lumma | 2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf

Analysis

max time kernel
113s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe
Size

206KB
MD5

f99b864047ef9e3816b7efeb78657f23
SHA1

50b8f2cdce7234b51422711a3252aec18c216072
SHA256

2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf
SHA512

e2cba7bc4d7424d4018d3fd6917e57f6902f12f45cd502533d2e2c737d83e7c8b6dd6c3fe17fe7e9d0308f90291bdd1bca87cf7d659093caf15e31074ca4ce13
SSDEEP

3072:MXtv5ilI+4YTVO5PHA8sBQEjmWgO7ksVmTGWRx76q0+apb:ImlI+4+YA89cmXdaQnWdbp

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4912-133-0x0000000002D30000-0x0000000002D39000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

24 2132 rundll32.exe
40 2132 rundll32.exe
44 2132 rundll32.exe
45 2132 rundll32.exe
53 2132 rundll32.exe
55 2132 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

CE90.exeCFF3.exe

pid process

4524 CE90.exe
4176 CFF3.exe

flow	pid	process
24	2132	rundll32.exe
40	2132	rundll32.exe
44	2132	rundll32.exe
45	2132	rundll32.exe
53	2132	rundll32.exe
55	2132	rundll32.exe

pid	process
4524	CE90.exe
4176	CFF3.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\base_uri\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\base_uri.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\base_uri\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2132 rundll32.exe
404 svchost.exe
3432 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2132	rundll32.exe
404	svchost.exe
3432	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2132 set thread context of 1576	2132	rundll32.exe	rundll32.exe
PID 2132 set thread context of 3592	2132	rundll32.exe	rundll32.exe
PID 2132 set thread context of 1300	2132	rundll32.exe	rundll32.exe
PID 2132 set thread context of 496	2132	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rename.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\base_uri.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Protect_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Stamp.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2004 4524 WerFault.exe CE90.exe
1372 4176 WerFault.exe CFF3.exe

pid	pid_target	process	target process
2004	4524	WerFault.exe	CE90.exe
1372	4176	WerFault.exe	CFF3.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 48 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f566a30100054656d7000003a0009000400efbe6b557d6c2f566e302e00000000000000000000000000000000000000000000000000cd45b500540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1032

pid	process
1032

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe

pid	process
4912	2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe
4912	2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe

pid process

4912 2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe

pid	process
1032

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeDebugPrivilege	2132	rundll32.exe
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

1576 rundll32.exe
1032
1032
1032
1032
1032
1032
1032
1032
2132 rundll32.exe
3592 rundll32.exe
2132 rundll32.exe
1300 rundll32.exe
496 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1032
1032

pid	process
1576	rundll32.exe
1032
1032
1032
1032
1032
1032
1032
1032
2132	rundll32.exe
3592	rundll32.exe
2132	rundll32.exe
1300	rundll32.exe
496	rundll32.exe

pid	process
1032
1032

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

CE90.exesvchost.exerundll32.exe

description	pid	process	target process
PID 1032 wrote to memory of 4524	1032		CE90.exe
PID 1032 wrote to memory of 4524	1032		CE90.exe
PID 1032 wrote to memory of 4524	1032		CE90.exe
PID 4524 wrote to memory of 2132	4524	CE90.exe	rundll32.exe
PID 4524 wrote to memory of 2132	4524	CE90.exe	rundll32.exe
PID 4524 wrote to memory of 2132	4524	CE90.exe	rundll32.exe
PID 404 wrote to memory of 3432	404	svchost.exe	rundll32.exe
PID 404 wrote to memory of 3432	404	svchost.exe	rundll32.exe
PID 404 wrote to memory of 3432	404	svchost.exe	rundll32.exe
PID 2132 wrote to memory of 1576	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 1576	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 1576	2132	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 4176	1032		CFF3.exe
PID 1032 wrote to memory of 4176	1032		CFF3.exe
PID 1032 wrote to memory of 4176	1032		CFF3.exe
PID 2132 wrote to memory of 4668	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 4668	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 4668	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 3592	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 3592	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 3592	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 4088	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 4088	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 4088	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 3864	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 3864	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 3864	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 1300	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 1300	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 1300	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 1620	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 1620	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 1620	2132	rundll32.exe	schtasks.exe
PID 2132 wrote to memory of 496	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 496	2132	rundll32.exe	rundll32.exe
PID 2132 wrote to memory of 496	2132	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe
"C:\Users\Admin\AppData\Local\Temp\2b1d7c8979ca308ef002ff5162c97f68303deff25143adf26484ac75a4273cdf.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4912

