lumma | 12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2

Analysis

max time kernel
108s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
Size

210KB
MD5

a272c2456368521390a3b920e88cd39e
SHA1

1eb4a8adb3fbb1a6a5478a97054865a17e596e17
SHA256

12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2
SHA512

eff3f09fb644ab3e78b8ca9b6c838cc81efaa25d7a430444812f445e27f71cf5e14ac1ac33da00ee5b8f83865eb6abf47083e28cd1dd49dcc65fa1bbb1dfb65f
SSDEEP

3072:8YXj7gW0W5hed5Yu/BvIiER1Q50VM3MUAMOgbytz6yW0i:8sIWXfu5vJERO50VFUnOwoz2

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4656-133-0x00000000048D0000-0x00000000048D9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

37 4004 rundll32.exe
42 4004 rundll32.exe
48 4004 rundll32.exe
50 4004 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

E5B1.exewvhrjvgB2C6.exe

pid process

1688 E5B1.exe
1980 wvhrjvg
964 B2C6.exe

flow	pid	process
37	4004	rundll32.exe
42	4004	rundll32.exe
48	4004	rundll32.exe
50	4004	rundll32.exe

pid	process
1688	E5B1.exe
1980	wvhrjvg
964	B2C6.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\email_all\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\email_all.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\email_all\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4004 rundll32.exe
2072 svchost.exe
2744 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4004	rundll32.exe
2072	svchost.exe
2744	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4004 set thread context of 1600 4004 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4004 set thread context of 1600	4004	rundll32.exe	rundll32.exe

Drops file in Program Files directory 24 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\createpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3656 1688 WerFault.exe E5B1.exe
4520 964 WerFault.exe B2C6.exe

pid	pid_target	process	target process
3656	1688	WerFault.exe	E5B1.exe
4520	964	WerFault.exe	B2C6.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exewvhrjvg

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wvhrjvg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wvhrjvg
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wvhrjvg

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056ba0b100054656d7000003a0009000400efbe0c55ec983056c00b2e000000000000000000000000000000000000000000000000006b3ec100540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2204

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe

pid	process
4656	12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
4656	12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2204
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exewvhrjvg

pid process

4656 12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
1980 wvhrjvg

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeDebugPrivilege	4004	rundll32.exe
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

rundll32.exerundll32.exe

pid	process
2204
2204
2204
2204
2204
2204
2204
2204
4004	rundll32.exe
1600	rundll32.exe
4004	rundll32.exe
4004	rundll32.exe
4004	rundll32.exe
4004	rundll32.exe
4004	rundll32.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2204
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2204
2204

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

E5B1.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2204 wrote to memory of 1688	2204		E5B1.exe
PID 2204 wrote to memory of 1688	2204		E5B1.exe
PID 2204 wrote to memory of 1688	2204		E5B1.exe
PID 1688 wrote to memory of 4004	1688	E5B1.exe	rundll32.exe
PID 1688 wrote to memory of 4004	1688	E5B1.exe	rundll32.exe
PID 1688 wrote to memory of 4004	1688	E5B1.exe	rundll32.exe
PID 2072 wrote to memory of 2744	2072	svchost.exe	rundll32.exe
PID 2072 wrote to memory of 2744	2072	svchost.exe	rundll32.exe
PID 2072 wrote to memory of 2744	2072	svchost.exe	rundll32.exe
PID 4004 wrote to memory of 1600	4004	rundll32.exe	rundll32.exe
PID 4004 wrote to memory of 1600	4004	rundll32.exe	rundll32.exe
PID 4004 wrote to memory of 1600	4004	rundll32.exe	rundll32.exe
PID 4004 wrote to memory of 3416	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3416	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3416	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3744	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3744	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3744	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2720	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2720	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2720	4004	rundll32.exe	schtasks.exe
PID 2204 wrote to memory of 964	2204		B2C6.exe
PID 2204 wrote to memory of 964	2204		B2C6.exe
PID 2204 wrote to memory of 964	2204		B2C6.exe
PID 4004 wrote to memory of 4504	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 4504	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 4504	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2112	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2112	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2112	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 1908	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 1908	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 1908	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3972	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3972	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3972	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3312	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3312	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3312	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 388	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 388	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 388	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 4624	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 4624	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 4624	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3552	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3552	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 3552	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2376	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2376	4004	rundll32.exe	schtasks.exe
PID 4004 wrote to memory of 2376	4004	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe
"C:\Users\Admin\AppData\Local\Temp\12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4656

C:\Users\Admin\AppData\Local\Temp\E5B1.exe
C:\Users\Admin\AppData\Local\Temp\E5B1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1600

