lumma | ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f

Analysis

max time kernel
98s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe
Size

207KB
MD5

185054d2e41a2506ea7eac0a9e9772ae
SHA1

a61b4d4239c876690684c52834d3e7b554a69446
SHA256

ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f
SHA512

5e5daf16d28d9b948ea28dc59c72a4bb0f903c962c92a550da2be78216d1ee0e8d33be756e37ba0c5301057992b7e6269af7245a9c6b911afca923dfb5f9b220
SSDEEP

3072:0XwL62HYFexPDA5pjqrDXSDC/B5E9BuKfdnGRbExS8apb:wqHYFeZiaS+5eL/dybZp

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2236-133-0x0000000002C70000-0x0000000002C79000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

114 4936 rundll32.exe
157 4936 rundll32.exe
177 4936 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

5EB.exe5B6F.exe

pid process

2168 5EB.exe
4632 5B6F.exe

flow	pid	process
114	4936	rundll32.exe
157	4936	rundll32.exe
177	4936	rundll32.exe

pid	process
2168	5EB.exe
4632	5B6F.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_pdf\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\acrobat_pdf.dll퀀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_pdf\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4936 rundll32.exe
1888 svchost.exe
3556 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4936	rundll32.exe
1888	svchost.exe
3556	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4936 set thread context of 2892	4936	rundll32.exe	rundll32.exe
PID 4936 set thread context of 1660	4936	rundll32.exe	rundll32.exe
PID 4936 set thread context of 2120	4936	rundll32.exe	rundll32.exe
PID 4936 set thread context of 4556	4936	rundll32.exe	rundll32.exe

Drops file in Program Files directory 19 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobepdf.xdc	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\UnifiedShare.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pages_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_pdf.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

680 2168 WerFault.exe 5EB.exe
3260 4632 WerFault.exe 5B6F.exe

pid	pid_target	process	target process
680	2168	WerFault.exe	5EB.exe
3260	4632	WerFault.exe	5B6F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 57 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f56084f100054656d7000003a0009000400efbe6b558a6c2f560b4f2e00000000000000000000000000000000000000000000000000c4d2af00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2164

pid	process
2164

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe

pid	process
2236	ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe
2236	ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2164
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe

pid process

2236 ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe

pid	process
2164

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeDebugPrivilege	4936	rundll32.exe
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2892	rundll32.exe
2164
2164
2164
2164
2164
2164
2164
2164
4936	rundll32.exe
1660	rundll32.exe
2120	rundll32.exe
4936	rundll32.exe
4556	rundll32.exe
4936	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2164
2164

pid	process
2164
2164

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

5EB.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2164 wrote to memory of 2168	2164		5EB.exe
PID 2164 wrote to memory of 2168	2164		5EB.exe
PID 2164 wrote to memory of 2168	2164		5EB.exe
PID 2168 wrote to memory of 4936	2168	5EB.exe	rundll32.exe
PID 2168 wrote to memory of 4936	2168	5EB.exe	rundll32.exe
PID 2168 wrote to memory of 4936	2168	5EB.exe	rundll32.exe
PID 2164 wrote to memory of 4632	2164		5B6F.exe
PID 2164 wrote to memory of 4632	2164		5B6F.exe
PID 2164 wrote to memory of 4632	2164		5B6F.exe
PID 4936 wrote to memory of 2892	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 2892	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 2892	4936	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 3556	1888	svchost.exe	rundll32.exe
PID 1888 wrote to memory of 3556	1888	svchost.exe	rundll32.exe
PID 1888 wrote to memory of 3556	1888	svchost.exe	rundll32.exe
PID 4936 wrote to memory of 1660	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 1660	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 1660	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 1712	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 1712	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 1712	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4500	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4500	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4500	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 2120	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 2120	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 2120	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 2292	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 2292	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 2292	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4556	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 4556	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 4556	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 1008	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 1008	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 1008	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4660	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4660	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4660	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4716	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4716	4936	rundll32.exe	schtasks.exe
PID 4936 wrote to memory of 4716	4936	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe
"C:\Users\Admin\AppData\Local\Temp\ceedea4df97273dece8e141364b1e405008d36db88de2edae77a9bc8bd06299f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2236

C:\Users\Admin\AppData\Local\Temp\5EB.exe
C:\Users\Admin\AppData\Local\Temp\5EB.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4936

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2892

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1712

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4500

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2120

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2292

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18651
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4556

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4660

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4716

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4864

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4384

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3624

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3352

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4252

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2620

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2400

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4844

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3720

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4632

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5048

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4964

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4380

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4632

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3588

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 528
2⤵
- Program crash
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2168 -ip 2168
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\5B6F.exe
C:\Users\Admin\AppData\Local\Temp\5B6F.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1360
2⤵
- Program crash
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4632 -ip 4632
1⤵
PID:4856

