lumma | 1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29

Analysis

max time kernel
116s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2023 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe
Size

207KB
MD5

e61bd1023de1c935149a998c33ae9f37
SHA1

f06f36974c483508c0616b5de63aa70472358b14
SHA256

1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29
SHA512

81999880f516b3b6b2ff584e4e8ae4b70e33fe2fcfb0ac15b8f3397e88666e1985d0b62a5660a32c5f6718ef374fa338a92be961dbf586c2a10d3fc9f3d8f475
SSDEEP

3072:ZXNhbS3y+k+BFCJ5vGgdBmRVDb5Lk3O5+n/06Pwx7apb:9fgy+k+uzPMRVDb58u6Pzp

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2432-136-0x00000000001E0000-0x00000000001E9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

17 4716 rundll32.exe
19 4716 rundll32.exe
30 4716 rundll32.exe
34 4716 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1A00.exe880D.exe

pid process

3760 1A00.exe
4640 880D.exe

flow	pid	process
17	4716	rundll32.exe
19	4716	rundll32.exe
30	4716	rundll32.exe
34	4716	rundll32.exe

pid	process
3760	1A00.exe
4640	880D.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Adobe.Reader.Dependencies.mani\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Adobe.Reader.Dependencies.mani.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Adobe.Reader.Dependencies.mani\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService㼀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Adobe.Reader.Dependencies.mani\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Deletes itself 1 IoCs

Processes:

pid process

3048
Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4716 rundll32.exe
4396 svchost.exe
2076 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3048

pid	process
4716	rundll32.exe
4396	svchost.exe
2076	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4716 set thread context of 1612 4716 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4716 set thread context of 1612	4716	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LightTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_received.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.mani.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Updater.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 36 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f56cc32100054656d7000003a0009000400efbe0c5553882f56cc322e00000000000000000000000000000000000000000000000000efb12f01540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe

pid	process
2432	1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe
2432	1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe

pid process

2432 1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe

pid	process
3048

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4716	rundll32.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1612 rundll32.exe
3048
3048
3048
3048
4716 rundll32.exe
3048
3048
3048
3048
4716 rundll32.exe
4716 rundll32.exe
4716 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3048
3048

pid	process
1612	rundll32.exe
3048
3048
3048
3048
4716	rundll32.exe
3048
3048
3048
3048
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe

pid	process
3048
3048

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

1A00.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3048 wrote to memory of 3760	3048		1A00.exe
PID 3048 wrote to memory of 3760	3048		1A00.exe
PID 3048 wrote to memory of 3760	3048		1A00.exe
PID 3760 wrote to memory of 4716	3760	1A00.exe	rundll32.exe
PID 3760 wrote to memory of 4716	3760	1A00.exe	rundll32.exe
PID 3760 wrote to memory of 4716	3760	1A00.exe	rundll32.exe
PID 3048 wrote to memory of 4640	3048		880D.exe
PID 3048 wrote to memory of 4640	3048		880D.exe
PID 3048 wrote to memory of 4640	3048		880D.exe
PID 4716 wrote to memory of 1612	4716	rundll32.exe	rundll32.exe
PID 4716 wrote to memory of 1612	4716	rundll32.exe	rundll32.exe
PID 4716 wrote to memory of 1612	4716	rundll32.exe	rundll32.exe
PID 4396 wrote to memory of 2076	4396	svchost.exe	rundll32.exe
PID 4396 wrote to memory of 2076	4396	svchost.exe	rundll32.exe
PID 4396 wrote to memory of 2076	4396	svchost.exe	rundll32.exe
PID 4716 wrote to memory of 2140	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 2140	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 2140	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 2940	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 2940	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 2940	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4724	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4724	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4724	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3596	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3596	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3596	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4000	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4000	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4000	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3184	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3184	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3184	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3692	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3692	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3692	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4276	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4276	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 4276	4716	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe
"C:\Users\Admin\AppData\Local\Temp\1ce27fdc5a5869835ceaef65c07fc5cf0165d373aa9cae89a5f713d7d704fc29.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2432

C:\Users\Admin\AppData\Local\Temp\1A00.exe
C:\Users\Admin\AppData\Local\Temp\1A00.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18659
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2940

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4724

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3596

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4000

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3184

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4276

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2176

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3528

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4296

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5000

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4592

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5064

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4828

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1308

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\880D.exe
C:\Users\Admin\AppData\Local\Temp\880D.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobe.reader.dependencies.mani.dll",XRJL
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\137__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml
Filesize
708B

