lumma | 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb

Analysis

max time kernel
84s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

258KB
MD5

9edbea943982f7a94e9fbbeaad334299
SHA1

e671870f03ba365635b07b27f508c96c66de3bc4
SHA256

7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb
SHA512

3314db9ebdc307e8c5a987d1b2e619ed404a4d59f1e7ffdc97b64c51616782fd3e14b9f74d1154ffd244d6b2c50d1d225a4b0d7be3e998eb4a3bbfd4ef13c687
SSDEEP

6144:77PXfWLqmrvtrVxmhIsLkliDTrrj9U4zqQna:77P+2m7tfmqqkliDTrrxFP

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-134-0x0000000002180000-0x0000000002189000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

51 2996 rundll32.exe
52 2996 rundll32.exe
59 2996 rundll32.exe
68 2996 rundll32.exe
70 2996 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

51AA.exe6717.exe

pid process

4384 51AA.exe
3104 6717.exe

flow	pid	process
51	2996	rundll32.exe
52	2996	rundll32.exe
59	2996	rundll32.exe
68	2996	rundll32.exe
70	2996	rundll32.exe

pid	process
4384	51AA.exe
3104	6717.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TrackedSend.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\TrackedSend..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TrackedSend.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2996 rundll32.exe
4692 svchost.exe
4192 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2996	rundll32.exe
4692	svchost.exe
4192	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2996 set thread context of 4972	2996	rundll32.exe	rundll32.exe
PID 2996 set thread context of 1344	2996	rundll32.exe	rundll32.exe

Drops file in Program Files directory 33 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\init.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\submission_history.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\COPYING.LGPLv2.1.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend..dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ExtendScript.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Updater.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\StandardBusiness.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3996 4384 WerFault.exe 51AA.exe
3692 3104 WerFault.exe 6717.exe

pid	pid_target	process	target process
3996	4384	WerFault.exe	51AA.exe
3692	3104	WerFault.exe	6717.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 39 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000030566438100054656d7000003a0009000400efbe21550a58305665382e0000000000000000000000000000000000000000000000000099584d00540065006d007000000014000000
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2640

pid	process
2640

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4976	file.exe
4976	file.exe
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2640
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

4976 file.exe

pid	process
2640

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeDebugPrivilege	2996	rundll32.exe
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4972 rundll32.exe
2640
2640
2640
2640
2640
2640
2640
2640
2996 rundll32.exe
1344 rundll32.exe
2996 rundll32.exe
2996 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2640
2640

pid	process
4972	rundll32.exe
2640
2640
2640
2640
2640
2640
2640
2640
2996	rundll32.exe
1344	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe

pid	process
2640
2640

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

51AA.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2640 wrote to memory of 4384	2640		51AA.exe
PID 2640 wrote to memory of 4384	2640		51AA.exe
PID 2640 wrote to memory of 4384	2640		51AA.exe
PID 2640 wrote to memory of 3104	2640		6717.exe
PID 2640 wrote to memory of 3104	2640		6717.exe
PID 2640 wrote to memory of 3104	2640		6717.exe
PID 4384 wrote to memory of 2996	4384	51AA.exe	rundll32.exe
PID 4384 wrote to memory of 2996	4384	51AA.exe	rundll32.exe
PID 4384 wrote to memory of 2996	4384	51AA.exe	rundll32.exe
PID 2996 wrote to memory of 4972	2996	rundll32.exe	rundll32.exe
PID 2996 wrote to memory of 4972	2996	rundll32.exe	rundll32.exe
PID 2996 wrote to memory of 4972	2996	rundll32.exe	rundll32.exe
PID 4692 wrote to memory of 4192	4692	svchost.exe	rundll32.exe
PID 4692 wrote to memory of 4192	4692	svchost.exe	rundll32.exe
PID 4692 wrote to memory of 4192	4692	svchost.exe	rundll32.exe
PID 2996 wrote to memory of 4288	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4288	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4288	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 3664	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 3664	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 3664	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 1344	2996	rundll32.exe	rundll32.exe
PID 2996 wrote to memory of 1344	2996	rundll32.exe	rundll32.exe
PID 2996 wrote to memory of 1344	2996	rundll32.exe	rundll32.exe
PID 2996 wrote to memory of 4064	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4064	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4064	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4128	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4128	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4128	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4708	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4708	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 4708	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 1360	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 1360	2996	rundll32.exe	schtasks.exe
PID 2996 wrote to memory of 1360	2996	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4976