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\acrobat_pdf.dll",W1IJdTVVREk4
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_pdf.dll

Filesize
774KB

MD5
b866f4b28430b88526135b951e77dde9

SHA1
9693d63c45ad061f72f244102b9f95c106eaf58e

SHA256
eba031b73bda96944c1eb2fda4f8b9b6a2ca603bf75c6c61b948303c1f1d2b33

SHA512
39d75a8181b31c320b0a808c992fbe3fbc16ac674d6d9bcc1d51f8358923e0e95670e4ce9bbfad66fff4caca6e54d51e9e6cd8d1e60a6f7f829af9c8762ca5b6

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_pdf.dll

Filesize
774KB

MD5
b866f4b28430b88526135b951e77dde9

SHA1
9693d63c45ad061f72f244102b9f95c106eaf58e

SHA256
eba031b73bda96944c1eb2fda4f8b9b6a2ca603bf75c6c61b948303c1f1d2b33

SHA512
39d75a8181b31c320b0a808c992fbe3fbc16ac674d6d9bcc1d51f8358923e0e95670e4ce9bbfad66fff4caca6e54d51e9e6cd8d1e60a6f7f829af9c8762ca5b6

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32mui.msi.16.en-us.xml

Filesize
16KB

MD5
ada34b241139f06addc86a9e8d1108f0

SHA1
909a92a4e970ae4edcfc365a119d4f4410b0bcf6

SHA256
3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a

SHA512
2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\CiPT0000.000

Filesize
240B

MD5
087460c1587d00683133a105fb3ee045

SHA1
51e4b3d2db6790cb1500925225e7c7a262f7541f

SHA256
576f4cc0e8191dc82294ee47f6627f3f9a77fdb0030c962b9e18683fcc4284c2

SHA512
1978533c01a86cf8e6c61d4481487078b4a2ffa49447d4d56ae7514277cafa6d2de7f8cc4bb8d818b79d1bc72fa0ced49f29f2ebbd5d4365c229f3a1f0c63ef8

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
16KB

MD5
4194b927b32c56bb3a5ed72c164c917e

SHA1
ec60c6bb8b2d0181408c65b3456b7b3b92cca134

SHA256
86d065b6d87309122e9fce9b960f5d56a45dfcdd83122a4225ed9fd3136320d8

SHA512
c94baa6f849bb048e572667e19268754efc58bce6673373db9817c729b36acbfd0bb30975a441f2a5cd16e00be97db412dd82f1669c1701004a1e27307f75c1d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
6KB

MD5
d218cf550fbd777e789242cafb804d10

SHA1
05175dd84f05a7989944e48db6a811c297fa47e3

SHA256
8143763940b906ea93cd7288a08f251203d9f21da5282a6c20201ea7530df8c4

SHA512
9134ace4de9b6bae58b161af4ede7ca9b24bd396c6b1e24ec8301ecb90278bc8b61d7600be7248b2f35acc49b83fcd627045f18c61ee57a2da0e19d61330261d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
839B

MD5
2f6bc19cc3de731b8eaec46910edaf83

SHA1
61fd41f1fd1e4c6d7178a204c8ab68add839a199

SHA256
6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966

SHA512
841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
27KB

MD5
1cef1a17af19cd221b168384320770e5

SHA1
1b694f2e2c2f87becfd9d4d1b271843c928dbfc4

SHA256
cf103015c20fbe6aebd3b83104eb034f2ff6e40187296a5a7e71a9f77013294b

SHA512
61a7f84dc4970a564056407549bc3664bf67d18a93f86a2be73ea39d8fb5d7007bb7531d881e516196c5139c1c5f67d7b602d0b26dfd1f13ebba7e90e3b8c377

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftLync2010.xml

Filesize
3KB

MD5
701beb4f8c252fb3c9f5dbdc94648048

SHA1
556ba20475a502b68b7992454be6c64ab355b4ec

SHA256
620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67

SHA512
28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\OfficeIntegrator.ps1

Filesize
4KB

MD5
552d7c9707f6dedc9b275df20cfda14f

SHA1
6dfa65a6e2ab94e19deb7cac003674cc2bb4bcd7

SHA256
6e28d25e4b520aab2f2fd0983f62bae3cd8730cc07e003c1efd5cf635df474b2

SHA512
2fe977ef79afb53afd1ea5ba06453706c27c61f31125f9f5089eedad7211195bfcd3ea5c97e4a2a25bd82fa512cb16265e4e7c04fa54a06e3af6380e2a68d91c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
58d9796fe8146add28cba6cddf16f155

