lumma | fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93

Analysis

max time kernel
23s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe
Size

403KB
MD5

477f0641023c28b462ea3d1b0a62151d
SHA1

d1e3eaa36f07796995c4ad192754bfebc20778dc
SHA256

fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93
SHA512

08b6a37518fcc0f018375b33db4911da6f3111c9b3d9f621c15e584dc4823ec7ba613d01fb37793c4a8bea950c3b523a8ef092a73451c5e1cda35352e37c6dea
SSDEEP

12288:Dlu1SX7Sor999NBAlAdwefOixMORgj8cn7dy7zLsEO:o1SLzr1AlqdfrbuIOBygt

Score

10^/10

lumma stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a 58cd250b15e666e5f72fcf5caa6cb131 default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

58cd250b15e666e5f72fcf5caa6cb131

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://stogeneratmns.shop/api

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral2/memory/4464-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-6-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-35-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-52-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-53-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-77-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-79-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-86-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4416-1451-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4416-1447-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4416-1449-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4416-1927-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4416-1963-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4416-2060-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4416-2108-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	BFHIJEBKEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MFDBG.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e3643f54bc8a4723b1c72b42fcecdbc7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e8d943460ca2438e8e3d930f74dbd550.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bb8228ddce74effbf5291c7a4eb582a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e1125b72584e4f8f9c330cb5c92696aa.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b62f5cc9ba8242d6ae74ef9167ceae81.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3db97316874d4b26b82866c1be2ff3df.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a2ad7ba3f3674fa592b9ae8186f3c3d5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_572cec541f89440a87edcfdc94ef0e99.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_205ae1ebc059402c831e14c295d62677.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_59cff35b038541f9b514cb90c81384d5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c4f4febc7beb496591662d8319960a92.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a21dd034aa4249eaba656c2c0ac290a7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_efded9b8d8b7479a9d9a656a16b42599.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ae522b76a0524a2c9c27d3f4c30f5e6e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_60e91df19382403d982d47da774ec715.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c13fe5497fd64808ab62f6fecb0b16df.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_115db027b5de49b382b4b03a3c07e23e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa926a0b97d0464cab6879fd535e806f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a051946a8c964165b0861149ef7b5236.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_18c54eaa439d4825b7394b45cec15005.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cab1543e4f134767b8a387fb56b098c1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aa3c93e79e7442ec857181bd629d6b33.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bead595e0dc64f9e8e6156358fde8bc2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cfff5ae07e4a4eed84cfc568f3801a9d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_03165c89de2d4a7cac14e23a16a09fc4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_44e86f44506047898c6aef8e4b57978b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_013f64370eeb4df3b696225793c98210.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bad3dfb102614343bb1388db4a7aef02.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a9eedef83e0b4425b572429d4d25e87c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4fc6e4e3b90e4d40bbeb47462a130a30.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_583173349945470996d1189ac5c52136.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_98887c52bfa8472dbc1c7fa86bad76aa.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a5bfa866fb0046429ff1b038aff23af7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_15119d72b3004ce0a87bafea26b3befb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_24b1ceec9dcf4220924995e66285b477.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_50b59510450543b0b9421c6acff620ef.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1b071b172f124004b16108a5061e7bc7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f1e68c0b9b8c43d7bb7b68d5bdd7661e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d7bd9f5c8e1843219d740e3bcf1f444d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1bf89d0cc3334ffb96b6174e336a5786.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7be044a24acc4938aa3d88041ac15511.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8ae433925b034042bc1ad6c36f51912d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8f9142d8988a44afafa5efb49ea6bf44.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cbaa8b3b6b984f9d95f585d4365b1ee4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_69f8c8025bc6471f8e7818b03ff3ba0c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_660414d09cd6425fafa3b3c165644f25.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef265457bce1493ebd4a7f5c4b30410b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a2ba99e87bde437d97f3d518870eb29b.lnk	BFHIJEBKEB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a9b723601f504d489a225ef9cb10d8c6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_880c36da1ee04616a8e8467c4c610fd8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_afab5e3b2c5e4dbc86d782386a0fb86f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f2544a6dd01f4e11a98c2cc5cfba64db.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_57ecf236e9c24a8e90df285d6a7e9655.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6291584465f14ddd83818af4de373bd6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bf3023b2bd4b47e1a8e1d6bd6cf075b3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_68f3338e8e7d42ce9db503773c5bf4a6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1e05177c01fa4b619b58d48897ddf368.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b2466257f0984d6fa226457c5049843c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_285d680157b94c44a6b5743dca5d93ab.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_05fed4dcbd8546f19687c6514866a27c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4aa054f87fb345a598bbb526afbace2f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff7258303f574d9baeaca0d3b4089d4c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3a38ddd69787443ea5f925f562d183b6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_495f300832d14f48bf048e92468b1b4c.lnk	MFDBG.exe

