stealc | b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9

Analysis

max time kernel
20s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe
Size

403KB
MD5

a2fc88996b2fe412ad287321f6a18591
SHA1

33c3242867eebe62da8b8ba946ebf986918c48b4
SHA256

b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9
SHA512

74504dc96abb1a6c9ff0f22ab0e0f5dd087f2721678657fc895375ab3cfa5e4f81e818504d23423197b2e0fc44163340ea2420386cb64fb6b59b9e2d456628ea
SSDEEP

12288:PGeJadV8HxUS6590r5H0pC9aB9/07UBlEO:PGeJoV8RZ6sVHd9aB9/Blt

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a d80be45a1eb6454ca916f92c36ebf67d default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

d80be45a1eb6454ca916f92c36ebf67d

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral2/memory/4900-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-7-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-35-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-52-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-53-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-77-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-78-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-86-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-2609-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-2611-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-2605-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-3300-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-3412-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-3502-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-3569-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CGIJJKEHCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	MFDBG.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1b3c462a5cef4b5b8f2a3fb7903ef9a7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_36b22167e5a44dcfbb0058fa66221f5b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dd9d96d8cf47447fa70c49b0340d3e7e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_563c86b7eec24ffb9b1813b4aa513b84.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4e751bf8f8144dd793dab12b854e6842.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_096ec1b63e154eb6911a59baf52f197c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_29088b16b833405884655ce501cd61d6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b381c65dc1043a38420dcad440cdd86.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6ad5c074404345a6ac26557eee9dbc2a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fefc9a08f10d45db833d5ffc9a5d882c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a4f18d9dc439421d88f65c26877cdb4d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_62ec453268544bf9829b03387624aedf.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8aabfc89b72e47c094e4235d081bb43f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87a89f935cf74fbe8a14f4e671588995.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4483f075cf55452ebae954b5037c2e62.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c787a89433b64299aabdde783e8c87c2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_119f830e56f64e4b8b44d8b93aa29dbd.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b91fe9b1b9040ba9d66bae2bbbef8a3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_94d9cf210cb94b70979c9b8cd6b0e566.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_65c52ae1f0af4f95a897b63df2f39c10.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_34f7358d2a7f440da815a51a923060ca.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_396256c2f7df47b19f8f6ea434a3bb38.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7eaa3cf67df84cd9b1ca9bd9d1c90e92.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0c0dcade8a784778afe1e18d6459a6dc.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d9ee39d7855f4a758b6d9ac0e64337de.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a64eff315e1d49bf8053d12bcdedffc4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e4f31ee2ce504a46988d5db62cf8fbb6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_64e34b72310e42139074a16b8b884616.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c68f96cb91c847d68a1ad1b6e1b18eea.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a06396701a434d879b5435cbdc803f01.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_64afc4f8626943019118c0570ad1ea69.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f345ebcedc3444b08b240f4246149449.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a824ce9b7f6048b3871c705988e8ff25.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b3c37f84ef5340e6809dae13eef7e4e5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2abcc726bf8643dfa880ea0baa34c6b5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1715738ab8d45efb3273291e582e880.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_941855c3aeb04564afdfeedb362c429b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2ecb9fee23984fe5a4c1563f91ff60e9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_45f2ce0b4ae9428a82d4d1446cd5ed87.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4a402b2394e54b99a0e60cc97cc431c1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_77b38ace9fb14746ad7ee1a6fd78bf88.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa6df9a3dc8d48adb524ff2b036fe961.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_882fd7431c9d47e3995b147018988d8d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_005aadc59a404456a4d17eba59dbe07f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6cac1bcf13df4c738dbb61d56e428483.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d636fa6be701454e9df1739a3d008cf4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f3580b1cf822483fb25f51a08bfa6496.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cba53fbcb01846b6a0148eba7d9b2379.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7dc46a00aa8342a782d241730055523b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9b027920c3174660b267f534ecdf5e5a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5f71eb434b1444a0a540d70a6f9c6e69.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e2159d1014d8420f8ad52d3b31ef11d7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f6b3741295174241ba35f0745719ca21.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2e302e2a30254b2db922d4b56cdcf7c9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dc188f1440c14f579b78adeb4edd31e7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9221e143bda14091afe609caf9b90e06.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f8d5cc3b342448a280c6221069bd96c9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_481545920d414fda9adfa4684f79fabf.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_469f5053c0db4edd8ca131f3c0e456c2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_50fcbb6b3d7749bfb7e07d0f7e275d5f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1fc4e4abb067441d88a6b26fb29da43e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2175dcc5aac34bdfa75877fc1658531a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_10bc85f2f5d041d88d83335f9520f4f1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4909e181a70e4b7fac9133593e53bdd1.lnk	MFDBG.exe