C:\Users\Admin\AppData\Local\Temp\CE90.exe
C:\Users\Admin\AppData\Local\Temp\CE90.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2132

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1576

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4668

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3592

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4088

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3864

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1620

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
- Suspicious use of FindShellTrayWindow
PID:496

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2180

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3168

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:3476

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4508

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4960

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:1940

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1212

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1428

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:776

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:3584

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4220

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:4264

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4796

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1616

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 544
2⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4524 -ip 4524
1⤵
PID:2408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\base_uri.dll",h0BHTXdEVQ==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3432

C:\Users\Admin\AppData\Local\Temp\CFF3.exe
C:\Users\Admin\AppData\Local\Temp\CFF3.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1356
2⤵
- Program crash
PID:1372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4176 -ip 4176
1⤵
PID:4776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\base_uri.dll
Filesize
774KB

MD5
f4c39324a002a383c6d5ed28f5ef503a

SHA1
dbfe26c6e195ea5d40ae3a074fcd3ebfbdad2f9d

SHA256
e2a353bb0b1cd132beaec41592f98034cd46d9fb141df75fbf07a8dad76c4b6b

SHA512
c3bc072d00bc243c6d678250d4cb5e02848111be508528da48a90ba54d18aded4de16d013cf79c86adf4cd16868226da2ce03d9eb993c4496df0c5c28a5ccd6d

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\base_uri.dll
Filesize
774KB

MD5
f4c39324a002a383c6d5ed28f5ef503a

SHA1
dbfe26c6e195ea5d40ae3a074fcd3ebfbdad2f9d

SHA256
e2a353bb0b1cd132beaec41592f98034cd46d9fb141df75fbf07a8dad76c4b6b

SHA512
c3bc072d00bc243c6d678250d4cb5e02848111be508528da48a90ba54d18aded4de16d013cf79c86adf4cd16868226da2ce03d9eb993c4496df0c5c28a5ccd6d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.CredDialogHost_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
1KB

MD5
8c59faf203fc8a2a460920be06eb2b4e

SHA1
833cf94c8a893ed6199812f4ca6f177af7dc43c1

SHA256
b7e5f69aa3d04494c0a0d3a09b70d48b38b5264f74c04a49e5886bb6cc78889a

SHA512
5fa0271ecb6995cac9c003e6d3313c6fa5f89a360711ff4b80292379f58c33d8802413c8c63d1312913934a7144f0a2cfffddeab05d69afd4a1d810c5003bc5f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
843B

MD5
8a33c96712ba9c043f7a07d4c437a3fd

SHA1
dbd78a66c461017ee26a751925f9cecdea2590da

SHA256
eb8b0de59dd2efc380f7081af8975f37a83ee72c9c06ef25873f63d224adea1e

SHA512
7b9a15d219e4a5cd9146f8e7ae1d7c3b6f843ed060edf52e4928e349edd821a2d527f8f8402f774559f6cf282c83b751f02d2feaf9e040771c07bc4038a59e5a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SmsInterceptStore.jfm
Filesize
16KB

