lumma | 6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e

Analysis

max time kernel
119s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe
Size

210KB
MD5

6a0c02d75b060ef9fee6cb9c6d6d2a7d
SHA1

686f49a408d80ef700393a2ccf523c1a7223f1b4
SHA256

6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e
SHA512

cc1513c8f17bfa152a036be33e1cfeca00dfc6af297c793463e8160af65e242f7b8998ea0ee1947cecf75f82b50930da02395ffa6a0cbdc61ff5c652c8ecdaca
SSDEEP

3072:PYXWECROUQJd5/oOe7Q3hC8CnOjuzncezcX69i:PstUQnekEnXzbzcq

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4800-133-0x00000000048D0000-0x00000000048D9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

53 3656 rundll32.exe
55 3656 rundll32.exe
64 3656 rundll32.exe
71 3656 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

62E0.exe

pid process

3712 62E0.exe

flow	pid	process
53	3656	rundll32.exe
55	3656	rundll32.exe
64	3656	rundll32.exe
71	3656	rundll32.exe

pid	process
3712	62E0.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\back-arrow-hover\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\back-arrow-hover.dll꤀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\back-arrow-hover\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\back-arrow-hover.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\back-arrow-hover\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3656 rundll32.exe
2940 svchost.exe
3172 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3656	rundll32.exe
2940	svchost.exe
3172	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3656 set thread context of 2904	3656	rundll32.exe	rundll32.exe
PID 3656 set thread context of 4436	3656	rundll32.exe	rundll32.exe

Drops file in Program Files directory 22 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Checkers.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-hover.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Words.pdf	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3728 3712 WerFault.exe 62E0.exe
2764 1856 WerFault.exe 27A8.exe

pid	pid_target	process	target process
3728	3712	WerFault.exe	62E0.exe
2764	1856	WerFault.exe	27A8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 39 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056a606100054656d7000003a0009000400efbe6b558a6c3056a6062e000000000000000000000000000000000000000000000000005aff0000540065006d007000000014000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

784

pid	process
784

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe

pid	process
4800	6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe
4800	6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784
784

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

784
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe

pid process

4800 6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe

pid	process
784

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeDebugPrivilege	3656	rundll32.exe
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784
Token: SeShutdownPrivilege	784
Token: SeCreatePagefilePrivilege	784

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

2904 rundll32.exe
784
784
784
784
3656 rundll32.exe
784
784
784
784
4436 rundll32.exe
3656 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

784
784

pid	process
2904	rundll32.exe
784
784
784
784
3656	rundll32.exe
784
784
784
784
4436	rundll32.exe
3656	rundll32.exe

pid	process
784
784

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

62E0.exesvchost.exerundll32.exe

description	pid	process	target process
PID 784 wrote to memory of 3712	784		62E0.exe
PID 784 wrote to memory of 3712	784		62E0.exe
PID 784 wrote to memory of 3712	784		62E0.exe
PID 3712 wrote to memory of 3656	3712	62E0.exe	rundll32.exe
PID 3712 wrote to memory of 3656	3712	62E0.exe	rundll32.exe
PID 3712 wrote to memory of 3656	3712	62E0.exe	rundll32.exe
PID 2940 wrote to memory of 3172	2940	svchost.exe	rundll32.exe
PID 2940 wrote to memory of 3172	2940	svchost.exe	rundll32.exe
PID 2940 wrote to memory of 3172	2940	svchost.exe	rundll32.exe
PID 3656 wrote to memory of 2904	3656	rundll32.exe	rundll32.exe
PID 3656 wrote to memory of 2904	3656	rundll32.exe	rundll32.exe
PID 3656 wrote to memory of 2904	3656	rundll32.exe	rundll32.exe
PID 3656 wrote to memory of 2636	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 2636	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 2636	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 1584	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 1584	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 1584	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 4436	3656	rundll32.exe	rundll32.exe
PID 3656 wrote to memory of 4436	3656	rundll32.exe	rundll32.exe
PID 3656 wrote to memory of 4436	3656	rundll32.exe	rundll32.exe
PID 3656 wrote to memory of 2172	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 2172	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 2172	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 4904	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 4904	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 4904	3656	rundll32.exe	schtasks.exe
PID 3656 wrote to memory of 2220	3656	rundll32.exe	rundll32.exe
PID 3656 wrote to memory of 2220	3656	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe
"C:\Users\Admin\AppData\Local\Temp\6ca5c9a22c5917d0a429c64601bdc9014425ec20463e2a90c1c1a7317e397c9e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4800