Executes dropped EXE 5 IoCs

pid	Process
4160	CGIJJKEHCA.exe
824	MFDBG.exe
2520	JDAFIEHIEG.exe
3052	FDWDZ.exe
3248	JKFCBAEHCA.exe

Loads dropped DLL 2 IoCs

pid	Process
4900	RegAsm.exe
4900	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_0ef66afd4f4640ebb895ec6c23b30600 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	CGIJJKEHCA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JKFCBAEHCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CGIJJKEHCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JDAFIEHIEG.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3320	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
824	MFDBG.exe
824	MFDBG.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe
3052	FDWDZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	MFDBG.exe
Token: SeDebugPrivilege	3052	FDWDZ.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 1624 wrote to memory of 4900	1624	b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe	83
PID 4900 wrote to memory of 4160	4900	RegAsm.exe	89
PID 4900 wrote to memory of 4160	4900	RegAsm.exe	89
PID 4900 wrote to memory of 4160	4900	RegAsm.exe	89
PID 4160 wrote to memory of 824	4160	CGIJJKEHCA.exe	91
PID 4160 wrote to memory of 824	4160	CGIJJKEHCA.exe	91
PID 4160 wrote to memory of 824	4160	CGIJJKEHCA.exe	91
PID 4900 wrote to memory of 2520	4900	RegAsm.exe	92
PID 4900 wrote to memory of 2520	4900	RegAsm.exe	92
PID 4900 wrote to memory of 2520	4900	RegAsm.exe	92
PID 824 wrote to memory of 3052	824	MFDBG.exe	94
PID 824 wrote to memory of 3052	824	MFDBG.exe	94
PID 824 wrote to memory of 3052	824	MFDBG.exe	94
PID 4900 wrote to memory of 3248	4900	RegAsm.exe	95
PID 4900 wrote to memory of 3248	4900	RegAsm.exe	95
PID 4900 wrote to memory of 3248	4900	RegAsm.exe	95

C:\Users\Admin\AppData\Local\Temp\b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe
"C:\Users\Admin\AppData\Local\Temp\b5bb760b32b6cba8aae36d830b64c53cd3aa0d8ae0ec5686d604564f30ec46b9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\ProgramData\CGIJJKEHCA.exe
    "C:\ProgramData\CGIJJKEHCA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
      "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
- - C:\ProgramData\JDAFIEHIEG.exe
    "C:\ProgramData\JDAFIEHIEG.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2520
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5072
- - C:\ProgramData\JKFCBAEHCA.exe
    "C:\ProgramData\JKFCBAEHCA.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAKKKFBGDHJ.exe"
        5⤵
        
        PID:4660
      - C:\Users\AdminAKKKFBGDHJ.exe
        
        "C:\Users\AdminAKKKFBGDHJ.exe"
        6⤵
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHDHCGHDHI.exe"
        5⤵
        
        PID:2412
      - C:\Users\AdminDHDHCGHDHI.exe
        
        "C:\Users\AdminDHDHCGHDHI.exe"
        6⤵
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGIDBKKKKKF.exe"
        5⤵
        
        PID:2520
      - C:\Users\AdminGIDBKKKKKF.exe
        
        "C:\Users\AdminGIDBKKKKKF.exe"
        6⤵
        
        PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FBKJDGCGDAAA" & exit
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CGIJJKEHCA.exe

Filesize
26KB

MD5
0677d5eb007dc9b0de2c5ddf8c3886d8

SHA1
d455b38856bb2a143e5edc2ade8db811e4e9a71b

SHA256
f33f40367e6a3878f2c8df07683413c77126150d076684fdbc295e9a7a0e5164

SHA512
983d9081093f838e6b1b2a5a70e4726caa8fe4a54e83c0bc66985751a88ca9122e5c14688d18c0b9b738195a22ac40900de39c4f49267dca72e22cc9aaa7bf88

