lumma | 2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8

Analysis

max time kernel
150s
max time network
112s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2023 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
Size

210KB
MD5

8271c0bd21442cc8c0fee75db44aab0c
SHA1

3c2ea01367688b8d989ee9b7e0bea966b329f050
SHA256

2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8
SHA512

6d37f495560cc4a7c1307f07949e69dbb5787d6ce4d316ba99fc4917018582bf260d29e64c4c62bbcfcac7210a072fb369d13d7427513094239c1caf36aeb6d0
SSDEEP

3072:EXDtnfcd6ys5EC7HHpCu8NgTD19l1jZLqi:AZY8r8o

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2692-147-0x0000000002BF0000-0x0000000002BF9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

21 3468 rundll32.exe
25 3468 rundll32.exe
28 3468 rundll32.exe
29 3468 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

D99C.exeADE.exe5e7a7179.exe5e7a7179.exeueujbhb

pid process

3416 D99C.exe
4100 ADE.exe
5080 5e7a7179.exe
1016 5e7a7179.exe
3300 ueujbhb

flow	pid	process
21	3468	rundll32.exe
25	3468	rundll32.exe
28	3468	rundll32.exe
29	3468	rundll32.exe

pid	process
3416	D99C.exe
4100	ADE.exe
5080	5e7a7179.exe
1016	5e7a7179.exe
3300	ueujbhb

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WCChromeNativeMessagingHost\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WCChromeNativeMessagingHost.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WCChromeNativeMessagingHost\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WCChromeNativeMessagingHost\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"	rundll32.exe

Deletes itself 1 IoCs

Processes:

pid process

2328
Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3468 rundll32.exe
1068 svchost.exe
4972 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2328

pid	process
3468	rundll32.exe
1068	svchost.exe
4972	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3468 set thread context of 4928 3468 rundll32.exe rundll32.exe

description	pid	process	target process
PID 3468 set thread context of 4928	3468	rundll32.exe	rundll32.exe

Drops file in Program Files directory 16 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pages_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WCChromeNativeMessagingHost.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-focus.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exeueujbhb

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ueujbhb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ueujbhb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ueujbhb

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 36 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f56dc9c100054656d7000003a0009000400efbe0c554b882f56dc9c2e00000000000000000000000000000000000000000000000000e83b4800540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2328

pid	process
2328

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe

pid	process
2692	2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
2692	2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2328
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exeueujbhb

pid process

2692 2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
3300 ueujbhb

pid	process
2328

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

rundll32.exe5e7a7179.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3468	rundll32.exe
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeAssignPrimaryTokenPrivilege	3468	rundll32.exe
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeDebugPrivilege	5080	5e7a7179.exe
Token: SeAssignPrimaryTokenPrivilege	1068	svchost.exe
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

rundll32.exerundll32.exe5e7a7179.exe

pid process

4928 rundll32.exe
2328
2328
2328
2328
3468 rundll32.exe
2328
2328
2328
2328
3468 rundll32.exe
5080 5e7a7179.exe
3468 rundll32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

5e7a7179.exe

pid process

5080 5e7a7179.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2328
2328

pid	process
4928	rundll32.exe
2328
2328
2328
2328
3468	rundll32.exe
2328
2328
2328
2328
3468	rundll32.exe
5080	5e7a7179.exe
3468	rundll32.exe

pid	process
5080	5e7a7179.exe

pid	process
2328
2328

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

D99C.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2328 wrote to memory of 3416	2328		D99C.exe
PID 2328 wrote to memory of 3416	2328		D99C.exe
PID 2328 wrote to memory of 3416	2328		D99C.exe
PID 3416 wrote to memory of 3468	3416	D99C.exe	rundll32.exe
PID 3416 wrote to memory of 3468	3416	D99C.exe	rundll32.exe
PID 3416 wrote to memory of 3468	3416	D99C.exe	rundll32.exe
PID 2328 wrote to memory of 4100	2328		ADE.exe
PID 2328 wrote to memory of 4100	2328		ADE.exe
PID 2328 wrote to memory of 4100	2328		ADE.exe
PID 3468 wrote to memory of 4928	3468	rundll32.exe	rundll32.exe
PID 3468 wrote to memory of 4928	3468	rundll32.exe	rundll32.exe
PID 3468 wrote to memory of 4928	3468	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 4972	1068	svchost.exe	rundll32.exe
PID 1068 wrote to memory of 4972	1068	svchost.exe	rundll32.exe
PID 1068 wrote to memory of 4972	1068	svchost.exe	rundll32.exe
PID 3468 wrote to memory of 4720	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 4720	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 4720	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 1300	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 1300	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 1300	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 4820	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 4820	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 4820	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 3352	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 3352	3468	rundll32.exe	schtasks.exe
PID 3468 wrote to memory of 3352	3468	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe
"C:\Users\Admin\AppData\Local\Temp\2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2692

