb634.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ded168771d34c1e9891a10412264938.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f5d3659001cd494f9199aaa4afca7f77.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1002b8c8787740f2ab79d8b0ca1100f1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e0231881bc434dc1ac807c0140dd44a6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_647e2e8a1d6a4ed988a1b0d341c8c8e6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c62211cf46d0486b9338be7e1bcab4d4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fb8509514fb14038b955cdc7d7f69c90.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba84550d44e44916adf75bddb0007b21.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_65bc0b18632f42349e65d4692d113b84.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b5157e4f7d444e2391a29e49994fd22d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_38acd3b2a5b94a75aca3c39520b0175a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ec87fba1a14643dea9759f97a6b8a04b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f248e5d30d064f3e8b0a0df403c09d48.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_880166d6e3944870a3a931e28852bf60.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4351ea5eb0c646499148fb3aba169fa8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_88f8e798d5854a72ba367fa6621fee15.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3299bad948204f7fa894e8345b5fd238.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_adfc4c7e8bd74d20a14dfbb46cd82ac3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_20df9c8791ad46868232a2284649f0bd.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_58820af035ca4145839c8510b6726d77.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8cc5bb9290b24873a00fdd99ae251959.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7f9b004244cd4d0eb19af8ddf596a333.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ad13d884965f4fa1b766a3061e476583.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e2718402c2324ca28933e03df6103546.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_82f8f90874b7495da41f90b9d4b01a06.lnk	MFDBG.exe

Executes dropped EXE 5 IoCs

pid	Process
1472	AdminBGDAAKJJDA.exe
4780	AdminJKEHIIJJEC.exe
428	AdminAEHIECAFCG.exe
3080	MFDBG.exe
760	FDWDZ.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	RegAsm.exe
1640	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_65274cb13fc94171b779ca1b867ee348 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	AdminAEHIECAFCG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4112 set thread context of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 1472 set thread context of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 4780 set thread context of 3164	4780	AdminJKEHIIJJEC.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminBGDAAKJJDA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminAEHIECAFCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminJKEHIIJJEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1664	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	RegAsm.exe
1640	RegAsm.exe
1640	RegAsm.exe
1640	RegAsm.exe
3080	MFDBG.exe
760	FDWDZ.exe
760	FDWDZ.exe
3080	MFDBG.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe
760	FDWDZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	MFDBG.exe
Token: SeDebugPrivilege	760	FDWDZ.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 4112 wrote to memory of 1640	4112	6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe	83
PID 1640 wrote to memory of 4516	1640	RegAsm.exe	84
PID 1640 wrote to memory of 4516	1640	RegAsm.exe	84
PID 1640 wrote to memory of 4516	1640	RegAsm.exe	84
PID 4516 wrote to memory of 1472	4516	cmd.exe	86
PID 4516 wrote to memory of 1472	4516	cmd.exe	86
PID 4516 wrote to memory of 1472	4516	cmd.exe	86
PID 1640 wrote to memory of 2072	1640	RegAsm.exe	88
PID 1640 wrote to memory of 2072	1640	RegAsm.exe	88
PID 1640 wrote to memory of 2072	1640	RegAsm.exe	88
PID 1640 wrote to memory of 4472	1640	RegAsm.exe	90
PID 1640 wrote to memory of 4472	1640	RegAsm.exe	90
PID 1640 wrote to memory of 4472	1640	RegAsm.exe	90
PID 2072 wrote to memory of 4780	2072	cmd.exe	92
PID 2072 wrote to memory of 4780	2072	cmd.exe	92
PID 2072 wrote to memory of 4780	2072	cmd.exe	92
PID 4472 wrote to memory of 428	4472	cmd.exe	94
PID 4472 wrote to memory of 428	4472	cmd.exe	94
PID 4472 wrote to memory of 428	4472	cmd.exe	94
PID 428 wrote to memory of 3080	428	AdminAEHIECAFCG.exe	95
PID 428 wrote to memory of 3080	428	AdminAEHIECAFCG.exe	95
PID 428 wrote to memory of 3080	428	AdminAEHIECAFCG.exe	95
PID 3080 wrote to memory of 760	3080	MFDBG.exe	96
PID 3080 wrote to memory of 760	3080	MFDBG.exe	96
PID 3080 wrote to memory of 760	3080	MFDBG.exe	96
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 1472 wrote to memory of 2956	1472	AdminBGDAAKJJDA.exe	97
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98
PID 4780 wrote to memory of 3164	4780	AdminJKEHIIJJEC.exe	98