MD5
d6bedd2796699e97157137050c59961f

SHA1
ee15aff5a20bf437f7f5ebdc20901e9b7d62b80d

SHA256
6d20f7ebbde92f2d41c65599620b4fa5a67f41b0de55f800a9c4471a016a422d

SHA512
8cb791c97a28c94407f4fcfb2fb3966c1a10d8308d05cbef3176e668820841dd3f52e5c661009bdedf3e0033174ac0ef6d3742435c8fcc227ea55b1b0c3f25be

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\160__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml
Filesize
730B

MD5
df07014b0d6e8316a94732fa4e66aeae

SHA1
2ea69d0bc68bc077fe76293c4bca9d5144010b43

SHA256
91eabd593f0c860e78fa901051589a1c6dac9094fb10aa68e11ec78bed05234e

SHA512
954aecd51ef683a91270a40e140b22b66010bf2409e6c1d83b0f3936ee67bbb8a8ddcefbeed78d3ad80cd100b7ee7e1166e9fd2981d8f4bfbb6cef614acb3b6d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\168__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml
Filesize
650B

MD5
c3d32147407330eec6d5e13418c2d171

SHA1
e6c219273a6406f5e41f8875025e990e0112b1bd

SHA256
76f53ab389831b6618ee97962c557b3ca659dc0fa392a1748308c3fdad7096ec

SHA512
d41ef58b234b00b2469102d248ec5475093459c54b039647b65eefb35fe31fe4d0684bc33bf7622cd77a9b200df908feb4f3bbae49d03abd12a0894a55fa370f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
fb7bee492747f24a93a5036d232a4941

SHA1
b2606ec8b13a625f705d680924bdcf288811f576

SHA256
8fdb82de4eccaa7c7c90aa606f6bc1eeb5409e2983392af1f5b7e7b25b44e264

SHA512
c0e747fbbddb69261aa2b35497be33757c411aac78f0a62feb0e41114de0d64df5cd049fd08e96b7f2965b12094d4802d65429f069dfa9f8783408303593a7b2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\background.png
Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\folder.ico
Filesize
52KB

MD5
bbf9dbdc079c0cd95f78d728aa3912d4

SHA1
051f76cc8c6520768bac9559bb329abeebd70d7c

SHA256
bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2

SHA512
af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A00.exe
Filesize
1.0MB

MD5
cdaa1a093ef0360df6c70af0baeeefbd

SHA1
b4417c52eaeccd47805d2d36c4ac6ed91d5fd582

SHA256
d31d4c78c9d18ec58bff005ffb8dc8314369116628168fe886c9568ec1e2086e

SHA512
0c9e82bdec30dc0a0e043e8109d715ee095335ade3a0a83011a430c50be0363780f3bc6feefbf71532655b1d550e4ecd7e7d5d68d5d3e77f232baaec6dabc5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A00.exe
Filesize
1.0MB

MD5
cdaa1a093ef0360df6c70af0baeeefbd

SHA1
b4417c52eaeccd47805d2d36c4ac6ed91d5fd582

SHA256
d31d4c78c9d18ec58bff005ffb8dc8314369116628168fe886c9568ec1e2086e

SHA512
0c9e82bdec30dc0a0e043e8109d715ee095335ade3a0a83011a430c50be0363780f3bc6feefbf71532655b1d550e4ecd7e7d5d68d5d3e77f232baaec6dabc5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\880D.exe
Filesize
245KB

MD5
f39ffa9812c55774a4dd1451b23fa2d4

SHA1
f9f60ac20bfe819d2a012d0fb19e88ea4e4a348d

SHA256
758601b7d2c4c1c3ba050f4c9b0fd65f31f8d411965e2529ee22af93623f4148

SHA512
d35209af1f3ed8f0249bc14f70b9c6e95e88abc5c7d10d9e906761a09b98731c1279f87bae9699158e65e07e55e7f6a9d71be0dc9c4a6f07c529d2a668266b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\880D.exe
Filesize
245KB

MD5
f39ffa9812c55774a4dd1451b23fa2d4

SHA1
f9f60ac20bfe819d2a012d0fb19e88ea4e4a348d

SHA256
758601b7d2c4c1c3ba050f4c9b0fd65f31f8d411965e2529ee22af93623f4148

SHA512
d35209af1f3ed8f0249bc14f70b9c6e95e88abc5c7d10d9e906761a09b98731c1279f87bae9699158e65e07e55e7f6a9d71be0dc9c4a6f07c529d2a668266b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\adobe.reader.dependencies.mani.dll
Filesize
774KB

MD5
6764f2be973fc88e4c7615e0bb520def

SHA1
cf09f1c226571b40d6d1090710d2555618a639e9

SHA256
fede22edfc2f432a63336ff9f072f37161cdc5c184bf7bd3ce4c08f8daf4c6e9

SHA512
dd21252983a6c85ded4331213b9d9b594eecd16d83eb946b47a9c64c3eb1ab45403320a5445e1f688f6dfd7ea23203ed5ddb16fc5cf64e63bc9005d6cd5b5473