Download Submit
C:\ProgramData\IDBKFHJE

Filesize
114KB

MD5
503d6b554ee03ef54c8deb8c440f6012

SHA1
e306b2a07bf87e90c63418024c92933bcc3f4d7f

SHA256
4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

SHA512
3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

Download Submit
C:\ProgramData\IDBKFHJEBAAEBGDGDBFB

Filesize
11KB

MD5
c139fef32349b4fef17e37440dfdbf33

SHA1
4f2caa19e7d3afd5ceaac72ee3085fec74533051

SHA256
2abeb0fee5ab17d77ed012920c58b51823687e46daacc2197d907ba7895f6393

SHA512
09fdff41f0aafc6287aaafe4d5c6123bbd2eecd7c07d12a4192685181209626d736af6357f6531a16626e7dcde2459c8e3129a685c6ee1581f0f7ab95f564973

Download Submit
C:\ProgramData\JDAFIEHIEG.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\JDGHIIJKEBGI\AKKKFB

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\JDGHIIJKEBGI\AKKKFB

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\JDGHIIJKEBGI\GHIJJJ

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\JEGHCBAF

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JKFCBAEHCA.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\freebl3.dll

Filesize
107KB

MD5
814304b9e1b9750fd5ab54146c6cf393

SHA1
0afcb1c206b1deb71ee6791f9e2bbc4842af208c

SHA256
ef1bff0b722ca4f05b0be238b69caadb85564fa286d96b1f64e237ecaeb72194

SHA512
6997aa85522ab8edd44534bf7d88f9670c0045909a57d818d932774ee8157c4ea66275e28deff1a88627b1ff32b5a7b8d9e88690855141252d59557290ab0d37

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
5c18e5bc32a037bd429c4855846a6c5d

SHA1
b14a099012f5ca6fb36f6f109a391ef438d78a1a

SHA256
be4ad8739c147f12045ab828a52eac01b86999637e1ae357c95522f5ec56a5d3

SHA512
30813aa3724a2b317c895d52f141b9476e1095dba1560b8564518fce1810d8fa8c2507b0a0b3beb54e399249577142880195bf61e9870403857e43110fabe859

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
104KB

MD5
c1002d485f7c555ba87761bc399132ea

SHA1
2ea1dc717911611e2c51c8e5ec024cf89854e332

SHA256
41d5e5483dd1013d1a2c268e13fded9a1445446969b8df654eb2b1268284897b

SHA512
7b0fff6e8322870f1d099b5536b3d2fdd316e1aa751fd4fd4503e757a82062bfd5718778e95eee7de9590c3f4249e06465c24130b1294eb1ad5226ecce1a0248

Download Submit
C:\ProgramData\nss3.dll

Filesize
109KB

MD5
f07a0e6f1fac026ea4fdf9a447bb134d

SHA1
69b1e4638adcaac35fe573000ef2760eb00b183f

SHA256
77b7ae7a70ebc86bc38c824ef030a54fd4d20d81c44f0eb32ef55f3bedc751d7

SHA512
744e40c9415a6b683a9d997874892f44957e61d1b2a45cf04357a2fa9e8e522fdfe2c168350e2b79a02d654dce20b75b00fd60323c36f6b5942d99f187b0874d

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
89KB

MD5
12565260c30c56282e05657b0ca444b4

SHA1
5202ba97dbcafa20f448f6683ac0291c81c99658

SHA256
1d110d94f33a8ec5da2a19665796bf40a0b768ec05d4dae4b2d9a1ac271a174f

SHA512
8b9b8ac2587e9f7ee62fd55da613b31157f9904bd8d007ccf5509fce0a2228fec4063e48dea6e67e0a636a710a52c572a46ff3daabfa47e91b257388e037c311

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminAKKKFBGDHJ.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
3d0514f5227d0ba8f91af3531108aa9e

SHA1
e785caa409acb468d4cc46790320a54f1ff99db6

SHA256
aac8c93892fef76efc9790da21d518ed553e974256217b4244b34d73bdd0f8ee

SHA512
2990a16921b56e0e00ef40e01c6a5d8ab425475de36fad0228d5f9d31643e476de620f594063fd5a253b47219c10e0de1094aeeea215be00225c7cb79fbc3eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
d6cddbe55cf9259c788697ed731b43d0

SHA1
5c20ac5ed0feba4814eaf489b3866d47a8f39da8

SHA256
cb42cbe85d0266bb82bf2861f1d4097a1ab402f0721e4d6f1f8c7a017563a2f5

SHA512
c368c8c3943c48a12972d552bde1e8d56d0ba64dff06c94ff859c9bc1f6ada46cbc97b6067d882e68e5568990705ca46d193de384a15d6d1fe0b86fffd7f4f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminAKKKFBGDHJ.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\76561199780418869[1].htm

