lumma | b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6

Analysis

max time kernel
122s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe
Size

206KB
MD5

d3ed2aa324fd7210cf8cfe10e01614d0
SHA1

9286da31e15e89fff87a7f94885c4d956ab2b314
SHA256

b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6
SHA512

76f5deafeb32c63366720b4a9ced89e437a4d3924d5f8894324f11eb76e0a96b6e22c608760a1681981e1a39f87ebc8f687de7bc1a82cdaa85e5828601993164
SSDEEP

3072:IXtQlQYSV4saTMMJF5VA5VbG/FmapZhtlsxrXaapb:cBYSV4sJ0AcFpqp

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4160-133-0x0000000002DB0000-0x0000000002DB9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

29 424 rundll32.exe
32 424 rundll32.exe
35 424 rundll32.exe
48 424 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

DE8D.exeCE6D.exe

pid process

220 DE8D.exe
2948 CE6D.exe

flow	pid	process
29	424	rundll32.exe
32	424	rundll32.exe
35	424	rundll32.exe
48	424	rundll32.exe

pid	process
220	DE8D.exe
2948	CE6D.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeLinguistic\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AdobeLinguistic.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeLinguistic\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

424 rundll32.exe
4152 svchost.exe
432 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
424	rundll32.exe
4152	svchost.exe
432	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 424 set thread context of 2956 424 rundll32.exe rundll32.exe

description	pid	process	target process
PID 424 set thread context of 2956	424	rundll32.exe	rundll32.exe

Drops file in Program Files directory 28 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rename.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\form_responses.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-ui-theme.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DarkTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reader_sl.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeLinguistic.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Words.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\add_reviewer.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SaveAsRTF.api	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

984 220 WerFault.exe DE8D.exe
2856 2948 WerFault.exe CE6D.exe

pid	pid_target	process	target process
984	220	WerFault.exe	DE8D.exe
2856	2948	WerFault.exe	CE6D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f568526100054656d7000003a0009000400efbe6b558a6c2f568a262e0000000000000000000000000000000000000000000000000004dca000540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2600

pid	process
2600

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe

pid	process
4160	b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe
4160	b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2600
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe

pid process

4160 b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe

pid	process
2600

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeDebugPrivilege	424	rundll32.exe
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

rundll32.exerundll32.exe

pid	process
2956	rundll32.exe
2600
2600
2600
2600
2600
2600
2600
2600
424	rundll32.exe
424	rundll32.exe
424	rundll32.exe
424	rundll32.exe
424	rundll32.exe
424	rundll32.exe
424	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2600
2600

pid	process
2600
2600

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

DE8D.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2600 wrote to memory of 220	2600		DE8D.exe
PID 2600 wrote to memory of 220	2600		DE8D.exe
PID 2600 wrote to memory of 220	2600		DE8D.exe
PID 220 wrote to memory of 424	220	DE8D.exe	rundll32.exe
PID 220 wrote to memory of 424	220	DE8D.exe	rundll32.exe
PID 220 wrote to memory of 424	220	DE8D.exe	rundll32.exe
PID 4152 wrote to memory of 432	4152	svchost.exe	rundll32.exe
PID 4152 wrote to memory of 432	4152	svchost.exe	rundll32.exe
PID 4152 wrote to memory of 432	4152	svchost.exe	rundll32.exe
PID 424 wrote to memory of 2956	424	rundll32.exe	rundll32.exe
PID 424 wrote to memory of 2956	424	rundll32.exe	rundll32.exe
PID 424 wrote to memory of 2956	424	rundll32.exe	rundll32.exe
PID 424 wrote to memory of 3500	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3500	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3500	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4708	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4708	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4708	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4916	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4916	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4916	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3148	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3148	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3148	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4404	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4404	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4404	424	rundll32.exe	schtasks.exe
PID 2600 wrote to memory of 2948	2600		CE6D.exe
PID 2600 wrote to memory of 2948	2600		CE6D.exe
PID 2600 wrote to memory of 2948	2600		CE6D.exe
PID 424 wrote to memory of 1924	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 1924	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 1924	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3200	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3200	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3200	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4008	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4008	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4008	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 372	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 372	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 372	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 428	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 428	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 428	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3220	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3220	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3220	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3496	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3496	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 3496	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 1176	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 1176	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 1176	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4620	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4620	424	rundll32.exe	schtasks.exe
PID 424 wrote to memory of 4620	424	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe
"C:\Users\Admin\AppData\Local\Temp\b6b52463d5c5360882db5a2998016ebee2eeac8565bbe601bfc48a64a6f36fc6.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4160