Executes dropped EXE 5 IoCs

pid	Process
2868	BFHIJEBKEB.exe
428	MFDBG.exe
3040	JECAFHJEGC.exe
2608	FDWDZ.exe
3860	EBFHJEGDAF.exe

Loads dropped DLL 2 IoCs

pid	Process
4464	RegAsm.exe
4464	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_301afd8ec9df4348808a3080218ae167 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	BFHIJEBKEB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 3040 set thread context of 3728	3040	JECAFHJEGC.exe	101

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JECAFHJEGC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFHIJEBKEB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBFHJEGDAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2720	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4464	RegAsm.exe
4464	RegAsm.exe
4464	RegAsm.exe
4464	RegAsm.exe
4464	RegAsm.exe
4464	RegAsm.exe
428	MFDBG.exe
2608	FDWDZ.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
428	MFDBG.exe
2608	FDWDZ.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe
428	MFDBG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	MFDBG.exe
Token: SeDebugPrivilege	2608	FDWDZ.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 4512	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	83
PID 2568 wrote to memory of 4512	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	83
PID 2568 wrote to memory of 4512	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	83
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 2568 wrote to memory of 4464	2568	fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe	84
PID 4464 wrote to memory of 2868	4464	RegAsm.exe	92
PID 4464 wrote to memory of 2868	4464	RegAsm.exe	92
PID 4464 wrote to memory of 2868	4464	RegAsm.exe	92
PID 2868 wrote to memory of 428	2868	BFHIJEBKEB.exe	94
PID 2868 wrote to memory of 428	2868	BFHIJEBKEB.exe	94
PID 2868 wrote to memory of 428	2868	BFHIJEBKEB.exe	94
PID 4464 wrote to memory of 3040	4464	RegAsm.exe	95
PID 4464 wrote to memory of 3040	4464	RegAsm.exe	95
PID 4464 wrote to memory of 3040	4464	RegAsm.exe	95
PID 428 wrote to memory of 2608	428	MFDBG.exe	97
PID 428 wrote to memory of 2608	428	MFDBG.exe	97
PID 428 wrote to memory of 2608	428	MFDBG.exe	97
PID 4464 wrote to memory of 3860	4464	RegAsm.exe	98
PID 4464 wrote to memory of 3860	4464	RegAsm.exe	98
PID 4464 wrote to memory of 3860	4464	RegAsm.exe	98
PID 3040 wrote to memory of 5000	3040	JECAFHJEGC.exe	100
PID 3040 wrote to memory of 5000	3040	JECAFHJEGC.exe	100
PID 3040 wrote to memory of 5000	3040	JECAFHJEGC.exe	100
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 3040 wrote to memory of 3728	3040	JECAFHJEGC.exe	101
PID 4464 wrote to memory of 3016	4464	RegAsm.exe	102
PID 4464 wrote to memory of 3016	4464	RegAsm.exe	102
PID 4464 wrote to memory of 3016	4464	RegAsm.exe	102

C:\Users\Admin\AppData\Local\Temp\fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe
"C:\Users\Admin\AppData\Local\Temp\fb371a0bf9bd2437bfeb1e15335f35f60f071662c0c6a1d3b9abd1359ad85c93.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\ProgramData\BFHIJEBKEB.exe
    "C:\ProgramData\BFHIJEBKEB.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
      "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
- - C:\ProgramData\JECAFHJEGC.exe
    "C:\ProgramData\JECAFHJEGC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3728
- - C:\ProgramData\EBFHJEGDAF.exe
    "C:\ProgramData\EBFHJEGDAF.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDBFBFBGDBK.exe"
        5⤵
        
        PID:3396
      - C:\Users\AdminDBFBFBGDBK.exe
        
        "C:\Users\AdminDBFBFBGDBK.exe"
        6⤵
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJJJECFIECB.exe"
        5⤵
        