C:\Users\Admin\AppData\Local\Temp\6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe
"C:\Users\Admin\AppData\Local\Temp\6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBGDAAKJJDA.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Users\AdminBGDAAKJJDA.exe
      "C:\Users\AdminBGDAAKJJDA.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
      - C:\ProgramData\DGDBAKKJKK.exe
        
        "C:\ProgramData\DGDBAKKJKK.exe"
        6⤵
        
        PID:4228
      - C:\ProgramData\KJEHJKJEBG.exe
        
        "C:\ProgramData\KJEHJKJEBG.exe"
        6⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2228
      - C:\ProgramData\BAAAKJDAAF.exe
        
        "C:\ProgramData\BAAAKJDAAF.exe"
        6⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminECFHCGHJDB.exe"
        8⤵
        
        PID:3132
        
        C:\Users\AdminECFHCGHJDB.exe
        
        "C:\Users\AdminECFHCGHJDB.exe"
        9⤵
        
        PID:4172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIDHDAAEHI.exe"
        8⤵
        
        PID:1588
        
        C:\Users\AdminHIDHDAAEHI.exe
        
        "C:\Users\AdminHIDHDAAEHI.exe"
        9⤵
        
        PID:4752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCGDGCFBAEG.exe"
        8⤵
        
        PID:2784
        
        C:\Users\AdminCGDGCFBAEG.exe
        
        "C:\Users\AdminCGDGCFBAEG.exe"
        9⤵
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IEHCAKKJDBKK" & exit
        6⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJKEHIIJJEC.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\AdminJKEHIIJJEC.exe
      "C:\Users\AdminJKEHIIJJEC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAEHIECAFCG.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\AdminAEHIECAFCG.exe
      "C:\Users\AdminAEHIECAFCG.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BAAAKJDAAF.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\DHCBAEHJJJKKFIDGHJECAFIDAF

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\GDGHIDBKJEGIECBGIEHC

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\GDGHIDBKJEGIECBGIEHCGIDBAA

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\HIJJDGDHDGDAKFIECFIJ

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\IEHCAKKJDBKK\CGHCGI

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\IEHCAKKJDBKK\HIJJDG

Filesize
114KB

MD5
3cfabadfcb05a77b204fe1a6b09a5c90

SHA1
f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d

SHA256
693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c

SHA512
d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b

Download Submit
C:\ProgramData\IEHCAKKJDBKK\HIJJDG

Filesize
11KB

MD5
f8448bd123e73e87abd121580fcc1840

SHA1
f99308e2b16c1a58ee47cb1605f38d6b3a66f5f4

SHA256
8015d1127aea76521c63bca05deecd16227a3d72e3c8653f464950e8bc69b732

SHA512
f8cd0c9124dfea36bf7011b98dd9f420886465d08ede5a14d2c14ea78797a9f750aac56df5ed807ab913e513227cab54eb5cf6268f11da548b883d5738d9445b

Download Submit
C:\ProgramData\JDHIEBFHCAKE\DGDBAK

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
174KB

MD5
caf45b51ed5bbd93fd7cbef417b22040

SHA1
69a10d4e98ef0d4268d56e9bf587a1d6dfa7f981

SHA256
d8cec7ef55aa69fec153ab74d329439a712e4190817aa42747ac15eb691277e7

SHA512
385790c2084c285ba6c89cc1ee62637f0f83f85a87abe7c5bc40c28f9d756b473db13cdc6bebe762772abd9e1991a842f9a994a5a00c07817315e8bd1d255a39

Download Submit
C:\ProgramData\mozglue.dll

Filesize
126KB

MD5
68d571df5d409ff4c455378df9574994

SHA1
075d544310ffa8b587029f971c34762859529c33

SHA256
5b5d2cb554d6e2571d0ca0c3db71a5b6fa0607cdde0622167c88bd7ff8429049

SHA512
9143fbc2fd1ca2593290e2db7c050dfac0a7107d8ac24c508fc084bad456e17b64656b0a81c05c8a69d3ea9e15a7e1f66c9fdc74d75a97ee92b45c8b6806fe10