C:\Users\Admin\AppData\Local\Temp\62E0.exe
C:\Users\Admin\AppData\Local\Temp\62E0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3656

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2904

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2636

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1584

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4436

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2172

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4904

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:2220

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2468

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4248

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:2304

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3372

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:1312

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3632

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1452

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 556
2⤵
- Program crash
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3712 -ip 3712
1⤵
PID:3524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\back-arrow-hover.dll",W0cUNWMzVnhl
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\27A8.exe
C:\Users\Admin\AppData\Local\Temp\27A8.exe
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1356
2⤵
- Program crash
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1856 -ip 1856
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-hover.dll
Filesize
774KB

MD5
17d3fbde47ef29a4e1f0431afd60cb7a

SHA1
58c105bd31e420b83be62f65e8bff5d5429f4d54

SHA256
f6e6dd1e40717198b9f1aa989eb9dd6f552161d4cbc131fac6456d6704286f56

SHA512
b20149b7f41e673636acb64baf9d7c53d59b0b3834dee92d6b9106797fca6fa608abb24787d8679fef62737a87fbf04f297e54cf2fa92e4a8bfc7fa6d23c5be8

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-hover.dll
Filesize
774KB

MD5
17d3fbde47ef29a4e1f0431afd60cb7a

SHA1
58c105bd31e420b83be62f65e8bff5d5429f4d54

SHA256
f6e6dd1e40717198b9f1aa989eb9dd6f552161d4cbc131fac6456d6704286f56

SHA512
b20149b7f41e673636acb64baf9d7c53d59b0b3834dee92d6b9106797fca6fa608abb24787d8679fef62737a87fbf04f297e54cf2fa92e4a8bfc7fa6d23c5be8

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Active.GRL
Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml
Filesize
14KB

MD5
cc78ff3a9bbf1967185797f3eac2090a

SHA1
80204fdfac8110dddc7e5c59ada69feef33a0614

SHA256
7afbc0905a69b223e8098f1a9b34fcf454ba79535873933df9c12dc8660174c3

SHA512
5ecf695a9be7c5521d1429fe696cb7d1d4d361b43f819b77e76828d5314e444ad61bd3c66f1cd7b7fea9c6138808a1194bc556cd5195658132121444d5a3636d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\DeploymentConfig.0.xml
Filesize
1KB

MD5
e4b9cc9585f7c7605c9b9ffbb6b2f621

SHA1
c0719259211262ee6f0fea428bba4fb5f7cfae08

SHA256
e3fe8fc8edfe491475b3ca4dc91b111e8b8ed5eac2594b12e86c2ca9e1da1477

SHA512
bbfae4ff1b1c5fe0ef2999ea0c2fc82ab392eb9780c3293626c519b12c00e0450f69db0942bd44afe2984f6a5a3d0bedc276da48d8a9654c7dc037e58d6bcad0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\EventStore.db
Filesize
20KB

MD5
c300bfadd4db74e36f9c1440f979837c

SHA1
80dcf4d62725fd51aa900ee17f1e11b1c9033ab9

SHA256
1d68f52452adc40ffb6d639a48be2f1bcb699c75022fc2f57a4a8b6de6ddf85e

SHA512
e5254c7f58076a78ecd253f4fe1a0d6f509376b0576dad5d44b71d5c128753a675262a134a79dab90fdee615879591ebbe840fb7a52e0f8bbb0bfc2c3b1839f4

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
db0acdbf49f80d3f3b0fb65a71b39341

SHA1
12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

SHA256
f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

SHA512
3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013BackupWin64.xml
Filesize
12KB