MD5
0a3b9b8fb940095debcf0e31f234d539

SHA1
8833b5658e50e6c88ac9b0dc03f203299a1cfd26

SHA256
0f491d164d156d9e40f8ebb625c27fdcf739b44c22b3bfba49b77ae6c70ff271

SHA512
6f62d6891211181cf0140895b1b4947b2afe8bb302251c374f58984a001e1573c735b382119de27660e8acdf439336d06260faaf8aa3b0cd150452b9701ef8e1

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
4827c39224064e063c03549ba6980bed

SHA1
a3dd8121c5c38e2f9b5d7fcfe1f9f21815a23e70

SHA256
0152125cb444c2ebd0757cc83c1530d28916a11e89faa86137d0cecbebad0278

SHA512
94094cfa883ba3d50092115ea4be254e1c3f06cfd2457cde402d71eae2b051d69fc520c18ff8402c278f43dc916d84484cf3da2a325054b4091dfd6fd7152971

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
4827c39224064e063c03549ba6980bed

SHA1
a3dd8121c5c38e2f9b5d7fcfe1f9f21815a23e70

SHA256
0152125cb444c2ebd0757cc83c1530d28916a11e89faa86137d0cecbebad0278

SHA512
94094cfa883ba3d50092115ea4be254e1c3f06cfd2457cde402d71eae2b051d69fc520c18ff8402c278f43dc916d84484cf3da2a325054b4091dfd6fd7152971

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\device.png
Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml
Filesize
1KB

MD5
8a660378169f2615d70683a49d6540c9

SHA1
4e78f156eb4b8766568071e81b793f05b9ea7658

SHA256
f288b4ffdb060471a51dcea18c8e104c62cfcd8c37d7a41ee343145b4953cf46

SHA512
754bc1a9c90e4c4ea6cf1881d26c1afbb049870f41ff71c7c943726a1706f6b0b44a2f32742065f9d5eacc54d21cb54b76f5f17315af04614612f9cc58e46648

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE90.exe
Filesize
1.0MB

MD5
cdaa1a093ef0360df6c70af0baeeefbd

SHA1
b4417c52eaeccd47805d2d36c4ac6ed91d5fd582

SHA256
d31d4c78c9d18ec58bff005ffb8dc8314369116628168fe886c9568ec1e2086e

SHA512
0c9e82bdec30dc0a0e043e8109d715ee095335ade3a0a83011a430c50be0363780f3bc6feefbf71532655b1d550e4ecd7e7d5d68d5d3e77f232baaec6dabc5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE90.exe
Filesize
1.0MB

MD5
cdaa1a093ef0360df6c70af0baeeefbd

SHA1
b4417c52eaeccd47805d2d36c4ac6ed91d5fd582

SHA256
d31d4c78c9d18ec58bff005ffb8dc8314369116628168fe886c9568ec1e2086e

SHA512
0c9e82bdec30dc0a0e043e8109d715ee095335ade3a0a83011a430c50be0363780f3bc6feefbf71532655b1d550e4ecd7e7d5d68d5d3e77f232baaec6dabc5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF3.exe
Filesize
245KB

MD5
f39ffa9812c55774a4dd1451b23fa2d4

SHA1
f9f60ac20bfe819d2a012d0fb19e88ea4e4a348d

SHA256
758601b7d2c4c1c3ba050f4c9b0fd65f31f8d411965e2529ee22af93623f4148

SHA512
d35209af1f3ed8f0249bc14f70b9c6e95e88abc5c7d10d9e906761a09b98731c1279f87bae9699158e65e07e55e7f6a9d71be0dc9c4a6f07c529d2a668266b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF3.exe
Filesize
245KB

MD5
f39ffa9812c55774a4dd1451b23fa2d4

SHA1
f9f60ac20bfe819d2a012d0fb19e88ea4e4a348d

SHA256
758601b7d2c4c1c3ba050f4c9b0fd65f31f8d411965e2529ee22af93623f4148

SHA512
d35209af1f3ed8f0249bc14f70b9c6e95e88abc5c7d10d9e906761a09b98731c1279f87bae9699158e65e07e55e7f6a9d71be0dc9c4a6f07c529d2a668266b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\base_uri.dll
Filesize
774KB