        PID:5112
      - C:\Users\AdminJJJECFIECB.exe
        
        "C:\Users\AdminJJJECFIECB.exe"
        6⤵
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3240
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHJJEHJJKJE.exe"
        5⤵
        
        PID:4140
      - C:\Users\AdminHJJEHJJKJE.exe
        
        "C:\Users\AdminHJJEHJJKJE.exe"
        6⤵
        
        PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAFHIIDHJEBF" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAFIJKKE

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\ProgramData\BFHIJEBKEB.exe

Filesize
25KB

MD5
168087c84c5ff3664e5e2f4eec18d7dd

SHA1
639e9e87103f576617ed08c50910ca92fe5c8c5b

SHA256
2a7cdb79045658b9c02ebbb159e5b3680d7d6d832dbd757572f7d202c3fa935d

SHA512
89491261e1234f917964566def4b1a50505ba4c2eb90d14c19e2130d78fe65cd61c4bba685909109c7088b35e7fd48f6311ace7a0dd8c703a6d1b1d23d1a54bb

Download Submit
C:\ProgramData\EBFHJEGDAF.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\FBFIDBFH

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\GIIIIJDHJEGI\AAKEGI

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\GIIIIJDHJEGI\CFCFHJ

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\GIIIIJDHJEGI\GDAAKK

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\IDBAFHDGDGHDGCBFCFID

Filesize
11KB

MD5
fe776dd032bebe227d52e0a0fce3bf43

SHA1
a681f3dc51cb61b627eab1291f0728253e2f234c

SHA256
e582d57e1b6ebcd262052d02149530a8077b4d14c6e3855fc7ebc823eca56af2

SHA512
be322e942264d9f161ad2f44b17eabcd5db36a6746db1a9f107481307081cc6d074d56f7f95eec8734a256377b73e466d89d8c20657e9bec53404ec262f50f15

Download Submit
C:\ProgramData\JECAFHJEGC.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\freebl3.dll

Filesize
18KB

MD5
128611e9434c4e83e0624c64c9e43f9b

SHA1
bc56fbaef16056fc74f8cd27eefdf449f0b295b2

SHA256
3de6681ce68e4598cac8f00bab65956a3d5d3f2968bdbbd9631d5d337994c04a

SHA512
f4412d52cef46a8463b46c8d746c58c3ad4c0dba2cfe65b8557e7ed6d056c8290f622ab207e5eb4c15b6c45c77b20dc5499278146757d7aacd11feb82a7cd210

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
176KB

MD5
8c3a96b6f1b05847ca29668c121c9e65

SHA1
2f8f5a145893921812cbbfe98e1ef2cc7e2eea2b

SHA256
d030efc8fb18e2f5761c598dd1974d19823ec24fc18c9af49845b5c91653e14d

SHA512
b56af14e88963f511e7df1f9f494baf4d74262b51abc469fb259d96fc683e3126a1a7ce150b136f99c086f13cc50f06974601bedca156e848f7383d9a151b7f0

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
500KB

MD5
e31ab390e5cd52dc320d25187f7208a2

SHA1
70769578fbcdc905894658f24e90c758fe4ef97f

SHA256
439a236a02cc1a7fe8c106605c4b700a38fb8813a8a8009fee5a0390736ac762

SHA512
bac9bcbef373469b402cf2cc5b0f997c391b3314f63ea6d52793f571d6ddde6961b4f145b193236ee50d3bb5d56c54781808dcbb200e48fd7547e9b33c1ebba2

Download Submit
C:\ProgramData\softokn3.dll

Filesize
138KB

MD5
93a0682f91f3497372e5c173512946dd

SHA1
da23c746ca5761f2e220778911f8e04ca62653ec

SHA256
15c7530aff65681456a37a98b48360d48f336c779a94408107372ab5db6e3a33

SHA512
5b93434d9fb60fc8fd322161a75bf6cbf2ce97223ba396613b8346e7486aaf4edf44263ce928e68662220800ef720fcf244996c42fa7e80841cf448ffe1175cf

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminDBFBFBGDBK.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
3d0514f5227d0ba8f91af3531108aa9e