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.mani.dll
Filesize
774KB

MD5
6764f2be973fc88e4c7615e0bb520def

SHA1
cf09f1c226571b40d6d1090710d2555618a639e9

SHA256
fede22edfc2f432a63336ff9f072f37161cdc5c184bf7bd3ce4c08f8daf4c6e9

SHA512
dd21252983a6c85ded4331213b9d9b594eecd16d83eb946b47a9c64c3eb1ab45403320a5445e1f688f6dfd7ea23203ed5ddb16fc5cf64e63bc9005d6cd5b5473

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.mani.dll
Filesize
774KB

MD5
6764f2be973fc88e4c7615e0bb520def

SHA1
cf09f1c226571b40d6d1090710d2555618a639e9

SHA256
fede22edfc2f432a63336ff9f072f37161cdc5c184bf7bd3ce4c08f8daf4c6e9

SHA512
dd21252983a6c85ded4331213b9d9b594eecd16d83eb946b47a9c64c3eb1ab45403320a5445e1f688f6dfd7ea23203ed5ddb16fc5cf64e63bc9005d6cd5b5473

Download Submit
\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
memory/320-718-0x0000000000000000-mapping.dmp

Download
memory/808-700-0x0000000000000000-mapping.dmp

Download
memory/1308-862-0x0000000000000000-mapping.dmp

Download
memory/1612-442-0x0000024268020000-0x00000242682D5000-memory.dmp

Filesize
2.7MB

Download
memory/1612-440-0x0000000000DA0000-0x0000000001044000-memory.dmp

Filesize
2.6MB

Download
memory/1612-414-0x00007FF7AE175FD0-mapping.dmp

Download
memory/2076-469-0x0000000000000000-mapping.dmp

Download
memory/2076-560-0x0000000006900000-0x0000000007455000-memory.dmp

Filesize
11.3MB

Download
memory/2140-548-0x0000000000000000-mapping.dmp

Download
memory/2176-736-0x0000000000000000-mapping.dmp

Download
memory/2432-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-115-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-151-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2432-152-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2432-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-116-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-117-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-118-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-119-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-136-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2432-137-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-134-0x0000000002BA0000-0x0000000002CEA000-memory.dmp

Filesize
1.3MB

Download
memory/2432-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2432-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2940-573-0x0000000000000000-mapping.dmp

Download
memory/3184-646-0x0000000000000000-mapping.dmp

Download
memory/3528-754-0x0000000000000000-mapping.dmp

Download
memory/3596-609-0x0000000000000000-mapping.dmp

Download
memory/3692-664-0x0000000000000000-mapping.dmp

Download
memory/3720-898-0x0000000000000000-mapping.dmp

Download
memory/3760-166-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-188-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-189-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-186-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-195-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/3760-153-0x0000000000000000-mapping.dmp

Download
memory/3760-211-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/3760-185-0x0000000004990000-0x0000000004A80000-memory.dmp

Filesize
960KB

Download
memory/3760-184-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-156-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-183-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-157-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-158-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-159-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-187-0x0000000004A80000-0x0000000004BAE000-memory.dmp

Filesize
1.2MB

Download
memory/3760-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-167-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3760-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/4000-628-0x0000000000000000-mapping.dmp

Download
memory/4276-682-0x0000000000000000-mapping.dmp

Download
memory/4296-772-0x0000000000000000-mapping.dmp

Download
memory/4396-480-0x0000000006430000-0x0000000006F85000-memory.dmp

Filesize
11.3MB

Download
memory/4396-614-0x0000000006430000-0x0000000006F85000-memory.dmp

Filesize
11.3MB

Download
memory/4592-808-0x0000000000000000-mapping.dmp

Download
memory/4640-360-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4640-359-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4640-357-0x00000000047A0000-0x00000000047CA000-memory.dmp

Filesize
168KB

Download
memory/4640-356-0x0000000002BB0000-0x0000000002C5E000-memory.dmp

Filesize
696KB

Download
memory/4640-303-0x0000000000000000-mapping.dmp

Download
memory/4716-363-0x0000000007650000-0x00000000081A5000-memory.dmp

Filesize
11.3MB

Download
memory/4716-302-0x0000000007650000-0x00000000081A5000-memory.dmp

Filesize
11.3MB

Download
memory/4716-201-0x0000000000000000-mapping.dmp

Download
memory/4724-591-0x0000000000000000-mapping.dmp

Download
memory/4808-880-0x0000000000000000-mapping.dmp

Download
memory/4828-844-0x0000000000000000-mapping.dmp

Download
memory/5000-790-0x0000000000000000-mapping.dmp

Download
memory/5064-826-0x0000000000000000-mapping.dmp

Download