C:\Users\Admin\AppData\Local\Temp\D99C.exe
C:\Users\Admin\AppData\Local\Temp\D99C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3468

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18633
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4928

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4720

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe
C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4820

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\ADE.exe
C:\Users\Admin\AppData\Local\Temp\ADE.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\wcchromenativemessaginghost.dll",fyFec1M0TVpR
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4972

C:\Windows\TEMP\5e7a7179.exe
C:\Windows\TEMP\5e7a7179.exe
2⤵
- Executes dropped EXE
PID:1016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1816

C:\Users\Admin\AppData\Roaming\ueujbhb
C:\Users\Admin\AppData\Roaming\ueujbhb
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\152__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml

Filesize
728B

MD5
33e7e4daac7410f6d59929a13f14c1dc

SHA1
dc36702d783b61a699e4cf9014fc0ac1efa916cd

SHA256
af107025dfb23e62ed05b3db631020ab26f6512a65c877675305c7ef902df686

SHA512
b75a111da60aebef4148ee8b825a3b957b891872a1067814a0ab8b3fefbcd3c3ca157e4b082676fd14375b8601f5ff60ecf939ca33c392f4dd263819fe007eb4

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml

Filesize
719B

MD5
4c387be25b6b7e96062f8c8aa50d187c

SHA1
862eb3032e34d5c89cc7b23bab962e8a1e85221f

SHA256
ff64f361e99a00311898f61dab4579f6bf9ee4cac1207f124e0d419c07f432d5

SHA512
489ad3b5a40515d9d8617e05c39a87063eb1a765bd822c79cf9a56c28e6807560a145831273a435047d3efed0b2c179d7363fc1afd12ebf1d6728590e266fc9d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\RunTime.xml

Filesize
251B

MD5
585e0da2ec87617422335cce20b25a3c

SHA1
1532c38218dbea8af9c2dde70c2f9dd1f51e96d2

SHA256
4fedaaf9a06af2a055bb68ccc3d81a6ba0de24c0d6a302ca713b4571d17eb5e6

SHA512
dcbc187fb097b74b3ccfefa7cfd8ce270bdfdfff94e86108799a329a82a015ce5711eb3f80b5880b32f680ac83c017e8503bee673d90ea52fbd74c3bff8fddc5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
fe7bcd9e388d0a3eae0972d931902d1c

SHA1
fc851218907e9c11a3a3f219e740a67f6213a8f7

SHA256
08ebaccfe1bcab74b9c74e2459caf06cb9235d6a2ab6130b8fc7e664e16bd2d9

SHA512
a94704df3b797409386f995447ac9d073cd8b9e5be41daef87c078a0b01345bd27ebc0bda445a64ff3b8fde98b633256c12b8f306b057cdb6e6e2f755a4c9a79

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\customizations.xml

Filesize
2KB

MD5
923094628f5beb49bfd4ef7e88e396a1

SHA1
6c618d7d58eab9ea4d442d269596205fd0199277

SHA256
1271cfef64de7d7aa1eb7524b91e426d5cb9afe8abfb05fcd33ab2f466082b0b

SHA512
575fa16f7a1d87fea9df41201a2d6221997a29ed5f7c91fe8e468e01096088e10febfa7e89c27c98e8511e1b11864d6a22b540bfc1e1ffaf2acd328f996c25df

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\qmgr.jfm

Filesize
16KB

MD5
96d802e7560cd0a92ebecfad3075c1e2

SHA1
10ddb6c95b5bdc2557b098ab354656bd963330ea

SHA256
0dc25048676f7379f43428e32167264968366f8cb670869f7907e214a3f6f6b2

SHA512
e0d0ad03ad368bc916709b4a5130d14cff022ee5b7b809e4bff4744f7452f5d04744e3cfa386242d8fc70ed33cf8c0dcdb7292b57ba0bdc629ed5c33e74c21b4

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\s640.hash

Filesize
106B

MD5
bef40d5a19278ca19b56fbcdde7e26ef

SHA1
4f01d5b8de038e120c64bd7cc22cf150af1452fb

SHA256
7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

SHA512
5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe

Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e7a7179.exe

Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADE.exe

Filesize
248KB

MD5
8fb1199711c3b6afd7aa7b8595929e7f

SHA1
ff8f1814fff095fa7cfd6c2bb07a1595b83c89c0

SHA256
f30ab3c5c9a72ef605d9e171dc9d22e39d1f1114c36d87c24a16b8ccb4a5f749

SHA512
dbd8765a9fcebee920335e41da43fc1b025460e3c1293a803be4f440a3cd6c0823f1f3bcd618a49ac8c7d07c29876ec8e2023e11c491f32faf16401a60821926