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3416

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3744

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2720

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4504

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1908

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3972

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3312

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:388

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4624

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3552

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4380

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3944

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3192

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:636

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3376

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:332

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4224

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 528
2⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1688 -ip 1688
1⤵
PID:3560

C:\Users\Admin\AppData\Roaming\wvhrjvg
C:\Users\Admin\AppData\Roaming\wvhrjvg
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\email_all.dll",gUk4eg==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\B2C6.exe
C:\Users\Admin\AppData\Local\Temp\B2C6.exe
1⤵
- Executes dropped EXE
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1380
2⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 964 -ip 964
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.dll
Filesize
774KB

MD5
804dfacc2e00460228761fb85bab28a2

SHA1
8ea923e82b16030d0ec82764dd39625be20b287d

SHA256
d646f501c9c807b12d8561ec64da2fd19042e4f71013ba80eec805d3c517484d

SHA512
5e490f5464b361b858b078527321521c9cb8c7ac3f9b78166c12d8219127a0b799f008516f8e8f6bb64a0c4a980370be62a0ea3889bfc3155134ffc56e0e3069

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.dll
Filesize
774KB

MD5
804dfacc2e00460228761fb85bab28a2

SHA1
8ea923e82b16030d0ec82764dd39625be20b287d

SHA256
d646f501c9c807b12d8561ec64da2fd19042e4f71013ba80eec805d3c517484d

SHA512
5e490f5464b361b858b078527321521c9cb8c7ac3f9b78166c12d8219127a0b799f008516f8e8f6bb64a0c4a980370be62a0ea3889bfc3155134ffc56e0e3069

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\318ab36738cde9fc7d1c6831baf5c185_4b401a7f-b7c1-4c1c-a9cf-2b1aa260545d
Filesize
1KB

MD5
f2eef515bb9f7d2c4fca0cecba604798

SHA1
62d5f82e06f02e1bbfbf48679f82320b2cc9c580

SHA256
fbddcd277640092b78215a454a49cbc4d69988e00ec1be4ea6e5f1fac8febbcb

SHA512
b0e12a93e81b38872ddf4527c6dee30694ff340f7e7b0e9fae3cbf70ae51fe338f5685d0a71e2894c7ecf93e9378f8e2725a86aca8babe3a9c4e47e7ddea95c3

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.officemui.msi.16.en-us.xml
Filesize
122KB

MD5
35acff0f35559eac959647a7501385f7

SHA1
28e052e01fe4e0eac3eab461385460eff7efe271

SHA256
2669d714f126be033270a9f2919d6152f45c5bec970dc1ab8da09f41351234c0

SHA512
f3fa4e7499e15a63d2503355705eb08d15be0a3736145c3b46cc79a4fcf7e00df871f62af769090aff7692b34d93365cf413be7b86b27a9df0ecb8f481898ed2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe.xml
Filesize
9KB

MD5
993d82e37af681bd65f1d428b6ee281e

SHA1
bb1a8402cfccd1d97ea58d6136847a4dd1ba0f65

SHA256
1bc1d4525a46e58edd165a9d792f50441ea3cbcecd14022dc112e02f3d9b5bf8

SHA512
4eb247e384ffa84460e43abe7563643de30f397b628c02f3e6e51c69669d5d7b8be6ebe51355586e5cd5a252652e0eef7f1bd0219b416b61e1db318db4ac833c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
Filesize
2KB

MD5
c8d6f0d26db52746e243b785c269cacd

SHA1
b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1

SHA256
d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21

SHA512
c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
34KB

MD5
49ab499fcfc79c613b8fd961693f4c6d

SHA1
145f086f024f268cfd67395e672f642cfc70e528

SHA256
e9be748ed4a3c102ea57b0a8f437768ce2a2f626d4cdfa5f0e1c4b96dd688a49

SHA512
4fbb6fd9529ca7e178060e3d8724d56d5fc088e313bd17fdd075c0bb57e97f113c65bb72bef1e2cf5a806682bb2e3d236986b31db20a51d1ff3b800d4e10c3b1

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\NetworkPrinters.xml
Filesize
2KB

MD5
774c9f44e6ff0b1798e092ed1df9a1fc

SHA1
a40a3292a55cb4f6f101a04f247f83196bf54716

SHA256
ef22a638f62476efac099497b1251bef64f115fa4752ad20467614571cf5ae5f

SHA512
529e66cd53361e631b7bfabff0063ac37a39e7adb0f2890db461a55de6430059015d6f6ca1cf447da759edd463b32c2007e6411d6d84a999a7d998f574fe2748

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
8653dd4e4d709a39759d4f163bb2e62a