C:\Users\Admin\AppData\Local\Temp\51AA.exe
C:\Users\Admin\AppData\Local\Temp\51AA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2996

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4288

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3664

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1344

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4064

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4128

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4708

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1036

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3828

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4848

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:424

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2688

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2704

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4836

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3216

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4976

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3936

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3980

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4888

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1880

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1232

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3828

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 532
2⤵
- Program crash
PID:3996

C:\Users\Admin\AppData\Local\Temp\6717.exe
C:\Users\Admin\AppData\Local\Temp\6717.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1352
2⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4384 -ip 4384
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3104 -ip 3104
1⤵
PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\trackedsend..dll",gU4zM0Iz
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend..dll
Filesize
774KB

MD5
2b567c62a7308e4f45a6ccad5837ea60

SHA1
c8a2b333f93bf9118c2743c8db104ee2ff05e224

SHA256
b472e3d0c5f32d0dc28fd7ea9a08e0fab4de4a92cea6d5b2aaf0b9f028726bed

SHA512
4468e9bbd86fa2360ae1dfba9520652357d5f3ae720d229395dfe2634be8c22e35fde03285b7937d7c578e1420d33ebb517b4a8c0d235b4801593d00a30997cc

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend..dll
Filesize
774KB

MD5
2b567c62a7308e4f45a6ccad5837ea60

SHA1
c8a2b333f93bf9118c2743c8db104ee2ff05e224

SHA256
b472e3d0c5f32d0dc28fd7ea9a08e0fab4de4a92cea6d5b2aaf0b9f028726bed

SHA512
4468e9bbd86fa2360ae1dfba9520652357d5f3ae720d229395dfe2634be8c22e35fde03285b7937d7c578e1420d33ebb517b4a8c0d235b4801593d00a30997cc

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\6f0ee53c300e9acf16f91c5a0f78ea21_4cfb5922-b036-4c14-9ed1-03c0dad19fbd
Filesize
1KB

MD5
ce9ae4a8f766920fdf288499bb16211c

SHA1
625d89fe8d03755bf941a21e71e4944d0a2e45b9

SHA256
f3358e4453dc9084230cacacc73299bdbfefc10f6867cd82be14f52730917c0e

SHA512
c6eb7646c13a1a27bad7c83399e0c716c03e6a41993cddf6e49b9a636d424810dba349333826eccc548352d5f2d2a7d020155da6ced40e0a46f4203d070dcb98

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32ww.msi.16.x-none.xml
Filesize
331KB

MD5
b5cf5d15a8e6c6f2eb99a5645a2c2336

SHA1
7efe1b634ce1253a6761eb0c54f79dd42b79325f

SHA256
f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c

SHA512
83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\CiPT0000.002
Filesize
64KB

MD5
9fb48482cf535e1ce23cbfa8d0c6c078

SHA1
942e26a921b9bc03c8f78574b72a7a684bb268f9

SHA256
eb0d8cfa71bf388bf4a5c0e6df5e8054b578cbc9548c07235238188786635dff

SHA512
bdf522140adae8a297c4c17c84e20860d54ed0899b7d34497c5c06afaa335ff4f382f75f6e265b0e8fdce4a4646056e77fe47dc710c0ef74d5831012997a13b7

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\EventStore.db
Filesize
48KB