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADE.exe

Filesize
248KB

MD5
8fb1199711c3b6afd7aa7b8595929e7f

SHA1
ff8f1814fff095fa7cfd6c2bb07a1595b83c89c0

SHA256
f30ab3c5c9a72ef605d9e171dc9d22e39d1f1114c36d87c24a16b8ccb4a5f749

SHA512
dbd8765a9fcebee920335e41da43fc1b025460e3c1293a803be4f440a3cd6c0823f1f3bcd618a49ac8c7d07c29876ec8e2023e11c491f32faf16401a60821926

Download Submit
C:\Users\Admin\AppData\Local\Temp\D99C.exe

Filesize
1.1MB

MD5
9cbdebd30262dff137a1b9995d0627d9

SHA1
31be5635d7b6ab5b359db799a00276c35cdd3177

SHA256
ebd03a5a1da8adbde8bf48e710abeee4ea314a28cc423c23eb21029b0e58624f

SHA512
21c3b8963010524b1db58e406827e099f5efd069d0f0ed5b78cddca4ae75a93e9b39372dc7c69416a6f6bf47ed52b059ea12d71ff4778617147478ead9e2ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\D99C.exe

Filesize
1.1MB

MD5
9cbdebd30262dff137a1b9995d0627d9

SHA1
31be5635d7b6ab5b359db799a00276c35cdd3177

SHA256
ebd03a5a1da8adbde8bf48e710abeee4ea314a28cc423c23eb21029b0e58624f

SHA512
21c3b8963010524b1db58e406827e099f5efd069d0f0ed5b78cddca4ae75a93e9b39372dc7c69416a6f6bf47ed52b059ea12d71ff4778617147478ead9e2ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Roaming\ueujbhb

Filesize
210KB

MD5
8271c0bd21442cc8c0fee75db44aab0c

SHA1
3c2ea01367688b8d989ee9b7e0bea966b329f050

SHA256
2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8

SHA512
6d37f495560cc4a7c1307f07949e69dbb5787d6ce4d316ba99fc4917018582bf260d29e64c4c62bbcfcac7210a072fb369d13d7427513094239c1caf36aeb6d0

Download Submit
C:\Users\Admin\AppData\Roaming\ueujbhb

Filesize
210KB

MD5
8271c0bd21442cc8c0fee75db44aab0c

SHA1
3c2ea01367688b8d989ee9b7e0bea966b329f050

SHA256
2ab2e601ad80dbb63fde3da22130da04cc2763068a451fc3a85ca96c2c40e7a8

SHA512
6d37f495560cc4a7c1307f07949e69dbb5787d6ce4d316ba99fc4917018582bf260d29e64c4c62bbcfcac7210a072fb369d13d7427513094239c1caf36aeb6d0

Download Submit
C:\Windows\TEMP\5e7a7179.exe

Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
C:\Windows\Temp\5e7a7179.exe

Filesize
2.6MB

MD5
b4985dcbd4cd1e1529a87adbebec34f1

SHA1
0a9d1c53967da5c078e702251a10d4e7a7f3db16

SHA256
5c1b9418f3afac3767d38544a19b3cbcff8ebf91f5bc38273c5b71e040516586

SHA512
4f27d43f280426da183b78e3cd8bf0ac1ac43301cd0af75b5c56adb2ffb213f702e717ddc381ab1122e675e415cd2b7b323ebe7687d7cef9de1c1d753616bdf3

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\wcchromenativemessaginghost.dll

Filesize
774KB

MD5
5dbcaa3e66e0a9c7f6aeba99ef1813aa

SHA1
62a488c13134288ee8a1a104da3bca91483d1d4e

SHA256
8583f9bc839747518ddec9eeb4a3af679e5ccdc02285d41398123739e42e83c7

SHA512
25de90692e18ca58929a1cad96643ecede83ecf8b31a1ed4665c747bee4a122fad8a9dcd399c1d484a948d8456bc55595dcfcce3a3b38dca0b1610880181a856

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\WCChromeNativeMessagingHost.dll

Filesize
774KB

MD5
5dbcaa3e66e0a9c7f6aeba99ef1813aa

SHA1
62a488c13134288ee8a1a104da3bca91483d1d4e

SHA256
8583f9bc839747518ddec9eeb4a3af679e5ccdc02285d41398123739e42e83c7

SHA512
25de90692e18ca58929a1cad96643ecede83ecf8b31a1ed4665c747bee4a122fad8a9dcd399c1d484a948d8456bc55595dcfcce3a3b38dca0b1610880181a856