SHA1
d6a8af82e7dd5658266682dccf22befbd2002d56

SHA256
4d90a14747045872c2c35334cc5a0ec0f87dd7c9840d342b0cab0a0c5bd4827e

SHA512
f5d395a9a6104360ece1c8ed5c5b7d171e2f95879fc3363133c37c764c55b2569c44ca29f673b1e0284eba436d5ab5f72a794fe5dcffc793fb5d8e09132e32bc

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\print_queue.ico
Filesize
55KB

MD5
0f3c6d90637f0fdc57b1d303cf8d76cd

SHA1
91cef4325b363b31e4555302a70321a2110b51cf

SHA256
4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261

SHA512
6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\stream.x64.en-us.hash
Filesize
128B

MD5
73f303800be636585f9ec14701cd8d5e

SHA1
456304dc888d5eaa159fa0fa34fc9bcc3bacb633

SHA256
c8e3762853e17a3bd49882b0d36afa285bed5639f8f9e88f716c3942e28b6ace

SHA512
8a80ee6d1b074d68a55bbb3d5be251cfaae89b0345a6b0e84a6359e8c1453c8bf0969e6d33a7d0523d30d586c46c1eede9e71f7a89f7bc67ea0ad866671b81b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2C6.exe
Filesize
248KB

MD5
d4371171249f45f3af6095825378c055

SHA1
7c38214ddc9fdf6598f5247272997dd682147717

SHA256
73cfa816bd989fa7dd51fc1aeff7657323836d86fdc30da54f3d0140376096c5

SHA512
96f1118afbc83d3738ac00e4b9b9e08f9773fa47edcd422d9951168341f61a63c1e388d775595a23325b6a227a0704a333de14855286cc7a13bc37406b8aba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2C6.exe
Filesize
248KB

MD5
d4371171249f45f3af6095825378c055

SHA1
7c38214ddc9fdf6598f5247272997dd682147717

SHA256
73cfa816bd989fa7dd51fc1aeff7657323836d86fdc30da54f3d0140376096c5

SHA512
96f1118afbc83d3738ac00e4b9b9e08f9773fa47edcd422d9951168341f61a63c1e388d775595a23325b6a227a0704a333de14855286cc7a13bc37406b8aba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5B1.exe
Filesize
1.1MB

MD5
4c0166d076c46c39e7d33531e2c4672b

SHA1
2351ae6f33d6776664178480b950bbba8d41e58a

SHA256
3d0e57799cbf940ede579b88534b2bcc61f0ea14946ae459d91b1d9240524b6d

SHA512
676ad2e3ef2fdc5eadc20cf21e62b1d7c42ad74b1a655334ed34357af65f3838519194c21e39741b56363d013a74f687f32561bdb9d8303ee21993eb07563829

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5B1.exe
Filesize
1.1MB

MD5
4c0166d076c46c39e7d33531e2c4672b

SHA1
2351ae6f33d6776664178480b950bbba8d41e58a

SHA256
3d0e57799cbf940ede579b88534b2bcc61f0ea14946ae459d91b1d9240524b6d

SHA512
676ad2e3ef2fdc5eadc20cf21e62b1d7c42ad74b1a655334ed34357af65f3838519194c21e39741b56363d013a74f687f32561bdb9d8303ee21993eb07563829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Roaming\wvhrjvg
Filesize
210KB

MD5
a272c2456368521390a3b920e88cd39e

SHA1
1eb4a8adb3fbb1a6a5478a97054865a17e596e17

SHA256
12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2

SHA512
eff3f09fb644ab3e78b8ca9b6c838cc81efaa25d7a430444812f445e27f71cf5e14ac1ac33da00ee5b8f83865eb6abf47083e28cd1dd49dcc65fa1bbb1dfb65f

Download Submit
C:\Users\Admin\AppData\Roaming\wvhrjvg
Filesize
210KB

MD5
a272c2456368521390a3b920e88cd39e

SHA1
1eb4a8adb3fbb1a6a5478a97054865a17e596e17

SHA256
12ca778b2f964c751dedf8211fb4959be500022d1b26ce2d427b4736bb3fa9f2

SHA512
eff3f09fb644ab3e78b8ca9b6c838cc81efaa25d7a430444812f445e27f71cf5e14ac1ac33da00ee5b8f83865eb6abf47083e28cd1dd49dcc65fa1bbb1dfb65f

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\email_all.dll
Filesize
774KB

MD5
804dfacc2e00460228761fb85bab28a2

SHA1
8ea923e82b16030d0ec82764dd39625be20b287d

SHA256
d646f501c9c807b12d8561ec64da2fd19042e4f71013ba80eec805d3c517484d

SHA512
5e490f5464b361b858b078527321521c9cb8c7ac3f9b78166c12d8219127a0b799f008516f8e8f6bb64a0c4a980370be62a0ea3889bfc3155134ffc56e0e3069