SHA1
ab22e674d9eae9f07dbef4ca79ff6f4af82d469b

SHA256
b9f5f0278f37f658f34f15a76622a9472148c67bc139d572509e74a529fde380

SHA512
0c02dfd541930e03fc26f5b5f1b32e2c3e227686241ec59d700c6a87b28caeeb6850bd31ce93b3360066f850ec24c6aaa63d33c4c52ab015525cbc0637eda71b

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edb.chk

Filesize
8KB

MD5
23a86b20cf66dfd2d0f47677ed4e4264

SHA1
e305170714392447308c804f73458bb9c069ef5a

SHA256
3185553519527ae7613eb80e9ead2874b0d7cce0bff2a75bdfad945709dd9043

SHA512
933943b152684c5b4aba6d326100fa2d99c56966139ebc4abae690a93bb4dec4fc2229c9f042c979d40d1250006f91424fc9a005659e336df9e9d99a419b8755

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B6F.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B6F.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EB.exe

Filesize
1.0MB

MD5
b9dcb77b91e5c0eb299376f572928c54

SHA1
418cd0e9586e7886df3e6169dfc100957126f23b

SHA256
49e31562b634542cdec295ea8dbcbd8de9457fd8447c9c3bfffb452dabb3ec56

SHA512
a664932f52e0fabbc22b8ca2d610f6202510fabb7cd808a6841c9d39553643a8d55022074288db4885d2ece095ddf7356951bc44e928b2b4cb44241f81f03a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EB.exe

Filesize
1.0MB

MD5
b9dcb77b91e5c0eb299376f572928c54

SHA1
418cd0e9586e7886df3e6169dfc100957126f23b

SHA256
49e31562b634542cdec295ea8dbcbd8de9457fd8447c9c3bfffb452dabb3ec56

SHA512
a664932f52e0fabbc22b8ca2d610f6202510fabb7cd808a6841c9d39553643a8d55022074288db4885d2ece095ddf7356951bc44e928b2b4cb44241f81f03a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\acrobat_pdf.dll

Filesize
774KB

MD5
b866f4b28430b88526135b951e77dde9

SHA1
9693d63c45ad061f72f244102b9f95c106eaf58e

SHA256
eba031b73bda96944c1eb2fda4f8b9b6a2ca603bf75c6c61b948303c1f1d2b33

SHA512
39d75a8181b31c320b0a808c992fbe3fbc16ac674d6d9bcc1d51f8358923e0e95670e4ce9bbfad66fff4caca6e54d51e9e6cd8d1e60a6f7f829af9c8762ca5b6

Download Submit
memory/1008-217-0x0000000000000000-mapping.dmp

Download
memory/1660-192-0x00007FF7D66F6890-mapping.dmp

Download
memory/1660-194-0x000001EEE1380000-0x000001EEE14C0000-memory.dmp

Filesize
1.2MB

Download
memory/1660-195-0x000001EEE1510000-0x000001EEE17C5000-memory.dmp

Filesize
2.7MB

Download
memory/1660-193-0x000001EEE1380000-0x000001EEE14C0000-memory.dmp

Filesize
1.2MB

Download
memory/1660-196-0x000001EEE1510000-0x000001EEE17C5000-memory.dmp

Filesize
2.7MB

Download
memory/1712-189-0x0000000000000000-mapping.dmp

Download
memory/1888-181-0x0000000004110000-0x0000000004C65000-memory.dmp

Filesize
11.3MB

Download
memory/1888-170-0x0000000004110000-0x0000000004C65000-memory.dmp

Filesize
11.3MB

Download
memory/1888-205-0x0000000004110000-0x0000000004C65000-memory.dmp

Filesize
11.3MB

Download
memory/2120-203-0x00000258B04E0000-0x00000258B0620000-memory.dmp

Filesize
1.2MB

Download
memory/2120-202-0x00007FF7D66F6890-mapping.dmp

Download
memory/2120-206-0x00000258AEC10000-0x00000258AEEC5000-memory.dmp

Filesize
2.7MB

Download
memory/2120-207-0x00000258AEC10000-0x00000258AEEC5000-memory.dmp

Filesize
2.7MB

Download
memory/2120-204-0x00000258B04E0000-0x00000258B0620000-memory.dmp

Filesize
1.2MB

Download
memory/2168-136-0x0000000000000000-mapping.dmp

Download
memory/2168-144-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/2168-140-0x00000000048EE000-0x00000000049D7000-memory.dmp

Filesize
932KB

Download
memory/2168-141-0x00000000049E0000-0x0000000004B0E000-memory.dmp

Filesize
1.2MB

Download
memory/2236-133-0x0000000002C70000-0x0000000002C79000-memory.dmp

Filesize
36KB

Download
memory/2236-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2236-132-0x0000000002CA8000-0x0000000002CB9000-memory.dmp