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
116KB

MD5
61ab75924a4c4f1cb2de0fcb1ea4af4f

SHA1
f9b7e2601163d1a355230c0acde21b7027386bac

SHA256
1f3c3b9e41bdd48a9673114a6b0212f3b3de0f4e20a814592847162421f3d116

SHA512
2e5fe3e269d8cece49a1ea266e5106d829a5239bc32a23693df7347f343bb1d7b2600c433186f97b53610cddcb52dabe47244fe242038ff4ff31525fb4404b14

Download Submit
C:\ProgramData\nss3.dll

Filesize
47KB

MD5
9774f7b9b66588e56e97af51f29109e6

SHA1
e659d1eafa91e396cc9276e6b0620c5328140ca5

SHA256
14427e3fff3787ee544792b2a88685fc198c2d1ac3f523dd0e53129bade5d4df

SHA512
d4eaf04ac71d28ea303fc76778ce938c04e9e1860c685f57359bc072c43cfcc083c94826cec2a4c0d6ea6c24289741bdafa3f03647045edf9e99919ad1fea041

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
183KB

MD5
d1ef6d221243c90ae81ce306488be5a7

SHA1
11cbcc098502f16ee666df257f4a3821bcfcf83a

SHA256
e7fa0ecb682d0db5598cac8b8965f6bf0171ccf83a534329b088859b788a8911

SHA512
9e39c31211dfc7376d3cac5c375e7e003aaf609297d49102d62c6d35b472b64cabbfff638cd5bc1539b5ce8e4bb6ad28c8fa0dbc93c957ae069699f04f71b836

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
63KB

MD5
f5f6a51ddd9cd474116b0ac2d9b2f047

SHA1
4de17ba4a182b1a8f0456682fc69fd097ecd1523

SHA256
2aad82c388b351728ee63f4c5eab3e3761cad6bcb5fea7c43f1836d2f6bde3d7

SHA512
b0edaa113390a7ac69f9fcd1de1773f109bd645aa4e4e6609f555ba4a7f928b60304ab93861f1e439ab563ba461eb96c6f45914776077ab613806a5a4cb300bb

Download Submit
C:\Users\AdminAEHIECAFCG.exe

Filesize
26KB

MD5
0677d5eb007dc9b0de2c5ddf8c3886d8

SHA1
d455b38856bb2a143e5edc2ade8db811e4e9a71b

SHA256
f33f40367e6a3878f2c8df07683413c77126150d076684fdbc295e9a7a0e5164

SHA512
983d9081093f838e6b1b2a5a70e4726caa8fe4a54e83c0bc66985751a88ca9122e5c14688d18c0b9b738195a22ac40900de39c4f49267dca72e22cc9aaa7bf88

Download Submit
C:\Users\AdminBGDAAKJJDA.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\AdminJKEHIIJJEC.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
2b36821f56b5af8c6696d071788bdcbf

SHA1
19bc0e2633ad82f28beb4e7e72cf3b208f3ba435

SHA256
6bd2e70bec06d9aaf7d4a4e43e05ec5cd6d86ba1ee462a4a43881c5fc7e1ab02

SHA512
eebf46211ad75641582459ae8fbbefc29a6d402fc03576738dd8d9f17c9675a2befdcfa1d84120202e39a47bcf721e341cdd8628c5b269ee489f6ac038268f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
9acd96c9913e11d1f3ef65707ee50eef

SHA1
ae412c0b5be0c98490441286b643b13ee70f42c4

SHA256
48dd296c0d99e46448244064ac59ecb3635ffb8fdb092ab84cdf8012e3d2e7fd

SHA512
2d9551bcf89eac7e96de9a2d6e6273a1ebc436e01aa8ac8d4adf0d50c4f6f4f8b26be4803275f9373c80577db3386b86f7794f62c16b2ae84e81389c09c9335e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KJEHJKJEBG.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8M42AOWL\76561199780418869[1].htm

