lumma | 8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874

Analysis

max time kernel
114s
max time network
138s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-01-2023 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe
Size

210KB
MD5

92bb8675d4eedd4d50603597ce85dbbf
SHA1

618f820d738a192c3e70875b01a612df48c03698
SHA256

8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874
SHA512

22ef20a9f4110f5718dacbc81f75dd94c96756b60b34c9d4058d78e68b58d0e4ce7bfb717b996ff26eb1c8dcabd30dbe3a641491a4c57f74a1ce89a9a2e4c564
SSDEEP

3072:1MXWFheF3d56wEZf+iV9uAw7Xw3c249xSqQNqi:1InFapZfMAb3Fh

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2300-139-0x00000000001E0000-0x00000000001E9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

20 3068 rundll32.exe
23 3068 rundll32.exe
25 3068 rundll32.exe
28 3068 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

4FE5.exe802D.exe

pid process

1896 4FE5.exe
1192 802D.exe

flow	pid	process
20	3068	rundll32.exe
23	3068	rundll32.exe
25	3068	rundll32.exe
28	3068	rundll32.exe

pid	process
1896	4FE5.exe
1192	802D.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AiodLite\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AiodLite.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AiodLite\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Deletes itself 1 IoCs

Processes:

pid process

2576
Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3068 rundll32.exe
4956 svchost.exe
2956 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2576

pid	process
3068	rundll32.exe
4956	svchost.exe
2956	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3068 set thread context of 4972 3068 rundll32.exe rundll32.exe

description	pid	process	target process
PID 3068 set thread context of 4972	3068	rundll32.exe	rundll32.exe

Drops file in Program Files directory 16 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_pdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-focus.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 36 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056a52c100054656d7000003a0009000400efbe0c55a7893056a52c2e000000000000000000000000000000000000000000000000000bd3de00540065006d007000000014000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2576

pid	process
2576

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe

pid	process
2300	8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe
2300	8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2576
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe

pid process

2300 8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe

pid	process
2576

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3068	rundll32.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4972 rundll32.exe
2576
2576
2576
2576
3068 rundll32.exe
2576
2576
2576
2576
3068 rundll32.exe
3068 rundll32.exe
3068 rundll32.exe
3068 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2576
2576

pid	process
4972	rundll32.exe
2576
2576
2576
2576
3068	rundll32.exe
2576
2576
2576
2576
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe

pid	process
2576
2576

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

4FE5.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2576 wrote to memory of 1896	2576		4FE5.exe
PID 2576 wrote to memory of 1896	2576		4FE5.exe
PID 2576 wrote to memory of 1896	2576		4FE5.exe
PID 1896 wrote to memory of 3068	1896	4FE5.exe	rundll32.exe
PID 1896 wrote to memory of 3068	1896	4FE5.exe	rundll32.exe
PID 1896 wrote to memory of 3068	1896	4FE5.exe	rundll32.exe
PID 2576 wrote to memory of 1192	2576		802D.exe
PID 2576 wrote to memory of 1192	2576		802D.exe
PID 2576 wrote to memory of 1192	2576		802D.exe
PID 3068 wrote to memory of 4972	3068	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 4972	3068	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 4972	3068	rundll32.exe	rundll32.exe
PID 4956 wrote to memory of 2956	4956	svchost.exe	rundll32.exe
PID 4956 wrote to memory of 2956	4956	svchost.exe	rundll32.exe
PID 4956 wrote to memory of 2956	4956	svchost.exe	rundll32.exe
PID 3068 wrote to memory of 4148	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4148	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4148	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 3848	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 3848	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 3848	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 5044	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 5044	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 5044	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4224	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4224	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4224	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 2568	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 2568	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 2568	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4560	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4560	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4560	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 668	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 668	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 668	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 916	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 916	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 916	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 2212	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 2212	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 2212	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4040	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4040	3068	rundll32.exe	schtasks.exe
PID 3068 wrote to memory of 4040	3068	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe
"C:\Users\Admin\AppData\Local\Temp\8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2300

C:\Users\Admin\AppData\Local\Temp\4FE5.exe
C:\Users\Admin\AppData\Local\Temp\4FE5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3068

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18680
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4148