MD5
d24bea7d3b999f28e375d1d061a03d97

SHA1
95b207708762aa4752c77728128cbe3033646204

SHA256
57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2

SHA512
3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
2c52827738da727fbcb6ab72c55fca6e

SHA1
392cee834a4a3cdbef36778c672165febfb05a25

SHA256
20af6271bdc9b2627f0076995182d2b8cbf6d24a8110fd3d923c4316faf5896c

SHA512
843fa17da02dae8c104b3c135426840f2f45d7895f81bc5da8fae9ba7c074b1790df24ff721f16e9ae65afa9db1c5b60da3ac9b00e4c803dd8609fea2b5dfa8d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\qmgr.db
Filesize
768KB

MD5
707dc7d7859b13a4567b0372750d161b

SHA1
f789e7e0d22d3f1c552e5ec3a25eacc85440cac5

SHA256
cf61d6151c927ff309edb77bd1578d3c191bb1fa0fc71050f29ed80d6ccbb718

SHA512
17aac6dccf2920a8dfbf33001b6aceaaebda5923b3e60a125851b58c43931cd4ae8da4d37470c3604780016fce1a6560b215b2db7f3c7b9f94ab865b2f3feb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\27A8.exe
Filesize
248KB

MD5
d4371171249f45f3af6095825378c055

SHA1
7c38214ddc9fdf6598f5247272997dd682147717

SHA256
73cfa816bd989fa7dd51fc1aeff7657323836d86fdc30da54f3d0140376096c5

SHA512
96f1118afbc83d3738ac00e4b9b9e08f9773fa47edcd422d9951168341f61a63c1e388d775595a23325b6a227a0704a333de14855286cc7a13bc37406b8aba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\27A8.exe
Filesize
248KB

MD5
d4371171249f45f3af6095825378c055

SHA1
7c38214ddc9fdf6598f5247272997dd682147717

SHA256
73cfa816bd989fa7dd51fc1aeff7657323836d86fdc30da54f3d0140376096c5

SHA512
96f1118afbc83d3738ac00e4b9b9e08f9773fa47edcd422d9951168341f61a63c1e388d775595a23325b6a227a0704a333de14855286cc7a13bc37406b8aba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\62E0.exe
Filesize
1.1MB

MD5
4c0166d076c46c39e7d33531e2c4672b

SHA1
2351ae6f33d6776664178480b950bbba8d41e58a

SHA256
3d0e57799cbf940ede579b88534b2bcc61f0ea14946ae459d91b1d9240524b6d

SHA512
676ad2e3ef2fdc5eadc20cf21e62b1d7c42ad74b1a655334ed34357af65f3838519194c21e39741b56363d013a74f687f32561bdb9d8303ee21993eb07563829

Download Submit
C:\Users\Admin\AppData\Local\Temp\62E0.exe
Filesize
1.1MB

MD5
4c0166d076c46c39e7d33531e2c4672b

SHA1
2351ae6f33d6776664178480b950bbba8d41e58a

SHA256
3d0e57799cbf940ede579b88534b2bcc61f0ea14946ae459d91b1d9240524b6d

SHA512
676ad2e3ef2fdc5eadc20cf21e62b1d7c42ad74b1a655334ed34357af65f3838519194c21e39741b56363d013a74f687f32561bdb9d8303ee21993eb07563829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\back-arrow-hover.dll
Filesize
774KB

MD5
17d3fbde47ef29a4e1f0431afd60cb7a

SHA1
58c105bd31e420b83be62f65e8bff5d5429f4d54

SHA256
f6e6dd1e40717198b9f1aa989eb9dd6f552161d4cbc131fac6456d6704286f56

SHA512
b20149b7f41e673636acb64baf9d7c53d59b0b3834dee92d6b9106797fca6fa608abb24787d8679fef62737a87fbf04f297e54cf2fa92e4a8bfc7fa6d23c5be8

Download Submit
memory/1220-236-0x0000010CEBC90000-0x0000010CEBDD0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-233-0x00007FF7916E6890-mapping.dmp

