Analysis
max time kernel: 84s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 16-01-2023 07:02
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
Target: file.exe
Size: 258KB
MD5: 9edbea943982f7a94e9fbbeaad334299
SHA1: e671870f03ba365635b07b27f508c96c66de3bc4
SHA256: 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb
SHA512: 3314db9ebdc307e8c5a987d1b2e619ed404a4d59f1e7ffdc97b64c51616782fd3e14b9f74d1154ffd244d6b2c50d1d225a4b0d7be3e998eb4a3bbfd4ef13c687
SSDEEP: 6144:77PXfWLqmrvtrVxmhIsLkliDTrrj9U4zqQna:77P+2m7tfmqqkliDTrrxFP
Malware Config
Extracted
lumma
77.73.134.68
Signatures
Detects Smokeloader packer 1 IoCs
resource | yara_rule
behavioral2/memory/4976-134-0x0000000002180000-0x0000000002189000-memory.dmp | family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Blocklisted process makes network request 5 IoCs
Processes: rundll32.exe
flow | pid | process
51 | 2996 | rundll32.exe
52 | 2996 | rundll32.exe
59 | 2996 | rundll32.exe
68 | 2996 | rundll32.exe
70 | 2996 | rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
Processes: 51AA.exe, 6717.exe
pid | process
4384 | 51AA.exe
3104 | 6717.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TrackedSend.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\TrackedSend..dll" | rundll32.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TrackedSend.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
Loads dropped DLL 3 IoCs
Processes: rundll32.exe, svchost.exe, rundll32.exe
pid | process
2996 | rundll32.exe
4692 | svchost.exe
4192 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 2 IoCs
Processes: rundll32.exe
description | pid process | target process
PID 2996 set thread context of 4972 | 2996 rundll32.exe | rundll32.exe
PID 2996 set thread context of 1344 | 2996 rundll32.exe | rundll32.exe
Drops file in Program Files directory 33 IoCs
Processes: rundll32.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\init.js | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\submission_history.gif | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\COPYING.LGPLv2.1.txt | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_psd.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend..dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.pdf | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\ExtendScript.dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Updater.api | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\StandardBusiness.pdf | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
3996 | 4384 | WerFault.exe | 51AA.exe
3692 | 3104 | WerFault.exe | 6717.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: file.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe, rundll32.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | svchost.exe
Processes:
description ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -
Modifies registry class 39 IoCs
Processes: rundll32.exe, rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 |
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000030566438100054656d7000003a0009000400efbe21550a58305665382e0000000000000000000000000000000000000000000000000099584d00540065006d007000000014000000 |
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 |
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders |
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | rundll32.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | process
2640 | (no process name given)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: file.exe
pid | process
4976 | file.exe
4976 | file.exe
2640 | (no process name given; 62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2640 | (no process name given)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: file.exe
pid | process
4976 | file.exe
Suspicious use of AdjustPrivilegeToken 59 IoCs
Processes: rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 2996 | rundll32.exe
Token: SeShutdownPrivilege | 2640 | (no process name given)
Token: SeCreatePagefilePrivilege | 2640 | (no process name given)
The two 2640 entries alternate (SeShutdownPrivilege, then SeCreatePagefilePrivilege) for 58 entries in total; the SeDebugPrivilege entry for 2996 appears once, after the second pair.
Suspicious use of FindShellTrayWindow 13 IoCs
Processes: rundll32.exe, rundll32.exe, rundll32.exe
pid | process
4972 | rundll32.exe
2640 | (no process name given; 8 entries)
2996 | rundll32.exe
1344 | rundll32.exe
2996 | rundll32.exe
2996 | rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | process
2640 | (no process name given)
2640 | (no process name given)
Suspicious use of WriteProcessMemory 36 IoCs
Processes: 51AA.exe, rundll32.exe, svchost.exe
description | pid process | target process (each row is reported 3 times)
PID 2640 wrote to memory of 4384 | 2640 | 51AA.exe
PID 2640 wrote to memory of 3104 | 2640 | 6717.exe
