stealc | 6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd

Analysis

max time kernel
70s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe
Size

403KB
MD5

5456c9b238c54e52277972cdadf6764d
SHA1

512977a16b78c08e9aeb028e06a5995fc36c0d40
SHA256

6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd
SHA512

bf6cfbbc35edcfec8d8dd2c7be5c587b2b43ada1bb1a43620711cc713b122e41b978cfb1b5b0f8dfe107bea00d34de02c7a112926302652f3810a779a818944b
SSDEEP

12288:WAdGQU/9evJZ/vzqp68V09Ij7THMweRdj0EO:DdxJvJNvl+jPR2d4t

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Signatures

Detect Vidar Stealer 18 IoCs

stealer

resource	yara_rule
behavioral2/memory/436-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-7-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-52-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-53-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-60-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-78-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-85-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-86-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/436-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4764-3406-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4764-4001-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4764-4063-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4764-4165-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4764-4231-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DBAEHCGHII.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	MFDBG.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2d4c8f68795b4eb6a330c9f33fedc3be.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8fcd26f89a044ae784039ad2cf794830.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_73902c126f5b48db8c5269eb79df6a8d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da04b333b3d94ac6aaece862da29f5d4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_54eae61e50654850a31e60a443819b47.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3d8979c9f00a4b13bd47cfb203219f23.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_895e137a2de8443f8d8edd1417584597.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_816fbc4d9a184582a06dc24315b826bf.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4839e32d52d34fdfb5a1ed5a87457329.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_17277b56ac57424f820e543baa020e25.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9d4e96660d2f4a1b9be2eb4e594534b5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_facf9ba9562c4590b28a8a1037598cf8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d9cbcff48c964b258b741f8cfd8d217d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3c5b83cf3c10424ab0823fef3ba388e7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9eff0d5e1f7e495ebbe53fe981b85023.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e9ff662fbba2469f84e5434f7e96fea2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_afafd5ed8ca04ed19601651b43385cb3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_32c67866dcd54d1cabd555e7b9fee38e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0278e7546f0c4cbca55c4bdaaa6e1b6b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_58753eb2f7d14e9a983d7c9003310bd2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_74adcc88242b4b77a2e42028205639d7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7bce723a8546484ebb4d21690cb0cacf.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2ac11ad994394c48a9974f1eff3fa5a4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_31a44dd240eb4c2088c1ac378a9983d2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e3d5e7d346e643d09eb94c59a4840f3b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2427924b70dd4ed2aeae0f9fb162dd5f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7f36d09c5f19446cb3cf0613ab3d873a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_09f0f483e6db47f1be0577aa860ddf83.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_778b89a3ddb046e69cfe878ae5f35f2d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9b3b91100c1348db99fa7bf11cee10af.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9e65ab1be19a49c3adc13fac651ce7e6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2e2a174d3a9044e6bc89ecdeb4fee1d8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3bfef9d1faff4898b1010f7c750950ad.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3f7bd6bfa0c94fbba101146a95fcf80d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3eac4ebadb944b6e846ff14e5962a7f7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c268119c863140919a185a609f804727.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_871324a21c1a45a7a7c96ab0a5801b3e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b89bb7fb230f48fbbefd6b4a38e8cd79.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_38e188626df340e5ba9d6f21abc8a55f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8b772248754846b7ac6efe47a961a75f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c73d1079592a42f1828ea3bf393b61b1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0bf5f826938a46e19bc541eeec1d8f02.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cc621c1bccd446ec9f12522f5e3b3edf.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_af8180a59cdc455690b2cb388203e1b4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6f9f7a94f3f14a038802c3e253345dde.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_14b02eda8dda4d15b9f649235dd0ffab.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_daa0e826940f4234af4a6358423e1656.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6bdaf31d75d24af3b1dacb982fa2defa.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d8ac68d5c93488e9d78e1db0bdf4735.lnk	DBAEHCGHII.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7a1b0072b15c4a52b2438a55a3f90914.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d3d9a957134d4d9a89983dedfbd00eba.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b104c1554c6447468136023200e35e72.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1a848a415d6b4295b9eab8cd5148f476.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3739f06fd48d46959198960cb00454ad.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_16046e4cc2b946c98e6fc69bba37e385.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa230c78e4774208ae4d4508f52ac73e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_61f85e1d423f45d1ad9e285d37fc4334.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b0569d9d205c49de80c789d32f42300f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6950f9ea407647f89d72419fafb9eda9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f90cd61c37c341a194afb696c0f80e4c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9fe303dfc9bf434291caca7ad318cd7b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f528a3e151af4506b582c6928a9b07b6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2d02397944d545d28af6e5a00adc942b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab9706ad5ed14e4c9553b9cd61b92ba0.lnk	MFDBG.exe