C:\Users\Admin\AppData\Local\Temp\DE8D.exe
C:\Users\Admin\AppData\Local\Temp\DE8D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:424

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2956

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3500

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4708

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4916

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3148

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4404

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1924

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3200

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4008

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:372

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:428

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3220

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3496

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1176

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4620

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4444

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4164

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3768

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1928

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5000

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2816

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 556
2⤵
- Program crash
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 220 -ip 220
1⤵
PID:4724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobelinguistic.dll",ii9bVQ==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\CE6D.exe
C:\Users\Admin\AppData\Local\Temp\CE6D.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1364
2⤵
- Program crash
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2948 -ip 2948
1⤵
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeLinguistic.dll
Filesize
774KB

MD5
f50e6df3e26a0994c9cc93826189c177

SHA1
12637a7ac93c4e3cf1794bd8da767e3251b7afbd

SHA256
a86c451a7dc76e1e8d091c07d4ce7ba25f182443474bdee3d7752d911042235e

SHA512
fe6eb724232e18604603bbf4aa3bbed51c473bae482c5aff23d316a25d3e9b25fb6b9eefb9dc02bf3f2699640a0583521b87669fb8f97cd4cf4db21e0805e325

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeLinguistic.dll
Filesize
774KB

MD5
f50e6df3e26a0994c9cc93826189c177

SHA1
12637a7ac93c4e3cf1794bd8da767e3251b7afbd

SHA256
a86c451a7dc76e1e8d091c07d4ce7ba25f182443474bdee3d7752d911042235e

SHA512
fe6eb724232e18604603bbf4aa3bbed51c473bae482c5aff23d316a25d3e9b25fb6b9eefb9dc02bf3f2699640a0583521b87669fb8f97cd4cf4db21e0805e325

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml
Filesize
149KB

MD5
95fdba87a0835dce3d259c38ed7f9371

SHA1
cb539d0d5cf31d38ec78c1325ea4c1710b8ec89c

SHA256
f84ae8cef222f02e3fc7d05f76eb8bedc767de9310e8674eda522ae7c45bdd64

SHA512
ce0e66eb46fc6c97d1e05258e38fc58272989101c4f99c5e836a9600d2969f4a256c097da8c3ea6a8b7ee0b9471c3b674cdb88ff6281e7b4eb9e7f439465b96b

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
Filesize
719KB

MD5
e9f03f8b71cac83b7d16ef685cabd0d0

SHA1
c5057520e0a65340360219618632037e7c0c474a

SHA256
fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db

SHA512
1703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe.xml
Filesize
24KB

MD5
56cc188f572451b90ca1f71b44ac4e64

SHA1
790a449a478a6fbfd0fa2cc38d541ee62098746b

SHA256
df14300ee7cae37c4264ca6b10a60e30f8f94cba7b0e6430576decbf031c4eaa

SHA512
1b42c9e22cf3b8cb0433716364f8f775368c175ddce94026ae30743c352b73a1c4574603967120d28fdcad1f8cf977104f907c7f8140c41b2064d6658945fd83

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
839B

MD5
2f6bc19cc3de731b8eaec46910edaf83

SHA1
61fd41f1fd1e4c6d7178a204c8ab68add839a199

SHA256
6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966

SHA512
841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013BackupWin32.xml
Filesize
12KB