MD5
33d2376c73080475e1175bd957bd1477

SHA1
aa3b3060f5d71c4348b977df9536a664b602425c

SHA256
a3a0164bdc97019eaa36234e26a4096136e4838728fe7e1c6d7fc4d2f6f81b79

SHA512
28747342f8aac2a3467261af0bf10d58c7866d9812f9a139d0411c5fe7317ddd30a25fdb6db0a14f90b3cfd14ef46d209f9d7bc0ffaf2ca09514fe1af3c87756

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
Filesize
17KB

MD5
88edd5a41ab82f584c96038657f61fa0

SHA1
7196dd2233a620172932cbe75afc1eae004de540

SHA256
fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5

SHA512
d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013BackupWin64.xml
Filesize
12KB

MD5
d24bea7d3b999f28e375d1d061a03d97

SHA1
95b207708762aa4752c77728128cbe3033646204

SHA256
57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2

SHA512
3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOutlook2013CAWin32.xml
Filesize
1KB

MD5
42acdf1f7faad8e138134083a57424bd

SHA1
f6b05b2eba7723ed2b61c698377053b05ee8eeb5

SHA256
91bcc8d78d76422bf8a162c10d96ce91435470d8601290ddcbe3216c3bb7009c

SHA512
ca976b96bb036d2a72a61f5d0da83de6e4deb694353ca57e3016124db4a041c3ba7391bb1f508e3fa010b0f412df2b71b3acbaa5ad99c189beace9fcc5193abb

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft_Office_Office Feature Updates Logon.xml
Filesize
3KB

MD5
9663230fbff7b7ea27acf7cb5b2eb224

SHA1
c9061dc5a74944235155461a761456af38ec7de5

SHA256
189d7c143926ab4402258ecf47d9b4a6a2b55aa7564b853ddd81bbfcd2113bdb

SHA512
b96f74946a99d9cca64f7727dd0664fafd16a6a1242af773b36c5f531c071dbf1b91ff873962be2cd160bdcc128b3aaa5715a38f997e5cfa1b78863ab146493d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SystemIndex.1.Crwl
Filesize
1KB

MD5
a6c1043c3fa0c52648d52c2f7fc68d20

SHA1
1dcb91d73fe567eb3ddfb0c821e4d208f0d8a587

SHA256
5b378e85a5fff9ab2c62747a0ec157b16200ed1ffcafe6d09072e2823569da1c

SHA512
a4fd2d2f8d59b52dd684d7e289d0a4042808335a4b663ba107e0394df93484d14e61abfd5b177ba45df4c9fff98c2717748fdc0e98ad450d6316e0c890f7a2ea

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
61e7df4ab76b9c117e0297369880bae6

SHA1
eb90ed18180ab275f5b0f42ed8e7206143de4acb

SHA256
bba1992012d2f704575247e6ea2dbb0fb379fe72e08ebe14493d0d68d424dcb3

SHA512
972d034faa541ccb0aaa17baed460b3962f79af95d7212fd5ee834ad72668669c810e60c9943bdfe76f57766d8058f7c9a09538b88d7af922e6d90368fe41295

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edb.jcp
Filesize
8KB

MD5
47f72135861cdde114ff79287e6006b6

SHA1
22b81b4310df90e5e32f1016bb574f49d21da132

SHA256
5c181fcf614064eb54823e6e4c43eee7412e6bd3d7901b4f816c39be45dcd12e

SHA512
d900e3d9e9f0cfdc47a5ba534642938e96d666f1f5cbb93ec20e3f7a2ec96780fc919566bc61501d2c665212b7118d264342d124e6665e98b09ddccc733983e1

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\edbres00002.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\stream.x64.en-us.man.dat
Filesize
622KB

MD5
18b7413b8d54bceff3c29565622d6e63

SHA1
cbf2e4bf2c3f65035d4060a9dcaefdc710f4e04e

SHA256
d21c0fb073320a1a17e0c9a7dc5a0346af74b6e002be4ae1a626e6f3ec0efa85

SHA512
ef0e765d41ce07b17289cbae6afe3ec90b53fc0b5f3491113988d443c00fe0dd189cd74013d3c9b36b56375958d5730afb257b99e5612cee4b3e106a1c45fd3c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json
Filesize
121B

