lumma | 21f9dd30abf432f1b4f255159d5a1931041c932e6765ac3857c3a51ecad23804

Analysis

max time kernel
115s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe
Size

209KB
MD5

7ed3fbe353dd839ffdec24d0b1abdcf4
SHA1

415e5a993e2b166ca21d93a00dfc6878fa003fc6
SHA256

6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089
SHA512

62b5db023f79cf284f15beddaad88923be5eae5502040c477e6fe6c4ad233b63459f977d77939f65da55c0b21b1946c44467191b3f2977fd34ae4fe4a20c95bb
SSDEEP

3072:a0CXmGkUsi+9Fd54S8W63HnJIMF3UuSdPgti:a0Cexi+LqHJPF3Uu+g

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4856-133-0x0000000002D50000-0x0000000002D59000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
49	1112	rundll32.exe
54	1112	rundll32.exe
65	1112	rundll32.exe
69	1112	rundll32.exe
74	1112	rundll32.exe
86	1112	rundll32.exe
94	1112	rundll32.exe
104	1112	rundll32.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

DF0A.exe636.exe

pid process

4132 DF0A.exe
3576 636.exe

pid	process
4132	DF0A.exe
3576	636.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Accessibility\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Accessibility.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Accessibility\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1112 rundll32.exe
3864 svchost.exe
4516 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1112	rundll32.exe
3864	svchost.exe
4516	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1112 set thread context of 4064	1112	rundll32.exe	rundll32.exe
PID 1112 set thread context of 4300	1112	rundll32.exe	rundll32.exe
PID 1112 set thread context of 4572	1112	rundll32.exe	rundll32.exe

Drops file in Program Files directory 13 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Close.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Eula.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Accessibility.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Accessibility.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2668 4132 WerFault.exe DF0A.exe
3688 3576 WerFault.exe 636.exe

pid	pid_target	process	target process
2668	4132	WerFault.exe	DF0A.exe
3688	3576	WerFault.exe	636.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 39 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056da62100054656d7000003a0009000400efbe0c5519993056dd622e00000000000000000000000000000000000000000000000000560f8000540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

780

pid	process
780

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe

pid	process
4856	6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe
4856	6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780
780

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

780
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe

pid process

4856 6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe

pid	process
780

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeDebugPrivilege	1112	rundll32.exe
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780
Token: SeShutdownPrivilege	780
Token: SeCreatePagefilePrivilege	780

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4064 rundll32.exe
780
780
780
780
1112 rundll32.exe
780
780
780
780
4300 rundll32.exe
1112 rundll32.exe
4572 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

780
780

pid	process
4064	rundll32.exe
780
780
780
780
1112	rundll32.exe
780
780
780
780
4300	rundll32.exe
1112	rundll32.exe
4572	rundll32.exe

pid	process
780
780

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

DF0A.exesvchost.exerundll32.exe

description	pid	process	target process
PID 780 wrote to memory of 4132	780		DF0A.exe
PID 780 wrote to memory of 4132	780		DF0A.exe
PID 780 wrote to memory of 4132	780		DF0A.exe
PID 4132 wrote to memory of 1112	4132	DF0A.exe	rundll32.exe
PID 4132 wrote to memory of 1112	4132	DF0A.exe	rundll32.exe
PID 4132 wrote to memory of 1112	4132	DF0A.exe	rundll32.exe
PID 3864 wrote to memory of 4516	3864	svchost.exe	rundll32.exe
PID 3864 wrote to memory of 4516	3864	svchost.exe	rundll32.exe
PID 3864 wrote to memory of 4516	3864	svchost.exe	rundll32.exe
PID 1112 wrote to memory of 4064	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 4064	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 4064	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 1060	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 1060	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 1060	1112	rundll32.exe	schtasks.exe
PID 780 wrote to memory of 3576	780		636.exe
PID 780 wrote to memory of 3576	780		636.exe
PID 780 wrote to memory of 3576	780		636.exe
PID 1112 wrote to memory of 3552	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 3552	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 3552	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 4300	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 4300	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 4300	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 1480	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 1480	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 1480	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 4572	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 4572	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 4572	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 112	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 112	1112	rundll32.exe	schtasks.exe
PID 1112 wrote to memory of 112	1112	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe
"C:\Users\Admin\AppData\Local\Temp\6d3075ce0ca67b14fe556455ccec4815eed14ede3e39bcba434f8c6b3a5b2089.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4856

C:\Users\Admin\AppData\Local\Temp\DF0A.exe
C:\Users\Admin\AppData\Local\Temp\DF0A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1112

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4064

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1060

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3552

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1480

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
- Suspicious use of FindShellTrayWindow
PID:4572