MD5
f4c39324a002a383c6d5ed28f5ef503a

SHA1
dbfe26c6e195ea5d40ae3a074fcd3ebfbdad2f9d

SHA256
e2a353bb0b1cd132beaec41592f98034cd46d9fb141df75fbf07a8dad76c4b6b

SHA512
c3bc072d00bc243c6d678250d4cb5e02848111be508528da48a90ba54d18aded4de16d013cf79c86adf4cd16868226da2ce03d9eb993c4496df0c5c28a5ccd6d

Download Submit
memory/404-155-0x0000000004330000-0x0000000004E85000-memory.dmp

Filesize
11.3MB

Download
memory/404-154-0x0000000004330000-0x0000000004E85000-memory.dmp

Filesize
11.3MB

Download
memory/404-196-0x0000000004330000-0x0000000004E85000-memory.dmp

Filesize
11.3MB

Download
memory/496-219-0x0000022C83270000-0x0000022C833B0000-memory.dmp

Filesize
1.2MB

Download
memory/496-217-0x00007FF695B96890-mapping.dmp

Download
memory/496-218-0x0000022C83270000-0x0000022C833B0000-memory.dmp

Filesize
1.2MB

Download
memory/496-222-0x0000022C81810000-0x0000022C81AC5000-memory.dmp

Filesize
2.7MB

Download
memory/496-220-0x0000022C81810000-0x0000022C81AC5000-memory.dmp

Filesize
2.7MB

Download
memory/776-265-0x0000000000000000-mapping.dmp

Download
memory/1212-254-0x0000000000000000-mapping.dmp

Download
memory/1300-205-0x00007FF695B96890-mapping.dmp

Download
memory/1300-208-0x000002290B1F0000-0x000002290B330000-memory.dmp

Filesize
1.2MB

Download
memory/1300-206-0x000002290B1F0000-0x000002290B330000-memory.dmp

Filesize
1.2MB

Download
memory/1300-212-0x0000022909790000-0x0000022909A45000-memory.dmp

Filesize
2.7MB

Download
memory/1300-210-0x0000022909790000-0x0000022909A45000-memory.dmp

Filesize
2.7MB

Download
memory/1576-179-0x0000000000990000-0x0000000000C34000-memory.dmp

Filesize
2.6MB

Download
memory/1576-180-0x000001B17AD30000-0x000001B17AFE5000-memory.dmp

Filesize
2.7MB

Download
memory/1576-172-0x00007FF695B96890-mapping.dmp

Download
memory/1576-176-0x000001B17C790000-0x000001B17C8D0000-memory.dmp

Filesize
1.2MB

Download
memory/1576-174-0x000001B17C790000-0x000001B17C8D0000-memory.dmp

Filesize
1.2MB

Download
memory/1576-182-0x000001B17AD30000-0x000001B17AFE5000-memory.dmp

Filesize
2.7MB

Download
memory/1616-286-0x0000000000000000-mapping.dmp

Download
memory/1620-211-0x0000000000000000-mapping.dmp

Download
memory/1664-260-0x00007FF695B96890-mapping.dmp

Download
memory/1664-261-0x00000228D93C0000-0x00000228D9500000-memory.dmp

Filesize
1.2MB

Download
memory/1664-262-0x00000228D93C0000-0x00000228D9500000-memory.dmp

Filesize
1.2MB

Download
memory/1664-263-0x00000228D7960000-0x00000228D7C15000-memory.dmp

Filesize
2.7MB

Download
memory/1664-264-0x00000228D7960000-0x00000228D7C15000-memory.dmp

Filesize
2.7MB

Download
memory/1940-250-0x00007FF695B96890-mapping.dmp

Download
memory/1940-251-0x000001DC6F6E0000-0x000001DC6F820000-memory.dmp

Filesize
1.2MB

Download
memory/1940-252-0x000001DC6F6E0000-0x000001DC6F820000-memory.dmp

Filesize
1.2MB

Download
memory/1940-253-0x000001DC6DC80000-0x000001DC6DF35000-memory.dmp

Filesize
2.7MB

Download
memory/1940-255-0x000001DC6DC80000-0x000001DC6DF35000-memory.dmp

Filesize
2.7MB

Download
memory/2132-170-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-236-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-183-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-184-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-185-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-295-0x0000000004858000-0x000000000485A000-memory.dmp