MD5
879dbf8cded6ac59df3fb0f32aa9eec6

SHA1
844be6baee27e23e5821491fc9532269b1143142

SHA256
3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687

SHA512
2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Pending.GRL
Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SettingsLocationTemplate2013A.xsd
Filesize
13KB

MD5
91452b27335b69acc128a8a841bfe405

SHA1
7d63c758a2d4d16ef4175637ed17d5ad2080a329

SHA256
ce07da21a959291739ec76f403576ef995d1bb29826b490184c2fe6a4e5c7b10

SHA512
ba5ff3e4e596e685ec3dff0951c298c76fd2240f774d0d01b80bce6ad5e234a208d0f775c0d2b30d0b9dfefb3e8bce173db4b1e77a9ca16251dde662a005163b

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SmsInterceptStore.jfm
Filesize
16KB

MD5
8ad8eabf315217362a2392acce762345

SHA1
1a2dafdf90dd56fd53dc623b7cfa00f13f1d24e8

SHA256
9d6bac58cea0733dd170ce5aa77c11217f00bb395cf569f8a5f645ac2919445a

SHA512
6da2b3309f948e2244840ccc7301eafaf7e0db2426f8b6cc01027d821d89f6fc724fc1043ddfa645ea23991c64ea5a82d356baaddb43dd76a77be89955f01e77

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\ThemeSettings2013.xml
Filesize
2KB

MD5
986d31966b8370330842dc0cd8eac1f1

SHA1
3e96a8f449cc3930a0cec85f2e24190452b058eb

SHA256
56e478dcefd0863a8af9edb7d4f8bc746d077e5f5df637bad19e66cbbbe20cb0

SHA512
7ed19b3eeeb35882795a3d4a20193b9a60e905ea855704afdc5ea7e3b27c3d954061ba04eff5ed9f7cf44aff7c9b4f443c74cfd6088027fb830ad49c59eceefd

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
6132a24c5fd3952bcf63694f273e99fe

SHA1
8eb6485f2c8ddfde4cb787b49574f61f64bcc826

SHA256
0b12d4f9f86259efc4ff49f24c35ced5c9578d1de59c9cc12edce7c63c42cb40

SHA512
fca5b24827febdbaef7c05da0c681c2819a20a130c695d68bbd989f866b5d32299adb69c0b52db547de25ac137de44d332eaeff53f341596f442405817bca2b5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\qmgr.db
Filesize
768KB

MD5
707dc7d7859b13a4567b0372750d161b

SHA1
f789e7e0d22d3f1c552e5ec3a25eacc85440cac5

SHA256
cf61d6151c927ff309edb77bd1578d3c191bb1fa0fc71050f29ed80d6ccbb718

SHA512
17aac6dccf2920a8dfbf33001b6aceaaebda5923b3e60a125851b58c43931cd4ae8da4d37470c3604780016fce1a6560b215b2db7f3c7b9f94ab865b2f3feb8a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\setup.ini
Filesize
214B

MD5
d8b2e1bfe12db863bdccdd49a5e1c8b5

SHA1
9c979907f03887b270d4e87b0cdd5377cff3692c

SHA256
00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301

SHA512
3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\stream.x64.en-us.hash
Filesize
128B

MD5
73f303800be636585f9ec14701cd8d5e

SHA1
456304dc888d5eaa159fa0fa34fc9bcc3bacb633

SHA256
c8e3762853e17a3bd49882b0d36afa285bed5639f8f9e88f716c3942e28b6ace

SHA512
8a80ee6d1b074d68a55bbb3d5be251cfaae89b0345a6b0e84a6359e8c1453c8bf0969e6d33a7d0523d30d586c46c1eede9e71f7a89f7bc67ea0ad866671b81b4

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\sync.ico
Filesize
48KB

MD5
d1c012ba7049a4525a89b26c846ce0d3

SHA1
769fccd1ed39b3b6ce1ec6e44f096107b4375c58

SHA256
fce3d2b3ca14bbb41fcb8956ef80af38976f4c32787cc1ac3cc1e465ce0453cc

SHA512
538b3c161e3192d3cb8b78f0fb5f863ae84d04a9f236a876e5002a90189cb4b5beea496aefb444de2dd9ea45d1f530359b38d6a45f3260d1d14924bd31918dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE6D.exe
Filesize
244KB