Executes dropped EXE 4 IoCs

pid	Process
1752	DBAEHCGHII.exe
3252	MFDBG.exe
1120	FDWDZ.exe
3272	GIEBFHCAKF.exe

Loads dropped DLL 2 IoCs

pid	Process
436	RegAsm.exe
436	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_28b994cab37e4c56b3e663717b5b3d4f = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	DBAEHCGHII.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
76	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GIEBFHCAKF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBAEHCGHII.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1664	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
436	RegAsm.exe
436	RegAsm.exe
436	RegAsm.exe
436	RegAsm.exe
436	RegAsm.exe
436	RegAsm.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe
3252	MFDBG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	MFDBG.exe
Token: SeDebugPrivilege	1120	FDWDZ.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1312	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 1456 wrote to memory of 1312	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 1456 wrote to memory of 1312	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 1456 wrote to memory of 1440	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	84
PID 1456 wrote to memory of 1440	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	84
PID 1456 wrote to memory of 1440	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	84
PID 1456 wrote to memory of 2604	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	85
PID 1456 wrote to memory of 2604	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	85
PID 1456 wrote to memory of 2604	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	85
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 1456 wrote to memory of 436	1456	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	86
PID 436 wrote to memory of 1752	436	RegAsm.exe	96
PID 436 wrote to memory of 1752	436	RegAsm.exe	96
PID 436 wrote to memory of 1752	436	RegAsm.exe	96
PID 1752 wrote to memory of 3252	1752	DBAEHCGHII.exe	98
PID 1752 wrote to memory of 3252	1752	DBAEHCGHII.exe	98
PID 1752 wrote to memory of 3252	1752	DBAEHCGHII.exe	98
PID 3252 wrote to memory of 1120	3252	MFDBG.exe	99
PID 3252 wrote to memory of 1120	3252	MFDBG.exe	99
PID 3252 wrote to memory of 1120	3252	MFDBG.exe	99
PID 436 wrote to memory of 3272	436	RegAsm.exe	100
PID 436 wrote to memory of 3272	436	RegAsm.exe	100
PID 436 wrote to memory of 3272	436	RegAsm.exe	100

C:\Users\Admin\AppData\Local\Temp\6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe
"C:\Users\Admin\AppData\Local\Temp\6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\ProgramData\DBAEHCGHII.exe
    "C:\ProgramData\DBAEHCGHII.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
      "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
- - C:\ProgramData\GIEBFHCAKF.exe
    "C:\ProgramData\GIEBFHCAKF.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5052
- - C:\ProgramData\FBFCFIEBKE.exe
    "C:\ProgramData\FBFCFIEBKE.exe"
    3⤵
    PID:1572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBAEBFIIECB.exe"
        5⤵
        
        PID:3900
      - C:\Users\AdminBAEBFIIECB.exe
        
        "C:\Users\AdminBAEBFIIECB.exe"
        6⤵
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDGIJDAFCFH.exe"
        5⤵
        
        PID:1352
      - C:\Users\AdminDGIJDAFCFH.exe
        
        "C:\Users\AdminDGIJDAFCFH.exe"
        6⤵
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminECBAEBGHDA.exe"
        5⤵
        
        PID:2796
      - C:\Users\AdminECBAEBGHDA.exe
        
        "C:\Users\AdminECBAEBGHDA.exe"
        6⤵
        
        PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HIIIDAKKJJJK" & exit
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AFHIEBKK

Filesize
114KB

MD5
242b4242b3c1119f1fb55afbbdd24105

SHA1
e1d9c1ed860b67b926fe18206038cd10f77b9c55

SHA256
2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

SHA512
7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

Download Submit
C:\ProgramData\AKEGDAKEHJDH\DHJDAK

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\AKEGDAKEHJDH\JJKFBA

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\AKEGDAKEHJDH\JJKFBA

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\DBAEHCGHII.exe

Filesize
25KB

MD5
168087c84c5ff3664e5e2f4eec18d7dd

SHA1
639e9e87103f576617ed08c50910ca92fe5c8c5b

SHA256
2a7cdb79045658b9c02ebbb159e5b3680d7d6d832dbd757572f7d202c3fa935d

SHA512
89491261e1234f917964566def4b1a50505ba4c2eb90d14c19e2130d78fe65cd61c4bba685909109c7088b35e7fd48f6311ace7a0dd8c703a6d1b1d23d1a54bb

Download Submit
C:\ProgramData\FBFCFIEBKE.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\GIEBFHCAKF.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\HIEHDAFHDHCBFIDGCFID