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3848

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4224

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4560

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:668

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2212

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4040

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:300

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3624

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5056

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3764

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4276

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3972

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4932

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4776

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1252

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\802D.exe
C:\Users\Admin\AppData\Local\Temp\802D.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aiodlite.dll",hDlLSnQ1NGli
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\0__Power_Policy.provxml
Filesize
3KB

MD5
89e3f14ec51f25046860c425c5e443da

SHA1
c44ebf0b6e9ded5099fbe277d6f28bfa287f50c0

SHA256
1ca80f18d7f70b35c2c30e12b1b9f5c3c3dacfb17184998b8efe7ae782ba196e

SHA512
b005cc9f93ca79dd6fd6782a862b7217c74017ddee09097b455c33b59ef039b193d40ef938fa0deb99d9d473189dc79352ebd23e01ef98270fd5d31fdcd2ab92

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\107__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml
Filesize
480B

MD5
bfbff89c7d2533270a97429879704295

SHA1
61fe4d0adfcbc0400bb7408d053efdd1dac7f207

SHA256
939f86c8e33354025c9231816294414658f82a6f3f1fc4bda17e603aa9f0b584

SHA512
83ee9190296fbdd5ae465e9f35b93f9d7051f94db983e01c413e201f58bf5e99cfac2a9b2236acf0694fa0958df6643df3b0e36981c269e92c839118a4ac7c6a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\142__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml
Filesize
838B

MD5
89551f0137c7e6649db4a8160f604dff

SHA1
0b66aaeb0fa4aa9173defce30743c789ccec056d

SHA256
fd14e7e09957a2b26c0e431cc8bb225ad3a738304482bf7de382f6920d0779ff

SHA512
9a7232b3dc67f4557a41cee4f0bcf445b31f768f5000e3868744684e65086a29bcf85853f9a01562068a606d2642825d7bb50111c50783eaf979aeb6c0508667

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\147__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml
Filesize
707B

MD5
eff2445f7dc49fb189e46a53f44acf99

SHA1
a29740e70af2d1ed6b8063336f188269cd2ed899

SHA256
9cf573e616856ddbecf708313d49437895d570afe73d35747dcdbdf06e813ee2

SHA512
fcb308f4ee505ae49d0832de754abd85385fb148013819d8b419d1a81c17c7e54ebc06a9d6f325624673f9480b98ca1412fbd3502537a0964eaff4d9d5974769

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\167__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml
Filesize
651B

MD5
56663f92f315966861b37837af1d1d65

SHA1
58d94a1bc74fd31e5be29eb6bbcb7d3e76c9c6e7

SHA256
e0c75b46669b7b9457b51c859ae1d27d805f61a119d58e9e7723c5b1ea7305b3

SHA512
e324121cff95de4d4834a170aa4f22b6ab056ef2a87c2f0244d16c647b4c47b7abc7ee011aabefebc38a15a1c47e9fa26a09ee2241399bbd912c3a61f961719f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.Proof.Culture.msi.16.en-us.xml
Filesize
25KB

MD5
c61439f60c39268b94a18e5d51f0b26e

SHA1
4ee213d4f4438b2fd8841bcb7ee07ca0f4742b3a

SHA256
06bc78753a1130463805f6ee03e1c2fe991e04d14e02ad852e8f857c43e24213

SHA512
88310fcea8cfa7fa1f028d4af3d529ef92cad0002705a5c720e5779cf465555917ac63042d999c575c22889b229e624f3da01525797dd262309d95461b75b45c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.Proof.Culture.msi.16.es-es.xml
Filesize
23KB

MD5
156b3ab70b2cce134d493104d047e6fa

SHA1
9907a741812bef8c5b55d0e73c9ac5c0d973c4be

SHA256
5fba15e64d0ff7075951a8e6bf758d81d4c14fa98e6b8604d5bbc43317da8c01

SHA512
f3b2157c6aaf1b9e450872057fd5ddaad36bd30be98a48c28c0617c7a638a378dc38cbdbfb9f4b66858b32dfa3e79d577f99fd488b73b6000d1d8887640e7cbd

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
7bc7feaf721822eb4fe4d4f97aab91d6

