27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2

Analysis

max time kernel
84s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe
Size

4.8MB
MD5

6d7cf4d53df7fe8d601362305e67b2a3
SHA1

54868a950d0d9aa5ebfd615e476608b69f3562f4
SHA256

27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2
SHA512

4658a9a986f440ee64527d45c09e39509418f2243608e04135e0a7a3a5bf205017cf30fe2a28415ad46d48cffb46cee4693882aa70f41680cf2f4280dc42eb1f
SSDEEP

98304:KDbq/2B/zpkCX8VXWFNcwZlP8YEA0h0lZCr7IcOyXw5yVnRVMNKGf8J:yNBpcVoZBDEA0hYCrUDUuKG

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

17 5052 rundll32.exe
40 5052 rundll32.exe
76 5052 rundll32.exe
95 5052 rundll32.exe

flow	pid	process
17	5052	rundll32.exe
40	5052	rundll32.exe
76	5052	rundll32.exe
95	5052	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Search\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\Search.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Search\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exesvchost.exe

pid process

5052 rundll32.exe
5052 rundll32.exe
4244 svchost.exe
4244 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5052 set thread context of 1708	5052	rundll32.exe	rundll32.exe
PID 5052 set thread context of 2052	5052	rundll32.exe	rundll32.exe

Drops file in Program Files directory 45 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bl.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Search.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\icucnv40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Words.pdf	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\forms_distributed.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cryptocme.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ended_review_or_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Comments.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\end_review.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\review_email.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\forms_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\license.html	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\rename.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\weblink.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\arh.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AXSLE.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\main-cef-mac.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1656	4896	WerFault.exe	27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe
2204	4244	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 14 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rundll32.exe

pid	process
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 5052 rundll32.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1708 rundll32.exe
5052 rundll32.exe
2052 rundll32.exe
5052 rundll32.exe
5052 rundll32.exe
5052 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	5052	rundll32.exe

pid	process
1708	rundll32.exe
5052	rundll32.exe
2052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exerundll32.exe

description	pid	process	target process
PID 4896 wrote to memory of 5052	4896	27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe	rundll32.exe
PID 4896 wrote to memory of 5052	4896	27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe	rundll32.exe
PID 4896 wrote to memory of 5052	4896	27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe	rundll32.exe
PID 5052 wrote to memory of 1708	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 1708	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 1708	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 3500	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 3500	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 3500	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4332	5052	rundll32.exe	Conhost.exe
PID 5052 wrote to memory of 4332	5052	rundll32.exe	Conhost.exe
PID 5052 wrote to memory of 4332	5052	rundll32.exe	Conhost.exe
PID 5052 wrote to memory of 2052	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 2052	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 2052	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 2648	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 2648	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 2648	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 2140	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 2140	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 2140	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4344	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4344	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4344	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 404	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 404	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 404	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4736	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4736	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4736	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4988	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4988	5052	rundll32.exe	schtasks.exe
PID 5052 wrote to memory of 4988	5052	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe
"C:\Users\Admin\AppData\Local\Temp\27c9af66abec4f162bc79ab37e5c913f23265b5c8af15c6670cf8ef3fdac6bb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5052

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3500

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4332

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2052

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2648

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4332

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:404

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4736

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4988

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4968

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4584

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3288

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2800

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1444

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2696

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2856

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4780

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4832

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3468

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5076

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4876

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 512
2⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4896 -ip 4896
1⤵
PID:4408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 940
2⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4244 -ip 4244
1⤵
PID:2140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Search.dll
Filesize
5.3MB

MD5
258487b25bf2885ae299cdef8a2a3055

SHA1
513da32eaf287fc2d653da9a6d54031c7f34f753

SHA256
f9182052a3d0737e758974f182efa5a1de69a8aec2dbfa7e27db93ba7c85bca4

SHA512
615f4e8c768913bd277b63a062e4d70ac4975e59773314d63a38011f0960fea40b5b8186432d1488666bedca66f494c6c99235bb90ddd2c4cc88e8d9c0fdfc7c

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Search.dll
Filesize
5.3MB

MD5
258487b25bf2885ae299cdef8a2a3055

SHA1
513da32eaf287fc2d653da9a6d54031c7f34f753

SHA256
f9182052a3d0737e758974f182efa5a1de69a8aec2dbfa7e27db93ba7c85bca4

SHA512
615f4e8c768913bd277b63a062e4d70ac4975e59773314d63a38011f0960fea40b5b8186432d1488666bedca66f494c6c99235bb90ddd2c4cc88e8d9c0fdfc7c