PID 4384 wrote to memory of 2996 | 4384 51AA.exe | rundll32.exe
PID 2996 wrote to memory of 4972 | 2996 rundll32.exe | rundll32.exe
PID 4692 wrote to memory of 4192 | 4692 svchost.exe | rundll32.exe
PID 2996 wrote to memory of 4288 | 2996 rundll32.exe | schtasks.exe
PID 2996 wrote to memory of 3664 | 2996 rundll32.exe | schtasks.exe
PID 2996 wrote to memory of 1344 | 2996 rundll32.exe | rundll32.exe
PID 2996 wrote to memory of 4064 | 2996 rundll32.exe | schtasks.exe
PID 2996 wrote to memory of 4128 | 2996 rundll32.exe | schtasks.exe
PID 2996 wrote to memory of 4708 | 2996 rundll32.exe | schtasks.exe
PID 2996 wrote to memory of 1360 | 2996 rundll32.exe | schtasks.exe
outlook_office_path 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
outlook_win_path 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 4976
[level 1] C:\Users\Admin\AppData\Local\Temp\51AA.exe
  command line: C:\Users\Admin\AppData\Local\Temp\51AA.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4384
  [level 2] C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID: 2996
    [level 3] C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID: 4972
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4288
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3664
    [level 3] C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID: 1344
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4064
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4128
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4708
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1360
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1036
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3828
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1960
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4848
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 424
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 2688
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 2704
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4836
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4948
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 2344
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3216
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3164
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4976
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3936
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1572
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1300
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3980
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4888
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1880
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1232
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3828
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3692
  [level 2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 532
    - Program crash
    PID: 3996
[level 1] C:\Users\Admin\AppData\Local\Temp\6717.exe
  command line: C:\Users\Admin\AppData\Local\Temp\6717.exe
  - Executes dropped EXE
  PID: 3104
  [level 2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1352
- Program crash
PID:3692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4384 -ip 43841⤵PID:4328
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3104 -ip 31041⤵PID:2824
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\trackedsend..dll",gU4zM0Iz2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4192
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3508
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend..dll
Filesize
774KB
MD5
2b567c62a7308e4f45a6ccad5837ea60
SHA1
c8a2b333f93bf9118c2743c8db104ee2ff05e224
SHA256
b472e3d0c5f32d0dc28fd7ea9a08e0fab4de4a92cea6d5b2aaf0b9f028726bed
SHA512
4468e9bbd86fa2360ae1dfba9520652357d5f3ae720d229395dfe2634be8c22e35fde03285b7937d7c578e1420d33ebb517b4a8c0d235b4801593d00a30997cc
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\6f0ee53c300e9acf16f91c5a0f78ea21_4cfb5922-b036-4c14-9ed1-03c0dad19fbd
Filesize
1KB
MD5
ce9ae4a8f766920fdf288499bb16211c
SHA1
625d89fe8d03755bf941a21e71e4944d0a2e45b9
SHA256
f3358e4453dc9084230cacacc73299bdbfefc10f6867cd82be14f52730917c0e
SHA512
c6eb7646c13a1a27bad7c83399e0c716c03e6a41993cddf6e49b9a636d424810dba349333826eccc548352d5f2d2a7d020155da6ced40e0a46f4203d070dcb98
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32ww.msi.16.x-none.xml
Filesize
331KB
MD5
b5cf5d15a8e6c6f2eb99a5645a2c2336
SHA1
7efe1b634ce1253a6761eb0c54f79dd42b79325f
SHA256
f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c
SHA512
83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\CiPT0000.002
Filesize
64KB
MD5
9fb48482cf535e1ce23cbfa8d0c6c078
SHA1
942e26a921b9bc03c8f78574b72a7a684bb268f9
SHA256
eb0d8cfa71bf388bf4a5c0e6df5e8054b578cbc9548c07235238188786635dff
SHA512
bdf522140adae8a297c4c17c84e20860d54ed0899b7d34497c5c06afaa335ff4f382f75f6e265b0e8fdce4a4646056e77fe47dc710c0ef74d5831012997a13b7