Filesize
33KB

MD5
22075fdc8e03725f00bf4b9e54df1850

SHA1
5799156cbbb90ee69f705a0c3736deac642dadc7

SHA256
8ab925d4fcc918da608616b100b0e8c1031318a83628427119251765a8265d8e

SHA512
846e6df4e13064047fcce0158d9a575bd7e3fdeeaf98017c1b14481bd9e0329cedf08acc64b485b799172b03854116913cb418265f6bb56b32dd733e25149f83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4f615d5c9a9044e08d46107d9e72ee18.lnk

Filesize
1KB

MD5
9069ce6fc9c67698f83b0009d56c7dad

SHA1
451b2815ae368d890b68cb0e29d1e0e00047a9a0

SHA256
e6888d4a652a993305a12cc092474ead68db0baef3975582774f818d25dbd800

SHA512
0c10ae6ab6428a9f8e54c1b0910c650d13de8ec42d56e62f10e263316b3a73b79cbfa9342e4bf95ff93540a2ec3307ecd1676ed6c2ef33f5c5be4588fc5b3bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a83088c8fd6441c930fcc0decdb3f89.lnk

Filesize
1KB

MD5
36a4aeefdced1ab8958354d568a4dcb9

SHA1
ae5f76c318514d2c049e8b08be0cc019aae14dfa

SHA256
ca889568a5a8d7481deff7f8fc2a09cf8afe473a82a01ca64a7bb201dfbc76a8

SHA512
5256ed2d160f27a89e5a86ff4b6b84467041275403e283f80d067840bf1f34dd98df3d88931e61bc63de7f41a57ce76795a6f0cd57e116a77223c371d21b0b03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6173c2e7423c486e914f1ebd3fc115d6.lnk

Filesize
1KB

MD5
742a20671fe0f60eaa3a8103624f8705

SHA1
02eea47e300b26816d2fbe8f563b651414bada1e

SHA256
1e098aa2f2da2b63b4ce6b4b5ec7aba652374b90122d65345786c5b9bc27b637

SHA512
3e3eeafbe26e75b5e58b118b229cf019abc905b549a3cb6a03f50b66abdf5ccc6e9901e1deaf02101061692744543c7918b121bca15897136a01a92765ae57b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_67713b25a86e49578f0d52693711d70b.lnk

Filesize
1KB

MD5
85cac1488c995bb2bc5114adcfc94f8f

SHA1
807401deb016d62cba9ce579c519371d42500f4e

SHA256
a1684b84dd78121cfe9873af86f71ab2189db73cc7ed5baae29fb00f1c47d772

SHA512
2a96ec79e935f533b6cbfcc3f33fc6f38400236cbff6d3967d99dcee668ecd59bf8480b26fafe7ad6fa83637bfd746b30d6104b5f6136a29116911cc95c7826e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7d62edd54174486ca254f6aaae9cf66b.lnk

Filesize
1KB

MD5
878b2de89ffbb2a4395f2ee2367a181e

SHA1
931362f064efaf50cf0268427eb2405087054892

SHA256
09d2bc7897ae5b5f1ffc9aef5a1c69f392d380c6d4bc2e2901a41ba3161e3c40

SHA512
0dd62d8853cf0899c55ec4f1644f2a59727d2d3ca9f63249060f13c0e600026db48025ed4ebfd4cd1dd2f0c0884c79a4da611807f18bd27b7007b51b35f28e10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8e28037aa2134125890cf6d3711885de.lnk

Filesize
1KB

MD5
66302ec6110b0c4476939c77bc557098

SHA1
7511fd4da246f4ceb64b422d9f97c4342efa9e46

SHA256
1c0191db191037fcb3a085d57ce24978fd4bb6971e01052ab5f2a96a2e52420a

SHA512
5d54ea47bf0a0cbfea83e202414a2c827296c13c102cf19c5bf189e5f724c739c9b92d5289300ec039a29a10f6b9837075a6d85888b082c898856771fba1d1b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a7018ebe0d4149bbb819b7f27eb3a514.lnk

Filesize
1KB

MD5
610a4a3b9ca43393e49e8727be126080

SHA1
400c134536a8d20d7d22201283a4022433540bc3

SHA256
2c2137dbda7000b97a3100468e57cd49c31d13e9011176a7e9c612139daa91f8

SHA512
ec473294dc724ccb1b612aab2d8f77ff8430808a18b1940ce21067bc55fe015401412352b2d5383bc0ab7ad2011e3d16f90afae8bf27e366cc0223378d5c0d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cb6ffffd71e341abbc13f862db700a5a.lnk