Filesize
8KB

Download
memory/2132-186-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-294-0x0000000004858000-0x000000000485A000-memory.dmp

Filesize
8KB

Download
memory/2132-279-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-278-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-277-0x00000000070F0000-0x0000000007230000-memory.dmp

Filesize
1.2MB

Download
memory/2132-191-0x0000000004887000-0x0000000004889000-memory.dmp

Filesize
8KB

Download
memory/2132-276-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-269-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-268-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-173-0x0000000004851000-0x0000000004853000-memory.dmp

Filesize
8KB

Download
memory/2132-267-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-266-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-140-0x0000000000000000-mapping.dmp

Download
memory/2132-200-0x0000000004851000-0x0000000004853000-memory.dmp

Filesize
8KB

Download
memory/2132-201-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-202-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-203-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-204-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-178-0x0000000004887000-0x0000000004889000-memory.dmp

Filesize
8KB

Download
memory/2132-259-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-207-0x0000000004887000-0x0000000004889000-memory.dmp

Filesize
8KB

Download
memory/2132-258-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-209-0x0000000004887000-0x0000000004889000-memory.dmp

Filesize
8KB

Download
memory/2132-169-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-168-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-257-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-213-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-214-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-215-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-216-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-166-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-256-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-146-0x0000000005150000-0x0000000005CA5000-memory.dmp

Filesize
11.3MB

Download
memory/2132-147-0x0000000005150000-0x0000000005CA5000-memory.dmp

Filesize
11.3MB

Download
memory/2132-221-0x0000000004887000-0x0000000004889000-memory.dmp

Filesize
8KB

Download
memory/2132-150-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-148-0x0000000005150000-0x0000000005CA5000-memory.dmp

Filesize
11.3MB

Download
memory/2132-224-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-225-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-226-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-227-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-149-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-249-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-248-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-247-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-246-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-233-0x0000000004887000-0x0000000004889000-memory.dmp

Filesize
8KB

Download
memory/2132-238-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-235-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2132-237-0x00000000047E0000-0x0000000004920000-memory.dmp