Download Submit
memory/332-210-0x0000000000000000-mapping.dmp

Download
memory/388-196-0x0000000000000000-mapping.dmp

Download
memory/636-206-0x0000000000000000-mapping.dmp

Download
memory/764-208-0x0000000000000000-mapping.dmp

Download
memory/964-188-0x0000000002EE9000-0x0000000002F03000-memory.dmp

Filesize
104KB

Download
memory/964-189-0x0000000002E00000-0x0000000002E2A000-memory.dmp

Filesize
168KB

Download
memory/964-183-0x0000000000000000-mapping.dmp

Download
memory/964-193-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/964-190-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/1600-178-0x0000000000700000-0x00000000009A4000-memory.dmp

Filesize
2.6MB

Download
memory/1600-177-0x000002A6B2440000-0x000002A6B2580000-memory.dmp

Filesize
1.2MB

Download
memory/1600-176-0x000002A6B2440000-0x000002A6B2580000-memory.dmp

Filesize
1.2MB

Download
memory/1600-179-0x000002A6B09E0000-0x000002A6B0C95000-memory.dmp

Filesize
2.7MB

Download
memory/1600-175-0x00007FF7181A6890-mapping.dmp

Download
memory/1660-209-0x0000000000000000-mapping.dmp

Download
memory/1688-136-0x0000000000000000-mapping.dmp

Download
memory/1688-144-0x0000000000400000-0x0000000002C76000-memory.dmp

Filesize
40.5MB

Download
memory/1688-143-0x0000000004AC0000-0x0000000004BEE000-memory.dmp

Filesize
1.2MB

Download
memory/1688-142-0x000000000497C000-0x0000000004A65000-memory.dmp

Filesize
932KB

Download
memory/1908-192-0x0000000000000000-mapping.dmp

Download
memory/1972-203-0x0000000000000000-mapping.dmp

Download
memory/1980-151-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/1980-149-0x0000000002ED8000-0x0000000002EE8000-memory.dmp

Filesize
64KB

Download
memory/1980-150-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2072-158-0x0000000003E10000-0x0000000004965000-memory.dmp

Filesize
11.3MB

Download
memory/2072-186-0x0000000003E10000-0x0000000004965000-memory.dmp

Filesize
11.3MB

Download
memory/2112-205-0x0000000000000000-mapping.dmp

Download
memory/2112-191-0x0000000000000000-mapping.dmp

Download
memory/2376-199-0x0000000000000000-mapping.dmp

Download
memory/2720-182-0x0000000000000000-mapping.dmp

Download
memory/2744-169-0x00000000049D0000-0x0000000005525000-memory.dmp

Filesize
11.3MB

Download
memory/2744-173-0x00000000049D0000-0x0000000005525000-memory.dmp

Filesize
11.3MB

Download
memory/2744-167-0x0000000000000000-mapping.dmp

Download
memory/3192-204-0x0000000000000000-mapping.dmp

Download
memory/3312-195-0x0000000000000000-mapping.dmp

Download
memory/3376-207-0x0000000000000000-mapping.dmp

Download
memory/3416-180-0x0000000000000000-mapping.dmp

Download
memory/3552-198-0x0000000000000000-mapping.dmp

Download
memory/3744-181-0x0000000000000000-mapping.dmp

Download
memory/3944-202-0x0000000000000000-mapping.dmp

Download
memory/3972-194-0x0000000000000000-mapping.dmp

Download
memory/4004-152-0x0000000005790000-0x00000000062E5000-memory.dmp

Filesize
11.3MB

Download
memory/4004-154-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/4004-174-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/4004-172-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/4004-139-0x0000000000000000-mapping.dmp

Download
memory/4004-171-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/4004-170-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/4004-145-0x0000000005790000-0x00000000062E5000-memory.dmp

Filesize
11.3MB

Download
memory/4004-146-0x0000000005790000-0x00000000062E5000-memory.dmp

Filesize
11.3MB

Download
memory/4004-153-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/4224-211-0x0000000000000000-mapping.dmp

Download
memory/4344-212-0x0000000000000000-mapping.dmp

Download
memory/4380-201-0x0000000000000000-mapping.dmp

Download
memory/4504-187-0x0000000000000000-mapping.dmp

Download
memory/4604-200-0x0000000000000000-mapping.dmp

Download
memory/4624-197-0x0000000000000000-mapping.dmp

Download
memory/4656-132-0x0000000002D38000-0x0000000002D49000-memory.dmp

Filesize
68KB

Download
memory/4656-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4656-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4656-133-0x00000000048D0000-0x00000000048D9000-memory.dmp

Filesize
36KB

Download