lumma | eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

Analysis

max time kernel
16s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe
Size

326KB
MD5

4ecc9d9d93e5ff84765dacbb1e54a4c9
SHA1

f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06
SHA256

eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524
SHA512

dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd
SSDEEP

6144:t8Dq7rJx+8v1/uqlAY1IyC2izMNaTPXECyd1uVhf11kNSEO:KDq6OlA2jjizMGXET4XfAkEO

Score

10^/10

lumma stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://drawzhotdog.shop/api

https://gutterydhowi.shop/api

https://ghostreedmnu.shop/api

https://offensivedzvju.shop/api

https://vozmeatillu.shop/api

https://fragnantbui.shop/api

https://stogeneratmns.shop/api

https://reinforcenh.shop/api

https://performenj.shop/api

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/4004-124-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-126-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-122-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-351-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-422-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-483-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-519-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-536-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-592-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-865-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-911-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-1037-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4004-1086-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	AdminBFCFBFBFBK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MFDBG.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9e4961fe58604cb78d294249173043cf.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d23c9e6f5646465abcb1c2f7b8e68e50.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_73c48e094f2348eba161985be1c82851.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30396d556d0e4ce38cd83d4d2cef0a06.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d3ed8ca233f74981aa69af35916dcab3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_19a0dad21ad0456a90f33af14546dca6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bf529febfc5e46c2a2c39d4661cc5712.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c2930424719435e877d044b8da85233.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_be0e3f1157684796aacaaa9377aa6de8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ee770a5435cd416c8c586be3657b1a2b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d6455759738a4e49aabb49e7567755e1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_903239eb1f524fa695d8e841446bbf31.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a2e91d083e694e11940483df8a45ed21.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e3bdb27d31fd41d9a44f571164413926.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_494b00a4e0794be3921e692038ce812a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f0dc3a9ded9545e1badb68bed1df207c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_780c59b16ddd4483987ed114ce4ca440.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a0473975f2bf476f8899ebd3e0a571ea.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c55e28bee5c048b99ce33a6fd0f7caa7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9169f423a86045249367c0d4f2c896ef.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c87f4b050d34514ab94a31ad27580bc.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_49335ccbfe684a4bb906507f9bb253d1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e66da80bda3e4502892f34cbd7bf991f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f553cadb27f54b529e3c2e24abb82d76.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_46377721b11a4eed82e805693de67678.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a0cb2687a964b358f8625794cd3a199.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ffbee6cbb5e4706a8bf968a46989eda.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_80b7ce471bd24c30bb69dfd77256176e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ea1e113d130142a0b578066902436844.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c06671db927340ee80920e802942ead3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab1cdaf5bdd54e9eb47247103d82d2ce.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_66e6325532384394aadf121eff13b37b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b84ddea41a9041be9f2950024be3ba40.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_747e22ce0dee435ab51f06b1b13ab136.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_18783a0b64d9402fa361ba4c875dfd61.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5f99b0091cf4e4c8a92b2409363544e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_321b728683d24dd8a40fd90ae74a609a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8157f5bc90614073a1bf252130da4270.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc96a8a7c3d74419893bbfec89f8cd46.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_979ffccc42eb4a85ad059b72bcd415ab.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_69bfbce7854d45c7b1190ad249975743.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e18923e28af741efb3225b193214a7db.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_27a405c8983f4d12b811a05670ad54b7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1c4bd5f097804796960ceec53295cb12.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b13ed4cc5e3249328986e5e598dd568b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a289016a8a44441ac09179fd5f3ebc7.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_92c7374d75c649f7b9b7c65ffe389a1f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1e1fe2a131774cd0b03dd0b6e38ec4a3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2ceb195cb30f41e0b3b3f7a90c74f418.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_555ee372c3ee4943bdcfd1bd5d24908b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6e1278331054a4bbf000924aaedb883.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b8b411829a4e453faf020ec05f775d8d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c7afb0b2b16d4defb89a35b51601b7f0.lnk	AdminBFCFBFBFBK.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ad252c94fc03402db9198d783f045f89.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_079e7e96496f4f94b1bc9a1a02fef107.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3bf3229fad9d4d1d8ca8dd0113fca7dd.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2aa8e6a4bd8849e8950ee3c37e5b43e6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_225f8c7aaf934787bc1d905bd77832a0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_560218ae1fb14d6492146c19ec3ee6fc.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87aee9dd365d423d867662c4355c7495.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_33c03074da67442bb518acf90b0506f5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b47e0a422c7145dc82404a184aa325a2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba8462a82f024cdd984118e2844e94e2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8b5926dbb04d4f6d9458ef1729f83cb5.lnk	MFDBG.exe