SHA1
e785caa409acb468d4cc46790320a54f1ff99db6

SHA256
aac8c93892fef76efc9790da21d518ed553e974256217b4244b34d73bdd0f8ee

SHA512
2990a16921b56e0e00ef40e01c6a5d8ab425475de36fad0228d5f9d31643e476de620f594063fd5a253b47219c10e0de1094aeeea215be00225c7cb79fbc3eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
8104b368cb9a2f6ef0af31fcff9c55fc

SHA1
b605f36ca1760654fc1355f2ed683297d33855b3

SHA256
6c12b87dc7dea98ff54398c4cb7b2c1a6fd921eb894a67d06dd675e079cc3e59

SHA512
a8ce50c457d687f4ce08f25e6d14d428d72b4b7cec32b1e271694e33a49dd3bb46c34e313c1a7e9d17fa2ea08393dc01660eec3714ce9e4a9b5c4a18d50937dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminDBFBFBGDBK.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\76561199780418869[1].htm

Filesize
33KB

MD5
e89ed1bf53a59f35cb3865a5829e294b

SHA1
65146013dbd621d6e2c570e9ad861157bd74c3d1

SHA256
0abde7a57420f50d98af38fb806c345052a82ba4c213242f5ac6fccc2a698cb3

SHA512
10d4ddffbaf88321e6fdc81f93c06b7b3797c875a23dee8dba4856490e0fac38b4ce98c695ce21dab432b5d7f81e28adbc5bc3f87aa0681cb0c71fa06804778a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_52f26c9d6fc24d3daaf74baeba3c5ee0.lnk

Filesize
1KB

MD5
6d3e9a0172b208a294f988ca444bd845

SHA1
6222e7d666c52740fdd4bfe64a4e73c8c18252a9

SHA256
303a10871df74d924815d19dfd1c4b7083d67ff6ff7087f62685c2035794e151

SHA512
5ffee601995c258017d220b45999eee0fb33f6b94f036608a36ea8a80760cee2a5bbefe622187290021b8512fa83939da54a465e40a4fd258aff293e20944c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_62fc1a616dc14353ac83fd7a197cf848.lnk

Filesize
1KB

MD5
8b0e55898f09ee9fc2dace6742296fba

SHA1
ec3af6229722b282fcccdf57defe5840bf14debf

SHA256
c60599e745b03d288c4ca25ef5752226f3be9a356b2552558e9dc8fbbb06b7e5

SHA512
af2a454488c2091d6cc175296f60e9d3146e1fb4dbec6bcb6b48ac5e17f7f9b06a56d4ec186cae688135e72433e8dfa028275c623abb7b89778928fb8721830b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a2ba99e87bde437d97f3d518870eb29b.lnk

Filesize
1KB

MD5
20b507e2647e46911e4af876bde24e09

SHA1
4d9956de8b88c4f27b015c13c4bc95b3bb3d8553

SHA256
08b8cd182a4fe9fb619ffdec6797a7a4924a5cc711808526017e12ad02f76cac

SHA512
5bbcb84fc2a17cbd6816bc2d97aa560071a73b3caa12bad2f7f7180f443b4dcff3f492d0914e6d1947967ed1ea213bf9da4bb55c81577017e1a6092dc2669a47

Download Submit
memory/2004-712-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2004-530-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2004-527-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2192-1258-0x00000000002C0000-0x0000000000328000-memory.dmp

Filesize
416KB

Download
memory/2568-1-0x0000000000420000-0x0000000000488000-memory.dmp

Filesize
416KB

Download
memory/2568-11-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2568-78-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2568-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2868-101-0x0000000071ECE000-0x0000000071ECF000-memory.dmp

Filesize
4KB

Download
memory/2868-120-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/2868-105-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/2868-102-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/3040-146-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3240-1536-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3728-347-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3728-345-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3728-331-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3860-251-0x0000000000350000-0x00000000003A6000-memory.dmp

Filesize
344KB

Download
memory/4416-1451-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4416-1449-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4416-2108-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4416-2060-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4416-2039-0x0000000022190000-0x00000000223EF000-memory.dmp

Filesize
2.4MB

Download
memory/4416-1447-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4416-1963-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4416-1927-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-20-0x0000000022580000-0x00000000227DF000-memory.dmp

Filesize
2.4MB

Download
memory/4464-53-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-35-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-52-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-77-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-79-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4464-86-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download