Download
memory/1220-234-0x0000010CEBC90000-0x0000010CEBDD0000-memory.dmp

Filesize
1.2MB

Download
memory/1220-239-0x0000010CEA230000-0x0000010CEA4E5000-memory.dmp

Filesize
2.7MB

Download
memory/1220-238-0x0000010CEA230000-0x0000010CEA4E5000-memory.dmp

Filesize
2.7MB

Download
memory/1312-245-0x00007FF7916E6890-mapping.dmp

Download
memory/1312-250-0x000001B4EF650000-0x000001B4EF905000-memory.dmp

Filesize
2.7MB

Download
memory/1312-246-0x000001B4F10B0000-0x000001B4F11F0000-memory.dmp

Filesize
1.2MB

Download
memory/1312-247-0x000001B4F10B0000-0x000001B4F11F0000-memory.dmp

Filesize
1.2MB

Download
memory/1312-248-0x000001B4EF650000-0x000001B4EF905000-memory.dmp

Filesize
2.7MB

Download
memory/1452-251-0x0000000000000000-mapping.dmp

Download
memory/1540-240-0x0000000000000000-mapping.dmp

Download
memory/1584-177-0x0000000000000000-mapping.dmp

Download
memory/1856-227-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/1856-198-0x0000000000000000-mapping.dmp

Download
memory/1856-214-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/1856-213-0x00000000047C0000-0x00000000047EA000-memory.dmp