Executes dropped EXE 5 IoCs

pid	Process
5036	AdminCFHIIEHJKK.exe
1864	AdminJEHIIDGCFH.exe
4628	AdminBFCFBFBFBK.exe
3484	MFDBG.exe
2064	FDWDZ.exe

Loads dropped DLL 2 IoCs

pid	Process
640	RegAsm.exe
640	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_d9eb0d3988b945b195dadf4402a4da7d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	AdminBFCFBFBFBK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2144 set thread context of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 5036 set thread context of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 1864 set thread context of 1860	1864	AdminJEHIIDGCFH.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCFHIIEHJKK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminJEHIIDGCFH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminBFCFBFBFBK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1716	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	RegAsm.exe
640	RegAsm.exe
640	RegAsm.exe
640	RegAsm.exe
3484	MFDBG.exe
4004	RegAsm.exe
4004	RegAsm.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
3484	MFDBG.exe
2064	FDWDZ.exe
2064	FDWDZ.exe
3484	MFDBG.exe
3484	MFDBG.exe
2064	FDWDZ.exe
3484	MFDBG.exe
2064	FDWDZ.exe
3484	MFDBG.exe
3484	MFDBG.exe
2064	FDWDZ.exe
3484	MFDBG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	MFDBG.exe
Token: SeDebugPrivilege	2064	FDWDZ.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 2144 wrote to memory of 640	2144	eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe	85
PID 640 wrote to memory of 2340	640	RegAsm.exe	89
PID 640 wrote to memory of 2340	640	RegAsm.exe	89
PID 640 wrote to memory of 2340	640	RegAsm.exe	89
PID 2340 wrote to memory of 5036	2340	cmd.exe	92
PID 2340 wrote to memory of 5036	2340	cmd.exe	92
PID 2340 wrote to memory of 5036	2340	cmd.exe	92
PID 640 wrote to memory of 592	640	RegAsm.exe	94
PID 640 wrote to memory of 592	640	RegAsm.exe	94
PID 640 wrote to memory of 592	640	RegAsm.exe	94
PID 592 wrote to memory of 1864	592	cmd.exe	96
PID 592 wrote to memory of 1864	592	cmd.exe	96
PID 592 wrote to memory of 1864	592	cmd.exe	96
PID 640 wrote to memory of 4284	640	RegAsm.exe	98
PID 640 wrote to memory of 4284	640	RegAsm.exe	98
PID 640 wrote to memory of 4284	640	RegAsm.exe	98
PID 4284 wrote to memory of 4628	4284	cmd.exe	100
PID 4284 wrote to memory of 4628	4284	cmd.exe	100
PID 4284 wrote to memory of 4628	4284	cmd.exe	100
PID 4628 wrote to memory of 3484	4628	AdminBFCFBFBFBK.exe	101
PID 4628 wrote to memory of 3484	4628	AdminBFCFBFBFBK.exe	101
PID 4628 wrote to memory of 3484	4628	AdminBFCFBFBFBK.exe	101
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 5036 wrote to memory of 4004	5036	AdminCFHIIEHJKK.exe	102
PID 3484 wrote to memory of 2064	3484	MFDBG.exe	103
PID 3484 wrote to memory of 2064	3484	MFDBG.exe	103
PID 3484 wrote to memory of 2064	3484	MFDBG.exe	103
PID 1864 wrote to memory of 4028	1864	AdminJEHIIDGCFH.exe	104
PID 1864 wrote to memory of 4028	1864	AdminJEHIIDGCFH.exe	104
PID 1864 wrote to memory of 4028	1864	AdminJEHIIDGCFH.exe	104
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105
PID 1864 wrote to memory of 1860	1864	AdminJEHIIDGCFH.exe	105