MD5
7f26c94a8f67858ed74eb7d484c3a04b

SHA1
259a8e19c2f8dd5217d2587e0ae33ca8261bfa40

SHA256
3d108804bd4bc7f3c132bcd3d4cc6405bb0c5a7408f0774a87c2ff9f856ac4f0

SHA512
2f4be4df4abb8b8bc2ee249a27c8ee9d049cb6b0f69c7f6906b7440a00e1031f32ac92b8f928147edb313c5c90aef61d85fb30d02dcb13d2355751e9bf27df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE6D.exe
Filesize
244KB

MD5
7f26c94a8f67858ed74eb7d484c3a04b

SHA1
259a8e19c2f8dd5217d2587e0ae33ca8261bfa40

SHA256
3d108804bd4bc7f3c132bcd3d4cc6405bb0c5a7408f0774a87c2ff9f856ac4f0

SHA512
2f4be4df4abb8b8bc2ee249a27c8ee9d049cb6b0f69c7f6906b7440a00e1031f32ac92b8f928147edb313c5c90aef61d85fb30d02dcb13d2355751e9bf27df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE8D.exe
Filesize
1.0MB

MD5
ee055bcdd3d46fe8bf8c62e12fe6891b

SHA1
be3130de2b153f3666f375cd317fba13d0083a01

SHA256
6db754fef312e7d40ba60209145baac2a8b45684a35fc353c468e405554245af

SHA512
7133e039a0cf8886c89f5f28d3ae06f6098cdd52955b1bc98ecb8e08422d3cacb96d8b3a032c7803a07e8671e5c9fd853e4f11dc5ec52e0f8e1b12824776bed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE8D.exe
Filesize
1.0MB

MD5
ee055bcdd3d46fe8bf8c62e12fe6891b

SHA1
be3130de2b153f3666f375cd317fba13d0083a01

SHA256
6db754fef312e7d40ba60209145baac2a8b45684a35fc353c468e405554245af

SHA512
7133e039a0cf8886c89f5f28d3ae06f6098cdd52955b1bc98ecb8e08422d3cacb96d8b3a032c7803a07e8671e5c9fd853e4f11dc5ec52e0f8e1b12824776bed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\adobelinguistic.dll
Filesize
774KB

MD5
f50e6df3e26a0994c9cc93826189c177

SHA1
12637a7ac93c4e3cf1794bd8da767e3251b7afbd

SHA256
a86c451a7dc76e1e8d091c07d4ce7ba25f182443474bdee3d7752d911042235e

SHA512
fe6eb724232e18604603bbf4aa3bbed51c473bae482c5aff23d316a25d3e9b25fb6b9eefb9dc02bf3f2699640a0583521b87669fb8f97cd4cf4db21e0805e325

Download Submit
memory/220-144-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/220-136-0x0000000000000000-mapping.dmp

Download
memory/220-142-0x00000000049D3000-0x0000000004ABC000-memory.dmp

Filesize
932KB

Download
memory/220-143-0x0000000004AC0000-0x0000000004BEE000-memory.dmp

Filesize
1.2MB

Download
memory/220-145-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/372-199-0x0000000000000000-mapping.dmp