Filesize
168KB

Download
memory/1856-212-0x0000000002DF9000-0x0000000002E13000-memory.dmp

Filesize
104KB

Download
memory/2172-188-0x0000000000000000-mapping.dmp

Download
memory/2220-203-0x000001B102180000-0x000001B102435000-memory.dmp

Filesize
2.7MB

Download
memory/2220-197-0x000001B103BE0000-0x000001B103D20000-memory.dmp

Filesize
1.2MB

Download
memory/2220-195-0x00007FF7916E6890-mapping.dmp

Download
memory/2220-196-0x000001B103BE0000-0x000001B103D20000-memory.dmp

Filesize
1.2MB

Download
memory/2220-201-0x000001B102180000-0x000001B102435000-memory.dmp

Filesize
2.7MB

Download
memory/2304-222-0x00007FF7916E6890-mapping.dmp

Download
memory/2304-223-0x000001E7540F0000-0x000001E754230000-memory.dmp

Filesize
1.2MB

Download
memory/2304-226-0x000001E752680000-0x000001E752935000-memory.dmp

Filesize
2.7MB

Download
memory/2304-228-0x000001E752680000-0x000001E752935000-memory.dmp

Filesize
2.7MB

Download
memory/2304-224-0x000001E7540F0000-0x000001E754230000-memory.dmp

Filesize
1.2MB

Download
memory/2468-202-0x0000000000000000-mapping.dmp

Download
memory/2636-176-0x0000000000000000-mapping.dmp

Download
memory/2904-175-0x00000170009B0000-0x0000017000C65000-memory.dmp

Filesize
2.7MB

Download
memory/2904-179-0x00000170009B0000-0x0000017000C65000-memory.dmp

Filesize
2.7MB

Download
memory/2904-173-0x0000000000500000-0x00000000007A4000-memory.dmp

Filesize
2.6MB

Download
memory/2904-174-0x0000017002280000-0x00000170023C0000-memory.dmp

Filesize
1.2MB

Download
memory/2904-172-0x0000017002280000-0x00000170023C0000-memory.dmp

Filesize
1.2MB

Download
memory/2904-171-0x00007FF7916E6890-mapping.dmp

Download
memory/2940-178-0x00000000045C0000-0x0000000005115000-memory.dmp

Filesize
11.3MB

Download
memory/2940-153-0x00000000045C0000-0x0000000005115000-memory.dmp

Filesize
11.3MB

Download
memory/2940-161-0x00000000045C0000-0x0000000005115000-memory.dmp

Filesize
11.3MB

Download
memory/3120-259-0x0000022D636A0000-0x0000022D63955000-memory.dmp

Filesize
2.7MB

Download
memory/3120-260-0x0000022D65100000-0x0000022D65240000-memory.dmp

Filesize
1.2MB

Download
memory/3120-258-0x0000022D65100000-0x0000022D65240000-memory.dmp

Filesize
1.2MB

Download
memory/3120-256-0x00007FF7916E6890-mapping.dmp

Download
memory/3172-165-0x00000000052C0000-0x0000000005E15000-memory.dmp

Filesize
11.3MB

Download
memory/3172-166-0x00000000052C0000-0x0000000005E15000-memory.dmp

Filesize
11.3MB

Download
memory/3172-162-0x0000000000000000-mapping.dmp

Download
memory/3372-235-0x0000000000000000-mapping.dmp

Download
memory/3632-249-0x0000000000000000-mapping.dmp

Download
memory/3656-244-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-221-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-229-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-257-0x0000000005B91000-0x0000000005B93000-memory.dmp

Filesize
8KB

Download
memory/3656-231-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-243-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-205-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-206-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-207-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-208-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-230-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-255-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-254-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-253-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-183-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-181-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-252-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-139-0x0000000000000000-mapping.dmp

Download
memory/3656-194-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-218-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-219-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-220-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-182-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-146-0x0000000004E90000-0x00000000059E5000-memory.dmp

Filesize
11.3MB

Download
memory/3656-180-0x00000000075C0000-0x0000000007700000-memory.dmp

Filesize
1.2MB

Download
memory/3656-170-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-242-0x00000000075C0000-0x0000000007700000-memory.dmp

Filesize
1.2MB

Download
memory/3656-169-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-168-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-167-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-193-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-241-0x00000000075C0000-0x0000000007700000-memory.dmp

Filesize
1.2MB

Download
memory/3656-147-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-232-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-148-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-145-0x0000000004E90000-0x00000000059E5000-memory.dmp

Filesize
11.3MB

Download
memory/3656-191-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-192-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/3656-237-0x0000000005B91000-0x0000000005B93000-memory.dmp

Filesize
8KB

Download
memory/3656-149-0x0000000004E90000-0x00000000059E5000-memory.dmp

Filesize
11.3MB

Download
memory/3696-225-0x0000000000000000-mapping.dmp

Download
memory/3712-144-0x0000000000400000-0x0000000002C76000-memory.dmp

Filesize
40.5MB

Download
memory/3712-143-0x0000000004B20000-0x0000000004C4E000-memory.dmp

Filesize
1.2MB

Download
memory/3712-136-0x0000000000000000-mapping.dmp

Download
memory/3712-142-0x0000000004A2B000-0x0000000004B14000-memory.dmp

Filesize
932KB

Download
memory/3836-204-0x0000000000000000-mapping.dmp

Download
memory/4248-216-0x0000000000000000-mapping.dmp

Download
memory/4436-189-0x00000151E5550000-0x00000151E5805000-memory.dmp

Filesize
2.7MB

Download
memory/4436-186-0x00000151E6FB0000-0x00000151E70F0000-memory.dmp

Filesize
1.2MB

Download
memory/4436-185-0x00000151E6FB0000-0x00000151E70F0000-memory.dmp

Filesize
1.2MB

Download
memory/4436-187-0x00000151E5550000-0x00000151E5805000-memory.dmp

Filesize
2.7MB

Download
memory/4436-184-0x00007FF7916E6890-mapping.dmp

Download
memory/4680-215-0x0000013018260000-0x0000013018515000-memory.dmp

Filesize
2.7MB

Download
memory/4680-217-0x0000013018260000-0x0000013018515000-memory.dmp

Filesize
2.7MB

Download
memory/4680-211-0x0000013019B30000-0x0000013019C70000-memory.dmp

Filesize
1.2MB

Download
memory/4680-210-0x0000013019B30000-0x0000013019C70000-memory.dmp

Filesize
1.2MB

Download
memory/4680-209-0x00007FF7916E6890-mapping.dmp

Download
memory/4800-132-0x0000000002C78000-0x0000000002C89000-memory.dmp

Filesize
68KB

Download
memory/4800-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4800-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4800-133-0x00000000048D0000-0x00000000048D9000-memory.dmp

Filesize
36KB

Download
memory/4904-190-0x0000000000000000-mapping.dmp

Download