C:\Users\Admin\AppData\Local\Temp\eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe
"C:\Users\Admin\AppData\Local\Temp\eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFHIIEHJKK.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\AdminCFHIIEHJKK.exe
      "C:\Users\AdminCFHIIEHJKK.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
      - C:\ProgramData\CFHIIEHJKK.exe
        
        "C:\ProgramData\CFHIIEHJKK.exe"
        6⤵
        
        PID:1136
      - C:\ProgramData\EHJDGCBGDB.exe
        
        "C:\ProgramData\EHJDGCBGDB.exe"
        6⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4784
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EHJKJDGCGDAK" & exit
        6⤵
        
        PID:544
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJEHIIDGCFH.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Users\AdminJEHIIDGCFH.exe
      "C:\Users\AdminJEHIIDGCFH.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4028
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBFCFBFBFBK.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Users\AdminBFCFBFBFBK.exe
      "C:\Users\AdminBFCFBFBFBK.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EHJKJDGCGDAK\FBGCAA

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\EHJKJDGCGDAK\FBKECF

Filesize
11KB

MD5
6c08d09ba66940bbe76b3fd8e0b18c93

SHA1
816ce87358e6adac6bf194219ec28c15d844a8a7

SHA256
ca2737615456fab197e08ea8501e579b44d235fff4ed5e4cc9f005a50b14cffd

SHA512
6365a9b1d91fecfd72c72545594af3192918709503878bb9a3512fb11d74d7c105498bb4688e7282956284d2b9d5e163edff1d2c9e058842b90f198a7454ab0f

Download Submit
C:\ProgramData\EHJKJDGCGDAK\KECGHI

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminBFCFBFBFBK.exe

Filesize
25KB

MD5
168087c84c5ff3664e5e2f4eec18d7dd

SHA1
639e9e87103f576617ed08c50910ca92fe5c8c5b

SHA256
2a7cdb79045658b9c02ebbb159e5b3680d7d6d832dbd757572f7d202c3fa935d

SHA512
89491261e1234f917964566def4b1a50505ba4c2eb90d14c19e2130d78fe65cd61c4bba685909109c7088b35e7fd48f6311ace7a0dd8c703a6d1b1d23d1a54bb

Download Submit
C:\Users\AdminCFHIIEHJKK.exe

Filesize
403KB

MD5
c7f95fc671d7bf1bec293e9500577bcf

SHA1
5366030099354e76ab5f8b8df4b2e226a29679ef

SHA256
d1bd0c0a32f154e4a9c6eca1eafee762ccea17a390706025b63e657f0305f432

SHA512
82b932b03c091cf27c4671ae2bf14a35b4c9a80d0eca01204cc67b85ff215468d2de2db6f2950df9a86c165fbbe2156bb5314e8fcf841b7439badfa122eec99f

Download Submit
C:\Users\AdminJEHIIDGCFH.exe

Filesize
368KB

MD5
0cee1d66332dec523210f62e479284b9

SHA1
33f950916e13a6ec654c52160ee47e88c64a5724

SHA256
0a6a258bfdb9b1947f2945b44e274ff3f06a7c5c733ff83c2a71c5f911fa9cc0

SHA512
603aa4834c6d3a9f3b6b1629eeb2108cecfd7192110f0cf948f2971957a9231ad9d405d8424e3a41b32a8ff415d8f84e55afdec38bf996703093084162d11972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EHJDGCBGDB.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_045c5f4d0ae24f1d950532dd364ac0ce.lnk

Filesize
1KB

MD5
7a847b98d893ec9366a5d01241f5469a

SHA1
e0c23459a085d2510d30278534e94facc171fcae

SHA256
4a5f4e9f8174058bd4a4c126bd6c25e2031b05acfe852ebec9f9346a3add4e46

SHA512
064e99c30b85f099b1bf4f1587e74108179b061303e0ecf1467580fbc04cbcbd2b69965626a01b605bb51d92d9a88a517d6b736bb9444ebc566b3cfdeaeb6bcb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_18423fa6adb943c18b22981fc9f6fda5.lnk