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\WCChromeNativeMessagingHost.dll

Filesize
774KB

MD5
5dbcaa3e66e0a9c7f6aeba99ef1813aa

SHA1
62a488c13134288ee8a1a104da3bca91483d1d4e

SHA256
8583f9bc839747518ddec9eeb4a3af679e5ccdc02285d41398123739e42e83c7

SHA512
25de90692e18ca58929a1cad96643ecede83ecf8b31a1ed4665c747bee4a122fad8a9dcd399c1d484a948d8456bc55595dcfcce3a3b38dca0b1610880181a856

Download Submit
\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
memory/1068-479-0x0000000006050000-0x0000000006BA5000-memory.dmp

Filesize
11.3MB

Download
memory/1068-645-0x0000000006050000-0x0000000006BA5000-memory.dmp

Filesize
11.3MB

Download
memory/1300-566-0x0000000000000000-mapping.dmp

Download
memory/2328-673-0x000000000AB80000-0x000000000B380000-memory.dmp

Filesize
8.0MB

Download
memory/2328-689-0x000000000AB80000-0x000000000B380000-memory.dmp

Filesize
8.0MB

Download
memory/2692-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-155-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2692-156-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2692-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-146-0x0000000002C10000-0x0000000002D5A000-memory.dmp

Filesize
1.3MB

Download
memory/2692-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-147-0x0000000002BF0000-0x0000000002BF9000-memory.dmp

Filesize
36KB

Download
memory/2692-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3300-729-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3300-728-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3300-727-0x0000000002BA0000-0x0000000002C4E000-memory.dmp

Filesize
696KB

Download
memory/3300-726-0x0000000002BA0000-0x0000000002CEA000-memory.dmp

Filesize
1.3MB

Download
memory/3352-633-0x0000000000000000-mapping.dmp

Download
memory/3416-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-192-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-193-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-197-0x0000000000400000-0x0000000002C76000-memory.dmp

Filesize
40.5MB

Download
memory/3416-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-183-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-185-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-187-0x0000000004AA0000-0x0000000004BCE000-memory.dmp

Filesize
1.2MB

Download
memory/3416-188-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-189-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-191-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-157-0x0000000000000000-mapping.dmp

Download
memory/3416-190-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-186-0x00000000048C0000-0x00000000049B4000-memory.dmp

Filesize
976KB

Download
memory/3416-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-217-0x0000000000400000-0x0000000002C76000-memory.dmp

Filesize
40.5MB

Download
memory/3416-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3416-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-368-0x0000000006C30000-0x0000000007785000-memory.dmp

Filesize
11.3MB

Download
memory/3468-364-0x0000000006C30000-0x0000000007785000-memory.dmp

Filesize
11.3MB

Download
memory/3468-205-0x0000000000000000-mapping.dmp

Download
memory/4100-342-0x0000000002DB6000-0x0000000002DD0000-memory.dmp

Filesize
104KB

Download
memory/4100-253-0x0000000000000000-mapping.dmp

Download
memory/4100-312-0x0000000002DB6000-0x0000000002DD0000-memory.dmp

Filesize
104KB

Download
memory/4100-315-0x0000000002BB0000-0x0000000002CFA000-memory.dmp

Filesize
1.3MB

Download
memory/4100-323-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/4100-343-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/4720-492-0x0000000000000000-mapping.dmp

Download
memory/4820-615-0x0000000000000000-mapping.dmp

Download
memory/4928-378-0x00007FF6DFD95FD0-mapping.dmp

Download
memory/4928-391-0x0000018B0F800000-0x0000018B0FAB5000-memory.dmp

Filesize
2.7MB

Download
memory/4928-388-0x00000000004E0000-0x0000000000784000-memory.dmp

Filesize
2.6MB

Download
memory/4972-483-0x0000000000000000-mapping.dmp

Download
memory/4972-567-0x00000000064F0000-0x0000000007045000-memory.dmp

Filesize
11.3MB

Download
memory/4972-591-0x00000000064F0000-0x0000000007045000-memory.dmp

Filesize
11.3MB

Download
memory/5080-688-0x0000000004B50000-0x0000000004DCF000-memory.dmp

Filesize
2.5MB

Download
memory/5080-670-0x0000000000400000-0x0000000002E03000-memory.dmp

Filesize
42.0MB

Download
memory/5080-669-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/5080-668-0x0000000004B50000-0x0000000004DCF000-memory.dmp

Filesize
2.5MB

Download