SHA1
7f458265e5e8d6083d43c61890f1866891dfc8df

SHA256
b454f1c3251c49494ad607c0807bc7b892f0d82ab5f6c28611a64b6a46794d8f

SHA512
2c775b4eaea93b3f5270652f0e7285a5b124e855909332aadc7e20d277135484433ad95fff6593b7d4ac117ea2762e9e1911fe27a89e8fe9f8bba32f6b7b0f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE5.exe
Filesize
1.1MB

MD5
fd94680e7257e1ab0f52814dd2a9405c

SHA1
f70f02d0c46846492b7488f177e7b98e004f0bcf

SHA256
b7f022a18ffa2c3794fd4d33c1a276bce9dd2f31b7b4c3060fcfaa44a643f556

SHA512
ac238a3f96cb0d27ecb864ea298d62cdded12f626ceca56a323014c04313a3af23aade1ec4b72e81ea109b506647eadde618ce85398e54c924e86d6361081e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE5.exe
Filesize
1.1MB

MD5
fd94680e7257e1ab0f52814dd2a9405c

SHA1
f70f02d0c46846492b7488f177e7b98e004f0bcf

SHA256
b7f022a18ffa2c3794fd4d33c1a276bce9dd2f31b7b4c3060fcfaa44a643f556

SHA512
ac238a3f96cb0d27ecb864ea298d62cdded12f626ceca56a323014c04313a3af23aade1ec4b72e81ea109b506647eadde618ce85398e54c924e86d6361081e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\802D.exe
Filesize
248KB

MD5
e2d40676fa2b1dd7966d50ccbf5acbde

SHA1
e54498df173d571cff586b7594762b054ced5ea6

SHA256
7b9e17219d79e0535177f413836088cf5fafb5854f3d2b18856a9834e0ef2084

SHA512
3b70d0ad0b660360381654a63bc4989a982ba505ae2183bc4b31573c083eb703c8c01ae57df7c48a4dde937774067fbd7680054c90b50abcb7e056bc445059df

Download Submit
C:\Users\Admin\AppData\Local\Temp\802D.exe
Filesize
248KB

MD5
e2d40676fa2b1dd7966d50ccbf5acbde

SHA1
e54498df173d571cff586b7594762b054ced5ea6

SHA256
7b9e17219d79e0535177f413836088cf5fafb5854f3d2b18856a9834e0ef2084

SHA512
3b70d0ad0b660360381654a63bc4989a982ba505ae2183bc4b31573c083eb703c8c01ae57df7c48a4dde937774067fbd7680054c90b50abcb7e056bc445059df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\aiodlite.dll
Filesize
774KB

MD5
f9e41f86ea4c6f3290b081a08f322f7c

SHA1
ca554d95b4170534c67b1d1c1e6339319ff09c7e

SHA256
d89545a48685b760b2115fc999e93da2ff1a9f7a2720d35440bbd307e959ba04

SHA512
dca0a631d704a1ad5e5a1ee8a65b64034b8b455d59446d5bc855a99f6097965396e1f10a1eb77eedb3cd542ba017f5dbf7334cbcd3de2894aca5c799d33f300d

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll
Filesize
774KB

MD5
f9e41f86ea4c6f3290b081a08f322f7c

SHA1
ca554d95b4170534c67b1d1c1e6339319ff09c7e

SHA256
d89545a48685b760b2115fc999e93da2ff1a9f7a2720d35440bbd307e959ba04

SHA512
dca0a631d704a1ad5e5a1ee8a65b64034b8b455d59446d5bc855a99f6097965396e1f10a1eb77eedb3cd542ba017f5dbf7334cbcd3de2894aca5c799d33f300d

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll
Filesize
774KB

MD5
f9e41f86ea4c6f3290b081a08f322f7c

SHA1
ca554d95b4170534c67b1d1c1e6339319ff09c7e

SHA256
d89545a48685b760b2115fc999e93da2ff1a9f7a2720d35440bbd307e959ba04

SHA512
dca0a631d704a1ad5e5a1ee8a65b64034b8b455d59446d5bc855a99f6097965396e1f10a1eb77eedb3cd542ba017f5dbf7334cbcd3de2894aca5c799d33f300d