Filesize
1KB

MD5
da5c2112b753b7002ee28ee65ac18d71

SHA1
6f39fb13a586014b6c3bc5c84d625c2647012664

SHA256
97c2a98050de7d29925a615dff40adc4214bf77018cc53a3423e68835a6fe1a9

SHA512
c0e9696d1216e949be4a589d0a3d972d4cb6a022da33a8605a04a060f67ba4a33ee28bbd498480f676a56999cc3dedc1f5237693ec358e471cac0b3357b58ab0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_19c9634a00cc41d482b38cc5f355e727.lnk

Filesize
1KB

MD5
153941e23e5ae5bb204fb3eda389d288

SHA1
a8196ccf810101a03792bdd4467c0ab1e5ba4c1c

SHA256
3b6365ca9a6fa75f1ed51208edcc6d79ce4563fa325062b224480fa40b257aa0

SHA512
cdd09062d556f405f2be30702943c28230779f95b00c426cea0b6b72451841ff5c9fbe1227d029f72c30ce221fcc63d4a64dff520fe3633cedb8b6000fcdd609

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1d70e9cb89fd4c72acdc158731d029d8.lnk

Filesize
1KB

MD5
288f21381f29b95ce0b37de90f58e72b

SHA1
e57dc34cdc77b430fd52a501c83e98b323278bf0

SHA256
f354aa42d8376db05c18c3f1d465ba324625f4bb49f37aad82703416285684a8

SHA512
fcc99be42dff1415da041d3232aa0c549f7c8ac362c96191b6507a798201ddf569ce78568c8036028798c9f287fbb59b1b665ed68888573d91ff16952f5bbe0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3477c328417548ca987d736b21a0720a.lnk

Filesize
1KB

MD5
8feabe77bb67d03b35cbae5c9e998f0c

SHA1
370f2edeb67c2a6600074d72b98d193b64f30547

SHA256
3247d2ccb4e8d9e040fa6d8a5d6dd25891cba100076c4b5e3132dc835f56d7fb

SHA512
f098bc6a0d2331615abdfb7d1b623e90e131e017830259d70134d700ba838413709f03a7a0e84944b616c84f12c2fb2b217dcccb3392bab46cd75086e0944672

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_45e7a4c5173c456c8697c6e06abf40ef.lnk

Filesize
1KB

MD5
d7d3d94f82818633def26f6c511b8e62

SHA1
cc97e04b8fcb3f705fe648903e436e2cc2c70a00

SHA256
435c473c193dc43f7e1a86a6633c4bd920194f51c9bb9285cdd14972db1f7454

SHA512
d28b8d920b9adc4f4d013cc870d1a414b858cc6bb75bc803160fb053fc122bbd6669fca93c7973dd1af4ae5d9b79be72179bd1ec3f6fcb1a10989fa6fad38976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_46dc4f65550b4e80a70e562a7f6b1a2e.lnk

Filesize
1KB

MD5
995b4c679bd9b8bf97304e2eaaa1e733

SHA1
f0248b8fcbabcf8bd2466676b1f0a20882dc5469

SHA256
20357b792ab195cf86f5a93453b32643b75edbc2f1cc5fa55e287f8aee0247a6

SHA512
74747d36cabce333d0e8258f7f8386e37d28377098c4e70a5acfa49e0f29b02442eb5b296f5c64d199f0b9320d3928e0a9341f48f40608e118aab0b504f1ef5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_75a140dff0614a84a4a6874fd34ce29e.lnk

Filesize
1KB

MD5
b6ec598b80e1553ba58cfb1abd194ef1

SHA1
df8566752e46f908b0d888b20fdc509819e85e16

SHA256
48fe7e147af0751dcc01e0fcae976e35de1f829fa4c0ac261ac16277a93d1c71

SHA512
4dc744ae818a9775db68c57d0bbcb9fa60f0f2c06d5b32dbab415cea3c7684aa745f9ecc4a4633f056f493ca53b063b5dc1275e9b428eca4fe601c62a63d6d62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9f5173568b9f4f97a7d6fbfd8cf45d90.lnk