Download
memory/424-172-0x0000000005420000-0x0000000005560000-memory.dmp

Filesize
1.2MB

Download
memory/424-173-0x0000000005420000-0x0000000005560000-memory.dmp

Filesize
1.2MB

Download
memory/424-150-0x0000000005420000-0x0000000005560000-memory.dmp

Filesize
1.2MB

Download
memory/424-149-0x0000000005420000-0x0000000005560000-memory.dmp

Filesize
1.2MB

Download
memory/424-148-0x0000000004800000-0x0000000005355000-memory.dmp

Filesize
11.3MB

Download
memory/424-147-0x0000000004800000-0x0000000005355000-memory.dmp

Filesize
11.3MB

Download
memory/424-146-0x0000000004800000-0x0000000005355000-memory.dmp

Filesize
11.3MB

Download
memory/424-170-0x0000000005420000-0x0000000005560000-memory.dmp

Filesize
1.2MB

Download
memory/424-171-0x0000000005420000-0x0000000005560000-memory.dmp

Filesize
1.2MB

Download
memory/424-139-0x0000000000000000-mapping.dmp

Download
memory/428-200-0x0000000000000000-mapping.dmp

Download
memory/432-168-0x0000000000000000-mapping.dmp

Download
memory/432-179-0x00000000045D0000-0x0000000005125000-memory.dmp

Filesize
11.3MB

Download
memory/432-181-0x00000000045D0000-0x0000000005125000-memory.dmp

Filesize
11.3MB

Download
memory/432-180-0x00000000045D0000-0x0000000005125000-memory.dmp

Filesize
11.3MB

Download
memory/1176-203-0x0000000000000000-mapping.dmp

Download
memory/1300-208-0x0000000000000000-mapping.dmp

Download
memory/1924-191-0x0000000000000000-mapping.dmp

Download
memory/1928-210-0x0000000000000000-mapping.dmp

Download
memory/2816-212-0x0000000000000000-mapping.dmp

Download
memory/2948-197-0x0000000002D39000-0x0000000002D53000-memory.dmp

Filesize
104KB

Download
memory/2948-192-0x0000000002D39000-0x0000000002D53000-memory.dmp

Filesize
104KB

Download
memory/2948-194-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/2948-193-0x0000000002C20000-0x0000000002C4A000-memory.dmp

Filesize
168KB

Download
memory/2948-198-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/2948-188-0x0000000000000000-mapping.dmp

Download
memory/2956-178-0x0000027F70960000-0x0000027F70C15000-memory.dmp

Filesize
2.7MB

Download
memory/2956-177-0x0000000000670000-0x0000000000914000-memory.dmp

Filesize
2.6MB

Download
memory/2956-176-0x0000027F723C0000-0x0000027F72500000-memory.dmp

Filesize
1.2MB

Download
memory/2956-175-0x0000027F723C0000-0x0000027F72500000-memory.dmp

Filesize
1.2MB

Download
memory/2956-174-0x00007FF686AF6890-mapping.dmp

Download
memory/3100-205-0x0000000000000000-mapping.dmp

Download
memory/3148-186-0x0000000000000000-mapping.dmp

Download
memory/3200-195-0x0000000000000000-mapping.dmp

Download
memory/3220-201-0x0000000000000000-mapping.dmp

Download
memory/3496-202-0x0000000000000000-mapping.dmp

Download
memory/3500-182-0x0000000000000000-mapping.dmp

Download
memory/3768-209-0x0000000000000000-mapping.dmp

Download
memory/4008-196-0x0000000000000000-mapping.dmp

Download
memory/4152-184-0x0000000004530000-0x0000000005085000-memory.dmp

Filesize
11.3MB

Download
memory/4152-154-0x0000000004530000-0x0000000005085000-memory.dmp

Filesize
11.3MB

Download
memory/4160-132-0x0000000002DE8000-0x0000000002DF9000-memory.dmp

Filesize
68KB

Download
memory/4160-133-0x0000000002DB0000-0x0000000002DB9000-memory.dmp

Filesize
36KB

Download
memory/4160-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/4160-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/4164-207-0x0000000000000000-mapping.dmp

Download
memory/4404-187-0x0000000000000000-mapping.dmp

Download
memory/4444-206-0x0000000000000000-mapping.dmp

Download
memory/4620-204-0x0000000000000000-mapping.dmp

Download
memory/4708-183-0x0000000000000000-mapping.dmp

Download
memory/4708-213-0x0000000000000000-mapping.dmp

Download
memory/4916-185-0x0000000000000000-mapping.dmp

Download
memory/5000-211-0x0000000000000000-mapping.dmp

Download