Filesize
1.2MB

Download
memory/2180-223-0x0000000000000000-mapping.dmp

Download
memory/3168-232-0x0000000000000000-mapping.dmp

Download
memory/3432-167-0x0000000004810000-0x0000000005365000-memory.dmp

Filesize
11.3MB

Download
memory/3432-165-0x0000000004810000-0x0000000005365000-memory.dmp

Filesize
11.3MB

Download
memory/3432-164-0x0000000004810000-0x0000000005365000-memory.dmp

Filesize
11.3MB

Download
memory/3432-162-0x0000000000000000-mapping.dmp

Download
memory/3476-239-0x00007FF695B96890-mapping.dmp

Download
memory/3476-240-0x0000019B43470000-0x0000019B435B0000-memory.dmp

Filesize
1.2MB

Download
memory/3476-241-0x0000019B43470000-0x0000019B435B0000-memory.dmp

Filesize
1.2MB

Download
memory/3476-242-0x0000019B419F0000-0x0000019B41CA5000-memory.dmp

Filesize
2.7MB

Download
memory/3476-245-0x0000019B419F0000-0x0000019B41CA5000-memory.dmp

Filesize
2.7MB

Download
memory/3584-275-0x000002CE9EDA0000-0x000002CE9F055000-memory.dmp

Filesize
2.7MB

Download
memory/3584-272-0x000002CEA0670000-0x000002CEA07B0000-memory.dmp

Filesize
1.2MB

Download
memory/3584-271-0x000002CEA0670000-0x000002CEA07B0000-memory.dmp

Filesize
1.2MB

Download
memory/3584-270-0x00007FF695B96890-mapping.dmp

Download
memory/3584-273-0x000002CE9EDA0000-0x000002CE9F055000-memory.dmp

Filesize
2.7MB

Download
memory/3592-188-0x0000016EAD1E0000-0x0000016EAD320000-memory.dmp

Filesize
1.2MB

Download
memory/3592-187-0x00007FF695B96890-mapping.dmp

Download
memory/3592-195-0x0000016EAB780000-0x0000016EABA35000-memory.dmp

Filesize
2.7MB

Download
memory/3592-197-0x0000016EAB780000-0x0000016EABA35000-memory.dmp

Filesize
2.7MB

Download
memory/3592-189-0x0000016EAD1E0000-0x0000016EAD320000-memory.dmp

Filesize
1.2MB

Download
memory/3864-198-0x0000000000000000-mapping.dmp

Download
memory/4088-190-0x0000000000000000-mapping.dmp

Download
memory/4176-199-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4176-192-0x0000000002C69000-0x0000000002C83000-memory.dmp

Filesize
104KB

Download
memory/4176-193-0x0000000002C20000-0x0000000002C4A000-memory.dmp

Filesize
168KB

Download
memory/4176-171-0x0000000000000000-mapping.dmp

Download
memory/4176-194-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4220-274-0x0000000000000000-mapping.dmp

Download
memory/4264-285-0x00000263B51F0000-0x00000263B54A5000-memory.dmp

Filesize
2.7MB

Download
memory/4264-280-0x00007FF695B96890-mapping.dmp

Download
memory/4264-282-0x00000263B51F0000-0x00000263B54A5000-memory.dmp

Filesize
2.7MB

Download
memory/4264-281-0x00000263B6C50000-0x00000263B6D90000-memory.dmp

Filesize
1.2MB

Download
memory/4392-296-0x000001A556510000-0x000001A5567C5000-memory.dmp

Filesize
2.7MB

Download
memory/4392-291-0x00007FF695B96890-mapping.dmp

Download
memory/4508-243-0x0000000000000000-mapping.dmp

Download
memory/4524-229-0x00000177ED160000-0x00000177ED2A0000-memory.dmp

Filesize
1.2MB

Download
memory/4524-228-0x00007FF695B96890-mapping.dmp

Download
memory/4524-234-0x00000177ED2B0000-0x00000177ED565000-memory.dmp

Filesize
2.7MB

Download
memory/4524-231-0x00000177ED2B0000-0x00000177ED565000-memory.dmp

Filesize
2.7MB

Download
memory/4524-137-0x0000000000000000-mapping.dmp

Download
memory/4524-143-0x00000000047D1000-0x00000000048BA000-memory.dmp

Filesize
932KB

Download
memory/4524-230-0x00000177ED160000-0x00000177ED2A0000-memory.dmp

Filesize
1.2MB

Download
memory/4524-144-0x00000000049D0000-0x0000000004AFE000-memory.dmp

Filesize
1.2MB

Download
memory/4524-145-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/4668-181-0x0000000000000000-mapping.dmp

Download
memory/4796-284-0x0000000000000000-mapping.dmp

Download
memory/4912-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/4912-132-0x0000000002D78000-0x0000000002D89000-memory.dmp

Filesize
68KB

Download
memory/4912-133-0x0000000002D30000-0x0000000002D39000-memory.dmp

Filesize
36KB

Download
memory/4912-136-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/4912-135-0x0000000002D78000-0x0000000002D89000-memory.dmp

Filesize
68KB

Download
memory/4960-244-0x0000000000000000-mapping.dmp

Download