Filesize
68KB

Download
memory/2236-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2292-208-0x0000000000000000-mapping.dmp

Download
memory/2400-229-0x0000000000000000-mapping.dmp

Download
memory/2620-228-0x0000000000000000-mapping.dmp

Download
memory/2892-166-0x0000015E713E0000-0x0000015E71695000-memory.dmp

Filesize
2.7MB

Download
memory/2892-165-0x0000000000FC0000-0x0000000001264000-memory.dmp

Filesize
2.6MB

Download
memory/2892-164-0x0000015E71260000-0x0000015E713A0000-memory.dmp

Filesize
1.2MB

Download
memory/2892-186-0x0000015E713E0000-0x0000015E71695000-memory.dmp

Filesize
2.7MB

Download
memory/2892-163-0x0000015E71260000-0x0000015E713A0000-memory.dmp

Filesize
1.2MB

Download
memory/2892-162-0x00007FF7D66F6890-mapping.dmp

Download
memory/3040-227-0x0000000000000000-mapping.dmp

Download
memory/3352-224-0x0000000000000000-mapping.dmp

Download
memory/3556-180-0x0000000000000000-mapping.dmp

Download
memory/3556-183-0x00000000053D0000-0x0000000005F25000-memory.dmp

Filesize
11.3MB

Download
memory/3556-184-0x00000000053D0000-0x0000000005F25000-memory.dmp

Filesize
11.3MB

Download
memory/3556-185-0x00000000053D0000-0x0000000005F25000-memory.dmp

Filesize
11.3MB

Download
memory/3588-237-0x0000000000000000-mapping.dmp

Download
memory/3624-222-0x0000000000000000-mapping.dmp

Download
memory/3720-231-0x0000000000000000-mapping.dmp

Download
memory/3832-239-0x0000000000000000-mapping.dmp

Download
memory/3920-238-0x0000000000000000-mapping.dmp

Download
memory/4252-225-0x0000000000000000-mapping.dmp

Download
memory/4380-235-0x0000000000000000-mapping.dmp

Download
memory/4384-221-0x0000000000000000-mapping.dmp

Download
memory/4500-197-0x0000000000000000-mapping.dmp

Download
memory/4556-214-0x000001BEF4710000-0x000001BEF4850000-memory.dmp

Filesize
1.2MB

Download
memory/4556-213-0x00007FF7D66F6890-mapping.dmp

Download
memory/4556-216-0x000001BEF2E40000-0x000001BEF30F5000-memory.dmp

Filesize
2.7MB

Download
memory/4556-215-0x000001BEF4710000-0x000001BEF4850000-memory.dmp

Filesize
1.2MB

Download
memory/4632-236-0x0000000000000000-mapping.dmp

Download
memory/4632-147-0x0000000000000000-mapping.dmp

Download
memory/4632-232-0x0000000000000000-mapping.dmp

Download
memory/4632-150-0x0000000002EB9000-0x0000000002ED3000-memory.dmp

Filesize
104KB

Download
memory/4632-151-0x0000000002CF0000-0x0000000002D1A000-memory.dmp

Filesize
168KB

Download
memory/4632-152-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4632-156-0x0000000002EB9000-0x0000000002ED3000-memory.dmp

Filesize
104KB

Download
memory/4632-159-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4660-218-0x0000000000000000-mapping.dmp

Download
memory/4716-219-0x0000000000000000-mapping.dmp

Download
memory/4808-226-0x0000000000000000-mapping.dmp

Download
memory/4844-230-0x0000000000000000-mapping.dmp

Download
memory/4864-220-0x0000000000000000-mapping.dmp

Download
memory/4936-200-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-190-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-158-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-161-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-212-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-209-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-157-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-187-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-139-0x0000000000000000-mapping.dmp

Download
memory/4936-155-0x0000000005900000-0x0000000006455000-memory.dmp

Filesize
11.3MB

Download
memory/4936-154-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-210-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-153-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-160-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-191-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-211-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-188-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-201-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-145-0x0000000005900000-0x0000000006455000-memory.dmp

Filesize
11.3MB

Download
memory/4936-146-0x0000000005900000-0x0000000006455000-memory.dmp

Filesize
11.3MB

Download
memory/4936-198-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-199-0x0000000004F80000-0x00000000050C0000-memory.dmp

Filesize
1.2MB

Download
memory/4944-223-0x0000000000000000-mapping.dmp

Download
memory/4964-234-0x0000000000000000-mapping.dmp

Download
memory/5048-233-0x0000000000000000-mapping.dmp

Download