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:112

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1068

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:3204

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2340

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:3624

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4428

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:3556

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4084

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4196

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:432

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3208

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:4388

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4232

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18671
3⤵
PID:3576

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4132

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 536
2⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4132 -ip 4132
1⤵
PID:316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\accessibility.dll",TBg0RENVNg==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4516

C:\Users\Admin\AppData\Local\Temp\636.exe
C:\Users\Admin\AppData\Local\Temp\636.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1336
2⤵
- Program crash
PID:3688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3576 -ip 3576
1⤵
PID:3768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Accessibility.dll
Filesize
774KB

MD5
95edd103516254236a4bcec97c06fc51

SHA1
5eb27ec7d6bf0a159e2f2c495ce253183a822066

SHA256
e8e6d4bd32f1c55837e1b8b2d90776756efb939f07ed7bef259cdf3e60b86eb3

SHA512
98898cf9cfb8670e3a3642c122b3db419ca01dff1b71cd035ab973cfdff968d9ce85f6e92c822fb613fd4a4ffcb4a3bf558ac973580928c52c544572e6f06f53

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Accessibility.dll
Filesize
774KB

MD5
95edd103516254236a4bcec97c06fc51

SHA1
5eb27ec7d6bf0a159e2f2c495ce253183a822066

SHA256
e8e6d4bd32f1c55837e1b8b2d90776756efb939f07ed7bef259cdf3e60b86eb3

SHA512
98898cf9cfb8670e3a3642c122b3db419ca01dff1b71cd035ab973cfdff968d9ce85f6e92c822fb613fd4a4ffcb4a3bf558ac973580928c52c544572e6f06f53

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
913B

MD5
1600f66ce0d9c342eb6a49155a2f8c14

SHA1
e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07

SHA256
8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27

SHA512
ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
827B

MD5
cf7d0dd53bde6261338a343a4a92c3f5

SHA1
f5326546a46c8a7d2400d743fca320a166331757

SHA256
df0af4b8242dcab107aab8d00add27b9797c00002669ff953667869abb6c77c6

SHA512
9cf52da12c7e703fefff7a5295b7475d95a568d050b210a7b53470dad257793257a4242c89fb00fa22c7319c8be96144b193ec1e51c4d3a751af6765a6935148

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
855B

MD5
7ec956334fec33862a86ae1d3db724f5

SHA1
009ef40b310d0068ec42c3ec85a424a147e9e712

SHA256
c861b14bdbc003a3029af12487b4b01b9e3ece914afc6029b4cf59eb3156e3d7

SHA512
ba478d4138c56b6a5e89a0daa58234a2c872e39684c946711b0fc972e63a91ab97bbb5e8300e03094e8fc243f8bf39e1931162bf95762142998428faf69c2af9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
eb22fa9581acf1599a4084ba8a5a2062

SHA1
253eebbae038cf53a7bf1d7117c77472a4b1b173

SHA256
944f3583b2719f0ec899503b5871d683b9653e06b9117c41db9a3443144321bb

SHA512
ff6e36538f53b7b4b71618f6b656f249d6fb876cf056c18375fc89f19bb0b9a662679bbef40227a68431fa533b8bbb6b3f4dbdcd1c7a3b73c6d3c3207c77cc37

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\resource.xml
Filesize
1KB

MD5
9e3d2d6830eba41e31e8558da30ddccd

SHA1
f5fbe0dfef87a30a9898cd6e1e7691c7dd9a9b99

SHA256
50ce5d2f9497955246143e7bb7d7584f221c15574a910c7cc11af87537711d25

SHA512
d1f3774e8c2bdfb6acbb8b9429f59fce5048b5adc4ddc7ecacf7bf52862715db35aee04884a24a8e329e8d10aa5fd06cac5360aad9dd296582453fadadf4d7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\636.exe
Filesize
251KB

MD5
fe7dd689396bf62715c45735c2761eca

SHA1
2d7e535ddafa3eb554f87314c8a3634d819dc778

SHA256
fec1f657f269aa04c8cac90b500c8a2c95faef8db1e20b504617f7dccad5eb1b

SHA512
4cd59f82e826efe24c19a8f1d009ac021ad8f2b75006a1babb22141bcd5f76cdec0960680868e11604ee5a896c2494cbcde72349901916888f4d09cf68ccac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\636.exe
Filesize
251KB

MD5
fe7dd689396bf62715c45735c2761eca

SHA1
2d7e535ddafa3eb554f87314c8a3634d819dc778

SHA256
fec1f657f269aa04c8cac90b500c8a2c95faef8db1e20b504617f7dccad5eb1b

SHA512
4cd59f82e826efe24c19a8f1d009ac021ad8f2b75006a1babb22141bcd5f76cdec0960680868e11604ee5a896c2494cbcde72349901916888f4d09cf68ccac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF0A.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF0A.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\accessibility.dll
Filesize
774KB