Download Submit
\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
memory/300-743-0x0000000000000000-mapping.dmp

Download
memory/668-671-0x0000000000000000-mapping.dmp

Download
memory/916-689-0x0000000000000000-mapping.dmp

Download
memory/1192-327-0x0000000002BB0000-0x0000000002CFA000-memory.dmp

Filesize
1.3MB

Download
memory/1192-325-0x0000000002EB6000-0x0000000002ED0000-memory.dmp

Filesize
104KB

Download
memory/1192-335-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/1192-343-0x0000000002EB6000-0x0000000002ED0000-memory.dmp

Filesize
104KB

Download
memory/1192-344-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/1192-237-0x0000000000000000-mapping.dmp

Download
memory/1252-941-0x0000000000000000-mapping.dmp

Download
memory/1588-797-0x0000000000000000-mapping.dmp

Download
memory/1688-905-0x0000000000000000-mapping.dmp

Download
memory/1896-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-188-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-186-0x0000000004950000-0x0000000004A3A000-memory.dmp

Filesize
936KB

Download
memory/1896-217-0x0000000000400000-0x0000000002C76000-memory.dmp

Filesize
40.5MB

Download
memory/1896-196-0x0000000000400000-0x0000000002C76000-memory.dmp

Filesize
40.5MB

Download
memory/1896-194-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-193-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-192-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-191-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-158-0x0000000000000000-mapping.dmp

Download
memory/1896-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-190-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-189-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-184-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-187-0x0000000004A40000-0x0000000004B6E000-memory.dmp

Filesize
1.2MB

Download
memory/2092-959-0x0000000000000000-mapping.dmp

Download
memory/2212-707-0x0000000000000000-mapping.dmp

Download
memory/2300-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-157-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2300-156-0x0000000002D06000-0x0000000002D17000-memory.dmp

Filesize
68KB

Download
memory/2300-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-146-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2300-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-139-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2300-138-0x0000000002D06000-0x0000000002D17000-memory.dmp

Filesize
68KB

Download
memory/2300-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2568-635-0x0000000000000000-mapping.dmp

Download
memory/2956-561-0x00000000069A0000-0x00000000074F5000-memory.dmp

Filesize
11.3MB

Download
memory/2956-477-0x0000000000000000-mapping.dmp

Download
memory/3068-206-0x0000000000000000-mapping.dmp

Download
memory/3068-363-0x0000000006D80000-0x00000000078D5000-memory.dmp

Filesize
11.3MB

Download
memory/3068-377-0x0000000006D80000-0x00000000078D5000-memory.dmp

Filesize
11.3MB

Download
memory/3624-779-0x0000000000000000-mapping.dmp

Download
memory/3764-833-0x0000000000000000-mapping.dmp

Download
memory/3848-580-0x0000000000000000-mapping.dmp

Download
memory/3972-869-0x0000000000000000-mapping.dmp

Download
memory/4040-725-0x0000000000000000-mapping.dmp

Download
memory/4148-562-0x0000000000000000-mapping.dmp

Download
memory/4224-617-0x0000000000000000-mapping.dmp

Download
memory/4276-851-0x0000000000000000-mapping.dmp

Download
memory/4560-653-0x0000000000000000-mapping.dmp

Download
memory/4776-923-0x0000000000000000-mapping.dmp

Download
memory/4932-887-0x0000000000000000-mapping.dmp

Download
memory/4956-459-0x0000000005C10000-0x0000000006765000-memory.dmp

Filesize
11.3MB

Download
memory/4956-598-0x0000000005C10000-0x0000000006765000-memory.dmp

Filesize
11.3MB

Download
memory/4972-378-0x00000000009E0000-0x0000000000C84000-memory.dmp

Filesize
2.6MB

Download
memory/4972-381-0x000001859BC70000-0x000001859BF25000-memory.dmp

Filesize
2.7MB

Download
memory/4972-372-0x00007FF6C04C5FD0-mapping.dmp

Download
memory/5044-599-0x0000000000000000-mapping.dmp

Download
memory/5056-815-0x0000000000000000-mapping.dmp

Download
memory/5104-761-0x0000000000000000-mapping.dmp

Download