Filesize
1KB

MD5
e39722eefa0b31a4bf45dbfde9efdef8

SHA1
ec811e73126b90d7c0793d8963892c2b8295299f

SHA256
b98ad6d9b42bfb1a0cf1f38d645fd9965fa7234e60ccd247eb8da4fd21b8f886

SHA512
8ec2d9fc385ab2a9c8677c42242af45ed963fd30fbdd12741a09344cb544c21c32a453b3fbb767a8c83f11098b9ac20afde82d1d81b5633a1b885c04c6540e4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d639a395fe8a4b9dabfa6252ff757b58.lnk

Filesize
1KB

MD5
9b09700950121f9eecf92434f2e70dc7

SHA1
00710f80440a137a126b31a4bdcfccd40ebe3143

SHA256
d1cdd04eeed1caf4270880134d46249793c434aa000c64759a51280cd75f8bcf

SHA512
51ceb37e4bcb7100d4d12cdc2070d0947017279f737b00bb11b32286d2e2fcd8d7a20e9a6f1d4425ae7fdbafed1b779ada8fdb0b12ed15b8ea362e7be6a6d131

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d947141c50e843b6b03b7f30f7183ee5.lnk

Filesize
1KB

MD5
b25d19c5ec8a56619168cd8bc78ca530

SHA1
b9006d3836cd5ae9fa85e874c18497e30059b1aa

SHA256
b9c9efbd86e238959b2ae8dbd8ca51bfb47a715ffff2e1a91de2ba6f9f1ac919

SHA512
c746b2b7f8420875778bc082c28da843bea575d699ee8c2db1a39faaf6df5171c768d15047489277ef495ed969944a26b6ddb46344e132b386b5da9f07f9c38d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef510a2bea544c2da5785fb54bc1def6.lnk

Filesize
1KB

MD5
4708257a9388589656602d66af6b40b4

SHA1
51cd3318cb34a97cc4dffe2be3f8ca442918df73

SHA256
1dd11e88810a2ed77f03e31a0b67df0f65465945c08fa350c6d6b57db0417ea7

SHA512
e768d64548ca04aa0586d3cdc4c1258956eca8e25df0fc3a23bc66401c2f8c362278aed0e6203e3072d1b1a22a66e81462ce116ab4e562c7e55b2ac3e29a29aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f64c50769fbd423fb883a9390b75aa3b.lnk

Filesize
1KB

MD5
a9173b93c5a641e42b6e3acbd3b34f3c

SHA1
b614a08243beecfc460b40caacad25f384bc0252

SHA256
fca7257f0ce27d4c62333707ced375dd9b88f53e8b6fb460d447cbd85560eb75

SHA512
c14f2c146aaf204afb46fc5463304e65368e5b28d400179cd9937ab9fbe92daa5e69a9d00295cf36239d229126f5cb647db78cf370e45399c2a76636691e1530

Download Submit
memory/1624-85-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1624-5-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1624-1-0x0000000000080000-0x00000000000E8000-memory.dmp

Filesize
416KB

Download
memory/1624-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/1912-886-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1912-1258-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1912-889-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2428-2609-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2428-2605-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2428-2611-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2428-3300-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2428-3412-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2428-3488-0x0000000022540000-0x000000002279F000-memory.dmp

Filesize
2.4MB

Download
memory/2428-3502-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2428-3569-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2520-145-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3248-398-0x0000000000B60000-0x0000000000BB6000-memory.dmp

Filesize
344KB

Download
memory/3456-2709-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4160-100-0x000000007259E000-0x000000007259F000-memory.dmp

Filesize
4KB

Download
memory/4160-101-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/4160-119-0x0000000072590000-0x0000000072D40000-memory.dmp

Filesize
7.7MB

Download
memory/4160-104-0x0000000072590000-0x0000000072D40000-memory.dmp

Filesize
7.7MB

Download
memory/4812-2189-0x00000000000A0000-0x0000000000108000-memory.dmp

Filesize
416KB

Download
memory/4900-53-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-77-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-78-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-86-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-35-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-52-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4900-20-0x0000000022480000-0x00000000226DF000-memory.dmp

Filesize
2.4MB

Download
memory/4900-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5072-540-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5072-535-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5072-538-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download