MD5
95edd103516254236a4bcec97c06fc51

SHA1
5eb27ec7d6bf0a159e2f2c495ce253183a822066

SHA256
e8e6d4bd32f1c55837e1b8b2d90776756efb939f07ed7bef259cdf3e60b86eb3

SHA512
98898cf9cfb8670e3a3642c122b3db419ca01dff1b71cd035ab973cfdff968d9ce85f6e92c822fb613fd4a4ffcb4a3bf558ac973580928c52c544572e6f06f53

Download Submit
memory/112-198-0x0000000000000000-mapping.dmp

Download
memory/432-243-0x00000164F7140000-0x00000164F73F5000-memory.dmp

Filesize
2.7MB

Download
memory/432-242-0x00000164F8BA0000-0x00000164F8CE0000-memory.dmp

Filesize
1.2MB

Download
memory/432-241-0x00000164F8BA0000-0x00000164F8CE0000-memory.dmp

Filesize
1.2MB

Download
memory/432-240-0x00007FF66EEB6890-mapping.dmp

Download
memory/432-245-0x00000164F7140000-0x00000164F73F5000-memory.dmp

Filesize
2.7MB

Download
memory/824-214-0x0000000000000000-mapping.dmp

Download
memory/1060-171-0x0000000000000000-mapping.dmp

Download
memory/1068-203-0x0000000000000000-mapping.dmp

Download
memory/1112-239-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-218-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-247-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-151-0x0000000005730000-0x0000000006285000-memory.dmp

Filesize
11.3MB

Download
memory/1112-147-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-146-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-161-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-163-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-164-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-165-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-145-0x0000000005730000-0x0000000006285000-memory.dmp

Filesize
11.3MB

Download
memory/1112-248-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-249-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-207-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-238-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-250-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-237-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-236-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-139-0x0000000000000000-mapping.dmp

Download
memory/1112-257-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-206-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-177-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-178-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-179-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-180-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-205-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-204-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-260-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-259-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-215-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-258-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-228-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-227-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-226-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-225-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-191-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-192-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-193-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-194-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-217-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1112-216-0x0000000004E10000-0x0000000004F50000-memory.dmp

Filesize
1.2MB

Download
memory/1480-186-0x0000000000000000-mapping.dmp

Download
memory/2340-212-0x0000000000000000-mapping.dmp

Download
memory/3204-210-0x0000014517EE0000-0x0000014518020000-memory.dmp

Filesize
1.2MB

Download
memory/3204-213-0x0000014516480000-0x0000014516735000-memory.dmp

Filesize
2.7MB

Download
memory/3204-209-0x0000014517EE0000-0x0000014518020000-memory.dmp

Filesize
1.2MB

Download
memory/3204-208-0x00007FF66EEB6890-mapping.dmp

Download
memory/3204-211-0x0000014516480000-0x0000014516735000-memory.dmp

Filesize
2.7MB

Download
memory/3208-246-0x0000000000000000-mapping.dmp

Download
memory/3552-176-0x0000000000000000-mapping.dmp

Download
memory/3556-230-0x000001FD04580000-0x000001FD046C0000-memory.dmp

Filesize
1.2MB

Download
memory/3556-234-0x000001FD02B20000-0x000001FD02DD5000-memory.dmp

Filesize
2.7MB

Download
memory/3556-232-0x000001FD02B20000-0x000001FD02DD5000-memory.dmp

Filesize
2.7MB

Download
memory/3556-231-0x000001FD04580000-0x000001FD046C0000-memory.dmp

Filesize
1.2MB

Download
memory/3556-229-0x00007FF66EEB6890-mapping.dmp

Download
memory/3576-201-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3576-189-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/3576-267-0x000002420D3D0000-0x000002420D685000-memory.dmp

Filesize
2.7MB

Download
memory/3576-200-0x000000000052D000-0x0000000000547000-memory.dmp

Filesize
104KB

Download
memory/3576-265-0x000002420D3D0000-0x000002420D685000-memory.dmp

Filesize
2.7MB

Download
memory/3576-263-0x000002420EE30000-0x000002420EF70000-memory.dmp

Filesize
1.2MB

Download
memory/3576-262-0x000002420EE30000-0x000002420EF70000-memory.dmp

Filesize
1.2MB

Download
memory/3576-261-0x00007FF66EEB6890-mapping.dmp

Download
memory/3576-173-0x0000000000000000-mapping.dmp

Download
memory/3576-188-0x000000000052D000-0x0000000000547000-memory.dmp

Filesize
104KB

Download
memory/3576-190-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3624-221-0x000001DD28520000-0x000001DD28660000-memory.dmp