MD5
656d587b76da4f43efb839ef9a83026e

SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c

SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d

SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\51AA.exe
Filesize
1.1MB

MD5
17f4caa00baa4a343b7037f575363737

SHA1
af29ee05e88a3967d639b4c0e5e1ddabf32d555a

SHA256
6bdc0c711117eb2484229026a82977f4a3d48e7a5ec167f3486aea5f50512462

SHA512
11b0f2d11bc1f65071f0f5e2a61c01cbea448d7077764ea10ce320be98652428f1418bc3a427897dfb80e82596077cee7fa561d59a4736a1d15b0978ef9087ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\51AA.exe
Filesize
1.1MB

MD5
17f4caa00baa4a343b7037f575363737

SHA1
af29ee05e88a3967d639b4c0e5e1ddabf32d555a

SHA256
6bdc0c711117eb2484229026a82977f4a3d48e7a5ec167f3486aea5f50512462

SHA512
11b0f2d11bc1f65071f0f5e2a61c01cbea448d7077764ea10ce320be98652428f1418bc3a427897dfb80e82596077cee7fa561d59a4736a1d15b0978ef9087ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\6717.exe
Filesize
276KB

MD5
ec5a9982316bd834d0b86f26e1c7b8f0

SHA1
3e21f03d7f7b156c637bfa215074938cc5721390

SHA256
74bb3105998c9b5ebced3ff42889fce1c437d37f76da8ba1980762e6d88f0186

SHA512
dd19a7e65888aa58af67300ca52d86d8adfb0876733f222f3b98d20d282225896f0499ea14e2966e08ac9d0963619627dcd3e0872d954c8bb70c3ad3420664ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\6717.exe
Filesize
276KB

MD5
ec5a9982316bd834d0b86f26e1c7b8f0

SHA1
3e21f03d7f7b156c637bfa215074938cc5721390

SHA256
74bb3105998c9b5ebced3ff42889fce1c437d37f76da8ba1980762e6d88f0186

SHA512
dd19a7e65888aa58af67300ca52d86d8adfb0876733f222f3b98d20d282225896f0499ea14e2966e08ac9d0963619627dcd3e0872d954c8bb70c3ad3420664ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\trackedsend..dll
Filesize
774KB

MD5
2b567c62a7308e4f45a6ccad5837ea60

SHA1
c8a2b333f93bf9118c2743c8db104ee2ff05e224

SHA256
b472e3d0c5f32d0dc28fd7ea9a08e0fab4de4a92cea6d5b2aaf0b9f028726bed

SHA512
4468e9bbd86fa2360ae1dfba9520652357d5f3ae720d229395dfe2634be8c22e35fde03285b7937d7c578e1420d33ebb517b4a8c0d235b4801593d00a30997cc

Download Submit
memory/424-209-0x0000000000000000-mapping.dmp

Download
memory/1036-205-0x0000000000000000-mapping.dmp

Download
memory/1232-224-0x0000000000000000-mapping.dmp

Download
memory/1300-220-0x0000000000000000-mapping.dmp

Download
memory/1344-197-0x000001BBF1B70000-0x000001BBF1CB0000-memory.dmp

Filesize
1.2MB

Download
memory/1344-196-0x00007FF698756890-mapping.dmp

Download
memory/1344-199-0x000001BBF0110000-0x000001BBF03C5000-memory.dmp

Filesize
2.7MB

Download
memory/1344-198-0x000001BBF1B70000-0x000001BBF1CB0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-204-0x0000000000000000-mapping.dmp

Download
memory/1572-219-0x0000000000000000-mapping.dmp

Download
memory/1880-223-0x0000000000000000-mapping.dmp

Download
memory/1960-207-0x0000000000000000-mapping.dmp

Download
memory/2344-214-0x0000000000000000-mapping.dmp

Download
memory/2688-210-0x0000000000000000-mapping.dmp

Download
memory/2704-211-0x0000000000000000-mapping.dmp

Download
memory/2996-156-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-154-0x0000000005570000-0x00000000060C5000-memory.dmp