Filesize
11KB

MD5
9762bd8ad44da0a92c6b1eb922c283b9

SHA1
326989b9794e09e5a3ee88ccb89493ce037ede93

SHA256
56cf82d6110b56efd4dbb2d871ea23d0c33c753a04f0b6b8fea12830fde45ef2

SHA512
52c629a1c6ae25210aba211924c836783b81681879ee28cec907a2e459332f59f358fbcf6e8b2784983bbf1e3cbc576d59f3bf380ccf60ae3c7d8ca5d30862b6

Download Submit
C:\ProgramData\JJEGCBGI

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\freebl3.dll

Filesize
13KB

MD5
bb1dcddc7b08e7b683da9426d2895d3a

SHA1
69ce635788997b1ee4b7d69fa70765a66cd6a71f

SHA256
cb46725d09ec7238ed21005d54c6e89c680cf0877953f6c9856833133f935867

SHA512
3c64779607766e09594294510b597c06ce750698918ad8aa1f811b54d736d9ddeb6ce362490b3b91e28cb0cc9a3aef177699812440374b34d5aa1afd10e5f1e3

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
13KB

MD5
e416a22acaeff6cec5aa36a72becbede

SHA1
9fefce2eafd2e79ce0f0c60e2174b0052bfd0d2f

SHA256
edc0250d8dfe5b4049a64b6171d12ad701784f4650484d35315ab5286384e79e

SHA512
8ab549504e9c7f787e4ace97bcce5eed5bd9758b8cc223eae537e5ba3dc0f22ddd84802b1c43c2e947aa0a97742793b8cd09a5563ccd21820fa00bb5c1294421

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
39KB

MD5
1f1aa00a2d160ce959e0ac0c004abfcd

SHA1
d362ea0a7c66195f99a22b8e9a450be1618e0127

SHA256
83e5cea6e50f2a2f5aa6b9b3e09bdbf43e259126561959675e971f2a39fd27da

SHA512
718f5b6009a40dac032ccb656e639d01765537e7994983fe2daf6328f7a90af98e72723eb4f5fd7e3a472cba8cbca25705075d9ab3e8a2b542dfca7d07f2e3aa

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminBAEBFIIECB.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
3d0514f5227d0ba8f91af3531108aa9e

SHA1
e785caa409acb468d4cc46790320a54f1ff99db6

SHA256
aac8c93892fef76efc9790da21d518ed553e974256217b4244b34d73bdd0f8ee

SHA512
2990a16921b56e0e00ef40e01c6a5d8ab425475de36fad0228d5f9d31643e476de620f594063fd5a253b47219c10e0de1094aeeea215be00225c7cb79fbc3eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
62d29f8d01459d34574811541cc1bf15

SHA1
66b5e1ecb7f143b4e706008703c0fcdd25ac71ae

SHA256
f1ac37132e9fd81d97253ab32020cb85dfc7b7284539d5fca5a199d1ffc5829f

SHA512
be4e7317dfbbfc8eb3f76df72245f12e921860603288841f79c7597c9cfc71738162719d5fcc8eeac485b7d1c3fb952de4336858714750c6c405d2a981fba709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminBAEBFIIECB.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\76561199780418869[1].htm

Filesize
33KB

MD5
40662e6177aa5f4c31256b444f8b56b4

SHA1
a5810a10552eac814c2e17cf16e60f637c085bd2

SHA256
0cff1e621cb894b8e425180b04e23fa18da379449c43102d1a01610c49da533f

SHA512
8b702fba39ceb0434971754c70eee7b805e54041fa2edcd256d43ced7cb264522f62ffdafc007612c728be862be96012dc250717f2fc16f5f85a17a0ff105ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_03c49a6e69d444d0b8d572bec1dc0e74.lnk

Filesize
1KB

MD5
f637a2e75cbab4b707bc665efdde111b

SHA1
a99c6f3dc0a43b5df5ba58cd6d057f59e0165f6a

SHA256
e372a9e6343ce3a3f394a1141298e5e4595c711b0f9985659e0de61a58d262aa

SHA512
53a0f4a0bc2cae1d720e628f217141f25d0c326550a8b3eca1f3c1fa6ccd54b1bf001f967e5f69804ebc3865ef471ad1b100e74564e6517897822205c6ef4747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_24c49284041244eb850bd38b295f6c6d.lnk

Filesize
1KB

MD5
c1bce610feb04003614173a2af8223e8

SHA1
ccd9e5bd39fcbc96a254eb848ea2e6b31d4477f5

SHA256
606fba0b50539c3ee8205bf9ea30b00b3a424a5413404726abf77eeb509b9947

SHA512
02d72981e46b4d472f580c6ad59c20017fc58222bc709c5482a7f2cb87a6bb6491d8d76d2d512d6db187784b64c476d7760ce8c9f69b4487873d66b4d2bb6402