Filesize
33KB

MD5
61443dc4dc2d8ca345488b209fcece8b

SHA1
d5c91f910c3e31cb0c86835ea438e024121df4ad

SHA256
d2d7c1a0ac06ec2fe050a3e2cd83521698cb2a41b7caacc01a33de48d7d67d58

SHA512
3a9aa58589558041a3bf15fd90c740ebfb4cc4e848db75b10633aaaa5c53a2f6c6024466c1bdad25831392a619e593b0b5fb786611a87433646848d95af26550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9083cddae77c4873a50e1c6320f94ea0.lnk

Filesize
1KB

MD5
bb4e1985b1165c4f11fa6840e1ddb098

SHA1
7e77018d045180e44bfd9f2b2c94f73154f2da9b

SHA256
deba899d572ae86841a1cfad4294a613c7f17bfe19883d626dcaf9eba40bc609

SHA512
eb7073c3f5142ff6d4a619d4769c1fe13ff650f120c29832ca7e0a32010a5d4d1ed50dde829ba9b7a68f62a48baf485364276e5c69be946deecdad3622f92cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba3248d9d350463eb478ad6158f619bc.lnk

Filesize
1KB

MD5
801e92f8fdaf63bc07a86ba71469eefb

SHA1
cc149ffe4d72581392ad3d5a9110c04ef43bdd50

SHA256
9cd8a698120383b3525391bc5141ebaf41e7b5e84f132022a4f0d263ce7d6f1c

SHA512
792a414bbccde793eb9d592befde24ffbad8eb7cdab5ecd68ececa8068e1dfd79ed4f3844597d84ae3279a3ad954c3860cffca0f896a5984d18a95967d57e37d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c4376ffef993404ea3c27c0e5497b6cc.lnk

Filesize
1KB

MD5
2892e5587048f3cebd8d23f45c5ba3fe

SHA1
306842c358fa4db2e8ff98c7d0cd94a3e78c8c2f

SHA256
485f5bb36ef7843b5958da399340ece238051004c29de61e157139211a4f6677

SHA512
9c57c4542a186adc11c94f7dc1b915f6683402b80a5ed7a7bcd70dddb295fda1f60bd12e2448a2b6a7889047145a5f9f3ac14f89782aecc46deac13300a775ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e72b9e7ea7cd46c392ed028ab5e908d3.lnk

Filesize
1KB

MD5
0bdd84fa54fa8f31a86d9ad39d77cc56

SHA1
85b18682d3f5bc3f6d8e7f924d0eefd3480dd044

SHA256
6987088953ed810e06eea65ce3319baa9a84193a44545855bc3f247ec4d6f4c2

SHA512
49fb6791e742261e3e5b7d47fb14f2cbf2c17a402779f1197914d670ce92926bc32eefb7d151858214911dc1a52a6165c404c1db91186b2191258f8723a75db5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f44a2bcc0551402ebe4ca219d575308e.lnk

Filesize
1KB

MD5
c144d0c37da08cff343539c4e4983133

SHA1
7bf994ad9efe8762e058c0a0986ae1ec35200e02

SHA256
fb4c97031b53c49efd2af026081bd459053730418b71249f50fded498ac1edb7

SHA512
99c97127199aaf50a0dbb49e4b46f0c29f031b8c5cfd5b4299d61ef113694be3d41a7d74d9128290b72f29b3bc9edbbb54d95179cdf311dbca6c996dae307ce5

Download Submit
memory/428-101-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/1472-90-0x000000007275E000-0x000000007275F000-memory.dmp

Filesize
4KB

Download
memory/1472-88-0x0000000000980000-0x00000000009E8000-memory.dmp

Filesize
416KB

Download
memory/1640-3-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1640-6-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1640-8-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1640-9-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1640-89-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1640-106-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2276-4293-0x0000000000A40000-0x0000000000A96000-memory.dmp

Filesize
344KB

Download
memory/2956-3317-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-307-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-2247-0x000000001FF10000-0x000000002016F000-memory.dmp

Filesize
2.4MB

Download
memory/2956-2039-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-2937-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-301-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-3413-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-309-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-3059-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-2262-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-2510-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-2406-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-2379-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2956-2151-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3164-360-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3164-362-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3164-354-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3844-5097-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4112-84-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4112-7-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4112-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/4112-1-0x0000000000C30000-0x0000000000C86000-memory.dmp

Filesize
344KB

Download
memory/4780-103-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download