Filesize
11.3MB

Download
memory/2996-153-0x0000000005570000-0x00000000060C5000-memory.dmp

Filesize
11.3MB

Download
memory/2996-195-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-194-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-164-0x0000000005570000-0x00000000060C5000-memory.dmp

Filesize
11.3MB

Download
memory/2996-193-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-192-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-158-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-159-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-160-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-143-0x0000000000000000-mapping.dmp

Download
memory/2996-157-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/2996-155-0x0000000006260000-0x00000000063A0000-memory.dmp

Filesize
1.2MB

Download
memory/3104-150-0x00000000006A0000-0x00000000006CA000-memory.dmp

Filesize
168KB

Download
memory/3104-151-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3104-140-0x0000000000000000-mapping.dmp

Download
memory/3104-152-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3104-149-0x000000000074D000-0x0000000000767000-memory.dmp

Filesize
104KB

Download
memory/3164-216-0x0000000000000000-mapping.dmp

Download
memory/3216-215-0x0000000000000000-mapping.dmp

Download
memory/3664-191-0x0000000000000000-mapping.dmp

Download
memory/3692-226-0x0000000000000000-mapping.dmp

Download
memory/3828-206-0x0000000000000000-mapping.dmp

Download
memory/3828-225-0x0000000000000000-mapping.dmp

Download
memory/3936-218-0x0000000000000000-mapping.dmp

Download
memory/3980-221-0x0000000000000000-mapping.dmp

Download
memory/4064-200-0x0000000000000000-mapping.dmp

Download
memory/4128-202-0x0000000000000000-mapping.dmp

Download
memory/4192-184-0x0000000000000000-mapping.dmp

Download
memory/4192-188-0x0000000004FE0000-0x0000000005B35000-memory.dmp

Filesize
11.3MB

Download
memory/4192-187-0x0000000004FE0000-0x0000000005B35000-memory.dmp

Filesize
11.3MB

Download
memory/4288-189-0x0000000000000000-mapping.dmp

Download
memory/4384-146-0x0000000002263000-0x000000000234C000-memory.dmp

Filesize
932KB

Download
memory/4384-147-0x0000000002350000-0x000000000247E000-memory.dmp

Filesize
1.2MB

Download
memory/4384-148-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4384-137-0x0000000000000000-mapping.dmp

Download
memory/4692-201-0x0000000004060000-0x0000000004BB5000-memory.dmp

Filesize
11.3MB

Download
memory/4692-170-0x0000000004060000-0x0000000004BB5000-memory.dmp

Filesize
11.3MB

Download
memory/4692-186-0x0000000004060000-0x0000000004BB5000-memory.dmp

Filesize
11.3MB

Download
memory/4708-203-0x0000000000000000-mapping.dmp

Download
memory/4836-212-0x0000000000000000-mapping.dmp

Download
memory/4848-208-0x0000000000000000-mapping.dmp

Download
memory/4888-222-0x0000000000000000-mapping.dmp

Download
memory/4948-213-0x0000000000000000-mapping.dmp

Download
memory/4972-161-0x00007FF698756890-mapping.dmp

Download
memory/4972-169-0x00000000003F0000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/4972-162-0x00000257CF690000-0x00000257CF7D0000-memory.dmp

Filesize
1.2MB

Download
memory/4972-190-0x00000257CF810000-0x00000257CFAC5000-memory.dmp

Filesize
2.7MB

Download
memory/4972-165-0x00000257CF810000-0x00000257CFAC5000-memory.dmp

Filesize
2.7MB

Download
memory/4972-163-0x00000257CF690000-0x00000257CF7D0000-memory.dmp

Filesize
1.2MB

Download
memory/4976-133-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/4976-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4976-134-0x0000000002180000-0x0000000002189000-memory.dmp

Filesize
36KB

Download
memory/4976-136-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4976-217-0x0000000000000000-mapping.dmp

Download