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\EventStore.db
Filesize
48KB
MD5
33d2376c73080475e1175bd957bd1477
SHA1
aa3b3060f5d71c4348b977df9536a664b602425c
SHA256
a3a0164bdc97019eaa36234e26a4096136e4838728fe7e1c6d7fc4d2f6f81b79
SHA512
28747342f8aac2a3467261af0bf10d58c7866d9812f9a139d0411c5fe7317ddd30a25fdb6db0a14f90b3cfd14ef46d209f9d7bc0ffaf2ca09514fe1af3c87756
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
Filesize
17KB
MD5
88edd5a41ab82f584c96038657f61fa0
SHA1
7196dd2233a620172932cbe75afc1eae004de540
SHA256
fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5
SHA512
d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013BackupWin64.xml
Filesize
12KB
MD5
d24bea7d3b999f28e375d1d061a03d97
SHA1
95b207708762aa4752c77728128cbe3033646204
SHA256
57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2
SHA512
3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOutlook2013CAWin32.xml
Filesize
1KB
MD5
42acdf1f7faad8e138134083a57424bd
SHA1
f6b05b2eba7723ed2b61c698377053b05ee8eeb5
SHA256
91bcc8d78d76422bf8a162c10d96ce91435470d8601290ddcbe3216c3bb7009c
SHA512
ca976b96bb036d2a72a61f5d0da83de6e4deb694353ca57e3016124db4a041c3ba7391bb1f508e3fa010b0f412df2b71b3acbaa5ad99c189beace9fcc5193abb
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft_Office_Office Feature Updates Logon.xml
Filesize
3KB
MD5
9663230fbff7b7ea27acf7cb5b2eb224
SHA1
c9061dc5a74944235155461a761456af38ec7de5
SHA256
189d7c143926ab4402258ecf47d9b4a6a2b55aa7564b853ddd81bbfcd2113bdb
SHA512
b96f74946a99d9cca64f7727dd0664fafd16a6a1242af773b36c5f531c071dbf1b91ff873962be2cd160bdcc128b3aaa5715a38f997e5cfa1b78863ab146493d
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SystemIndex.1.Crwl
Filesize
1KB
MD5
a6c1043c3fa0c52648d52c2f7fc68d20
SHA1
1dcb91d73fe567eb3ddfb0c821e4d208f0d8a587
SHA256
5b378e85a5fff9ab2c62747a0ec157b16200ed1ffcafe6d09072e2823569da1c
SHA512
a4fd2d2f8d59b52dd684d7e289d0a4042808335a4b663ba107e0394df93484d14e61abfd5b177ba45df4c9fff98c2717748fdc0e98ad450d6316e0c890f7a2ea
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB
MD5
61e7df4ab76b9c117e0297369880bae6
SHA1
eb90ed18180ab275f5b0f42ed8e7206143de4acb
SHA256
bba1992012d2f704575247e6ea2dbb0fb379fe72e08ebe14493d0d68d424dcb3
SHA512
972d034faa541ccb0aaa17baed460b3962f79af95d7212fd5ee834ad72668669c810e60c9943bdfe76f57766d8058f7c9a09538b88d7af922e6d90368fe41295
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edb.jcp
Filesize
8KB
MD5
47f72135861cdde114ff79287e6006b6
SHA1
22b81b4310df90e5e32f1016bb574f49d21da132
SHA256
5c181fcf614064eb54823e6e4c43eee7412e6bd3d7901b4f816c39be45dcd12e
SHA512
d900e3d9e9f0cfdc47a5ba534642938e96d666f1f5cbb93ec20e3f7a2ec96780fc919566bc61501d2c665212b7118d264342d124e6665e98b09ddccc733983e1
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edbres00002.jrs
Filesize
64KB
MD5
fcd6bcb56c1689fcef28b57c22475bad
SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\stream.x64.en-us.man.dat
Filesize
622KB
MD5
18b7413b8d54bceff3c29565622d6e63
SHA1
cbf2e4bf2c3f65035d4060a9dcaefdc710f4e04e
SHA256
d21c0fb073320a1a17e0c9a7dc5a0346af74b6e002be4ae1a626e6f3ec0efa85
SHA512
ef0e765d41ce07b17289cbae6afe3ec90b53fc0b5f3491113988d443c00fe0dd189cd74013d3c9b36b56375958d5730afb257b99e5612cee4b3e106a1c45fd3c
-
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json
Filesize
121B
MD5
656d587b76da4f43efb839ef9a83026e
SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c
SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d
SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7
-
C:\Users\Admin\AppData\Local\Temp\51AA.exe
Filesize
1.1MB
MD5
17f4caa00baa4a343b7037f575363737
SHA1
af29ee05e88a3967d639b4c0e5e1ddabf32d555a
SHA256
6bdc0c711117eb2484229026a82977f4a3d48e7a5ec167f3486aea5f50512462
SHA512
11b0f2d11bc1f65071f0f5e2a61c01cbea448d7077764ea10ce320be98652428f1418bc3a427897dfb80e82596077cee7fa561d59a4736a1d15b0978ef9087ed
-
C:\Users\Admin\AppData\Local\Temp\6717.exe
Filesize
276KB
MD5
ec5a9982316bd834d0b86f26e1c7b8f0
SHA1
3e21f03d7f7b156c637bfa215074938cc5721390
SHA256
74bb3105998c9b5ebced3ff42889fce1c437d37f76da8ba1980762e6d88f0186
SHA512
dd19a7e65888aa58af67300ca52d86d8adfb0876733f222f3b98d20d282225896f0499ea14e2966e08ac9d0963619627dcd3e0872d954c8bb70c3ad3420664ef
-
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB
MD5
e06fb66bfbe1444cc091f0297b8d32db
SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af
SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d
SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95
-
\??\c:\program files (x86)\windowspowershell\modules\trackedsend..dll
Filesize
774KB
MD5
2b567c62a7308e4f45a6ccad5837ea60
SHA1
c8a2b333f93bf9118c2743c8db104ee2ff05e224
SHA256
b472e3d0c5f32d0dc28fd7ea9a08e0fab4de4a92cea6d5b2aaf0b9f028726bed
SHA512
4468e9bbd86fa2360ae1dfba9520652357d5f3ae720d229395dfe2634be8c22e35fde03285b7937d7c578e1420d33ebb517b4a8c0d235b4801593d00a30997cc