Filesize
1KB

MD5
be4dbeb3949d27aabd3d8f08bbfdb77f

SHA1
7fc5826efb63885a09aa0cca93d4c61d223cb66a

SHA256
6844f254af32db687140d3e9addf877b29fba0454e022890e0e55a4d5f821db9

SHA512
e44fb933b170cfd7d81fb1ab558bb6d79c949d93beeaef2b0bab938c0de22596c8d0667c85dccebc11e035a8543a7912933251128b19f7957ef7a69606d3dbf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b8d544c7eab548009bdbd5641b354657.lnk

Filesize
1KB

MD5
0124c90ace2c8a35542e96e566cbaedd

SHA1
76bc88b0c32f5ed22b31235f9f50745d6759343c

SHA256
00cf20f94fa1e2d025b0ba411393615e24defb1edfeb83b7b585e2ff9c36c635

SHA512
f4b4d64ce4e942ff767b2238f09f71fe66bac6ec22d4042931ac8d6e9269206ad98552cfe913ba95abd014a2b0f7ed6032c52a1b68a6dd1dd7b9ce306f8b9e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c7afb0b2b16d4defb89a35b51601b7f0.lnk

Filesize
1KB

MD5
4accad58a4bf3c6fddc80e3d399438d3

SHA1
d58016cdf2ba4b8b18d40c0b60ef3217db638c4b

SHA256
8c64a302cf1194957fa312f2a614398f369d1e406e600f65ae7bf8d044282622

SHA512
1a24217b9391b7a04b690ab4150114e77269292876c85203c7328fdba54ab1cb63769ff7ca2077583bd5d537467f0d377c21b263195da321fbe7daab49556228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e0453b8583ee4d818192165ed3af757f.lnk

Filesize
1KB

MD5
76ec27d16f8a568cc356a231676d312f

SHA1
362b1b6a71592da2c1481ce7e3337aad0503a5c2

SHA256
7e24d039e3f0ddeb86915f083f2cd8d4155c68a0852573a96765a443c8d7cec9

SHA512
62fa8cfa19aa0090088aa3dda6ab66522891db5c7bde3a964e0d5a55d6988fc79238c878c0594a91727d19bd1f507f06cf9862a444da75162372ae1096042f17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff41f4c7bf424aa299c052b6bb7f01fe.lnk

Filesize
1KB

MD5
ce40cb040589c7fadb60d7e50ffd1d26

SHA1
017a2577d52bb2c964bd565a69a2c5e1d08f6670

SHA256
4a2993988e9e06755900bbaa58862a9ed509e500e744e05fa24ef479650b2cd0

SHA512
aaae908c91c6415dc5fd1ecce05ca57228f8a506a74164a535649240ebb59a9d6819690fd7bfdf9e26c74c3702521fc03b5077d5695e2166329e49d5caad7e95

Download Submit
memory/640-2718-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/640-9-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/640-3-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/640-7-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/640-215-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/640-8-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1860-142-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1860-140-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1860-144-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1864-98-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2144-152-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/2144-5-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/2144-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2144-1-0x0000000000450000-0x00000000004A6000-memory.dmp

Filesize
344KB

Download
memory/4004-483-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-1037-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-1086-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-911-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-865-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-592-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-536-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-519-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-469-0x0000000020160000-0x00000000203BF000-memory.dmp

Filesize
2.4MB

Download
memory/4004-422-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-351-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-122-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-126-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4004-124-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4628-102-0x0000000000F80000-0x0000000000F8C000-memory.dmp

Filesize
48KB

Download
memory/5036-88-0x00000000002E0000-0x0000000000348000-memory.dmp

Filesize
416KB

Download
memory/5036-87-0x0000000072D6E000-0x0000000072D6F000-memory.dmp

Filesize
4KB

Download