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2de264651ed541d894f78419dfa314a2.lnk

Filesize
1KB

MD5
2175bc120a9b9410e98ef7678e770456

SHA1
d24567b6686b530b286e0d080e0d042cedf8f991

SHA256
86af751ad5e51f16c7b87e392584933e6625347633e4c7d53face74651fb33b5

SHA512
b6c3c89d7fe3f2a7a61ac498f624965b336d565063193f1e34b534344e8fb08fd7fbb35170ccc6ad2d6082cecd4eda0b541e4920253140b1e25755a597ca17c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_33e8018057be41b5bfefc044efdcd83b.lnk

Filesize
1KB

MD5
01bbbe1466e98271b3b70480002c1a32

SHA1
85a9adacc5ec07080b94ad0ede2fb7d64c5c9d52

SHA256
a53d4cca6c00d6d2f9a70e87cb737866ba91c919ad92999d97a0605ab46adb58

SHA512
be20b5da183cfd589a90673b014f91b0e9d4c6ee106a76968faa70070ea7c2032f520f98f716a81f9f91308a7c457620e67f1cb77175b27dc2980a4903b8e980

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d8ac68d5c93488e9d78e1db0bdf4735.lnk

Filesize
1KB

MD5
d3acb3ab352e367dbbe66467ec4a1dc4

SHA1
74c44c3858b8361942fc63f2995add4811f5162f

SHA256
f45382a2ce74ed32899213803bece53a4c84cb1faf99665100b95c2b8e35c53f

SHA512
6b826154fe7d8ec9f79bdc8a1a019a1195402ce897e0690f8163180d455612bebc6518035ae24d19857dee69ee8feb4997174bf37f7a1165a5c591f36337bb0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_84c61eb79e7f4d73a751ff661be2bc84.lnk

Filesize
1KB

MD5
b876e5451646b587a1ebbf21d3dd34aa

SHA1
54e83d3479289edf9179f53eb1bde3e1f34f9cb1

SHA256
25e382fd04177768e867f32b0083173045374b5a1759d7c7b2c44d610b81970a

SHA512
c34f80c9d07812aed202754b774b471af811d2fd876070a41c0392df7917e52dbfd04e24c694afad6031b18e85393c98d60e4cb8734d5085899dbead8dd6884e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_98362ced808f46a8a8444c1a210b2c6b.lnk

Filesize
1KB

MD5
877bed03a36880da9857012402dce858

SHA1
a3df6c930c5e943e5490f2c61dc57a9938903594

SHA256
eb4e6295c6eb26076ad4e7b76bc6086c67c88647a69d110e8d9c81b0907482ea

SHA512
9f990418a8d3a6e143db12225eb64f75f5453917adfe3ccfb0b44959b63abe644e15d85d3ff47a97a2ee331ade9a829b10bffc00983777968e9729257785b390

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab7c3be0f4524d88bf5bcd6e8e355b81.lnk

Filesize
1KB

MD5
12f1f6d28d1e0812f165be95a8af66f0

SHA1
d0cb1191489eed6172a99734d4ca262ff16c3cd0

SHA256
fcc23e5d1fed23818b329ea566b8cd35719f49838f411af46abd48951c400cd2

SHA512
9e76ac2b52fee2451260077241ceb28b1798e654bf93d3bd3a89978f067038acd31ad72070aef5ccafdb2308eb9a5e6d5469e9207a773d9c79f614156363a185

Download Submit
memory/224-3119-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/436-78-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-53-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-60-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-85-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-86-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/436-22-0x0000000022710000-0x000000002296F000-memory.dmp

Filesize
2.4MB

Download
memory/436-52-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1456-20-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1456-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/1456-5-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1456-1-0x0000000000A10000-0x0000000000A78000-memory.dmp

Filesize
416KB

Download
memory/1484-3469-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1572-1290-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/1752-105-0x0000000072720000-0x0000000072ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1752-102-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/1752-101-0x000000007272E000-0x000000007272F000-memory.dmp

Filesize
4KB

Download
memory/1752-122-0x0000000072720000-0x0000000072ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3168-2576-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3168-1540-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3168-1538-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3272-374-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/4764-4001-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4764-3406-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4764-4063-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4764-4141-0x0000000021D90000-0x0000000021FEF000-memory.dmp

Filesize
2.4MB

Download
memory/4764-4165-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4764-4231-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/5052-619-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5052-623-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5052-625-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download