Filesize
1.2MB

Download
memory/3624-224-0x000001DD26AC0000-0x000001DD26D75000-memory.dmp

Filesize
2.7MB

Download
memory/3624-222-0x000001DD26AC0000-0x000001DD26D75000-memory.dmp

Filesize
2.7MB

Download
memory/3624-220-0x000001DD28520000-0x000001DD28660000-memory.dmp

Filesize
1.2MB

Download
memory/3624-219-0x00007FF66EEB6890-mapping.dmp

Download
memory/3864-152-0x0000000004100000-0x0000000004C55000-memory.dmp

Filesize
11.3MB

Download
memory/3864-184-0x0000000004100000-0x0000000004C55000-memory.dmp

Filesize
11.3MB

Download
memory/3864-159-0x0000000004100000-0x0000000004C55000-memory.dmp

Filesize
11.3MB

Download
memory/4064-168-0x0000022445420000-0x0000022445560000-memory.dmp

Filesize
1.2MB

Download
memory/4064-172-0x00000224439C0000-0x0000022443C75000-memory.dmp

Filesize
2.7MB

Download
memory/4064-166-0x00007FF66EEB6890-mapping.dmp

Download
memory/4064-167-0x0000022445420000-0x0000022445560000-memory.dmp

Filesize
1.2MB

Download
memory/4064-169-0x0000000000700000-0x00000000009A4000-memory.dmp

Filesize
2.6MB

Download
memory/4064-170-0x00000224439C0000-0x0000022443C75000-memory.dmp

Filesize
2.7MB

Download
memory/4084-233-0x0000000000000000-mapping.dmp

Download
memory/4132-143-0x0000000002300000-0x000000000242E000-memory.dmp

Filesize
1.2MB

Download
memory/4132-142-0x0000000002216000-0x00000000022FF000-memory.dmp

Filesize
932KB

Download
memory/4132-264-0x0000000000000000-mapping.dmp

Download
memory/4132-136-0x0000000000000000-mapping.dmp

Download
memory/4132-144-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4196-235-0x0000000000000000-mapping.dmp

Download
memory/4232-255-0x0000000000000000-mapping.dmp

Download
memory/4300-187-0x0000018FE5800000-0x0000018FE5AB5000-memory.dmp

Filesize
2.7MB

Download
memory/4300-183-0x0000018FE70D0000-0x0000018FE7210000-memory.dmp

Filesize
1.2MB

Download
memory/4300-182-0x0000018FE70D0000-0x0000018FE7210000-memory.dmp

Filesize
1.2MB

Download
memory/4300-181-0x00007FF66EEB6890-mapping.dmp

Download
memory/4300-185-0x0000018FE5800000-0x0000018FE5AB5000-memory.dmp

Filesize
2.7MB

Download
memory/4388-253-0x0000026551990000-0x0000026551C45000-memory.dmp

Filesize
2.7MB

Download
memory/4388-251-0x00007FF66EEB6890-mapping.dmp

Download
memory/4388-252-0x00000265533F0000-0x0000026553530000-memory.dmp

Filesize
1.2MB

Download
memory/4388-254-0x00000265533F0000-0x0000026553530000-memory.dmp

Filesize
1.2MB

Download
memory/4388-256-0x0000026551990000-0x0000026551C45000-memory.dmp

Filesize
2.7MB

Download
memory/4408-266-0x0000000000000000-mapping.dmp

Download
memory/4428-223-0x0000000000000000-mapping.dmp

Download
memory/4516-162-0x0000000004670000-0x00000000051C5000-memory.dmp

Filesize
11.3MB

Download
memory/4516-160-0x0000000004670000-0x00000000051C5000-memory.dmp

Filesize
11.3MB

Download
memory/4516-157-0x0000000000000000-mapping.dmp

Download
memory/4572-202-0x000001CB5EE80000-0x000001CB5F135000-memory.dmp

Filesize
2.7MB

Download
memory/4572-195-0x00007FF66EEB6890-mapping.dmp

Download
memory/4572-196-0x000001CB608E0000-0x000001CB60A20000-memory.dmp

Filesize
1.2MB

Download
memory/4572-197-0x000001CB608E0000-0x000001CB60A20000-memory.dmp

Filesize
1.2MB

Download
memory/4572-199-0x000001CB5EE80000-0x000001CB5F135000-memory.dmp

Filesize
2.7MB

Download
memory/4856-133-0x0000000002D50000-0x0000000002D59000-memory.dmp

Filesize
36KB

Download
memory/4856-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4856-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4856-132-0x0000000002BE8000-0x0000000002BF8000-memory.dmp

Filesize
64KB

Download