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch
Filesize
262B

MD5
0c19329f1a0959d6e069dd77dc32e7fc

SHA1
8216c5d18000ff6c11f0b562a85d650b3e07da7c

SHA256
ca469f2580e20b3d1077355a1e0e673be724ac15ab15e859b7bc3bcf60854120

SHA512
fbbe1626c32f7b77c77fa1e0e5f0c22562d3bdc15a4290cf300625efa782c31d9ac461ea2b6552dbc42f16137bfc226d98ee2f002a353245eae6afca873e912d

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\C2RManifest.Proof.Culture.msi.16.es-es.xml
Filesize
23KB

MD5
156b3ab70b2cce134d493104d047e6fa

SHA1
9907a741812bef8c5b55d0e73c9ac5c0d973c4be

SHA256
5fba15e64d0ff7075951a8e6bf758d81d4c14fa98e6b8604d5bbc43317da8c01

SHA512
f3b2157c6aaf1b9e450872057fd5ddaad36bd30be98a48c28c0617c7a638a378dc38cbdbfb9f4b66858b32dfa3e79d577f99fd488b73b6000d1d8887640e7cbd

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
1f8001c5a3ab09524c8185d2657e471c

SHA1
2297cd6ba695d3fa72f2a70a7db95f2e241116ab

SHA256
c8c2ac11232a448dd5d78c34752f56b8f5b8e18fe79b3176fdd88759d5b703d5

SHA512
d038b9b97a96b267684ba1a7d2458ddf63d3fd3ea8c58a213b5085196da9c7001fe1dbadfc75d2364befc09c9618c133b331ed487fcb043b6a923f3951be0b37

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
13KB

MD5
c7405e2e68aec89e44862595ccc0d186

SHA1
2cc8d73f93dd875134917795633bb606911f1069

SHA256
9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37

SHA512
0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
820B

MD5
a8664f5906d9060a0a87bc01e35179bb

SHA1
1bbbc9f10431d2941805907a8a6d4009f4e2938c

SHA256
a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309

SHA512
389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Urpdpfsaas.tmp
Filesize
3.5MB

MD5
cd35e466184e88cb3795834fb35572f9

SHA1
53fab0a36760e9309f7c3f6b2d5b9a7d31e459c3

SHA256
fa7a760a69b543e6adeaf5c5f189b72200a1d4a7db58258053c7ba8aa9c9e70d

SHA512
7336fa2550ee32179052a91c72b1899912edb1237e377463bb457dcc5248b5c50ed7f685e1744d72e7c33f3816af157ab7c2224bcdfa3fa21c32cd808fddf413

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\background.png
Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\resource.xml
Filesize
1KB

MD5
66963736ebb1e54dc596701206eaed3f

SHA1
18bc8dfc779d407398af193f3d265ff93f253bc2

SHA256
fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b

SHA512
96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aytswiyaeftpe
Filesize
46KB

MD5
b13fcb3223116f6eec60be9143cae98b

SHA1
9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

SHA256
961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

SHA512
89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
2ce492ba05cf3da559b66af7d253548d

SHA1
02cb0be04cb0a7a6e61d5781c7fbd1d26adeadfc

SHA256
c33c9a667f7168e88511a06a2cbccda9f8aff9fd6c72849fefcfd1c5c033492e

SHA512
0a6af6423feaaff6bfecc0395d284b3991bd494693243abd48802a6b3ea978c55cd782939b7ed2768019c9bb8af7a12a69b75766c73846aafd9e16e11043ddd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
2ce492ba05cf3da559b66af7d253548d

SHA1
02cb0be04cb0a7a6e61d5781c7fbd1d26adeadfc

SHA256
c33c9a667f7168e88511a06a2cbccda9f8aff9fd6c72849fefcfd1c5c033492e

SHA512
0a6af6423feaaff6bfecc0395d284b3991bd494693243abd48802a6b3ea978c55cd782939b7ed2768019c9bb8af7a12a69b75766c73846aafd9e16e11043ddd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
2ce492ba05cf3da559b66af7d253548d

SHA1
02cb0be04cb0a7a6e61d5781c7fbd1d26adeadfc

SHA256
c33c9a667f7168e88511a06a2cbccda9f8aff9fd6c72849fefcfd1c5c033492e

SHA512
0a6af6423feaaff6bfecc0395d284b3991bd494693243abd48802a6b3ea978c55cd782939b7ed2768019c9bb8af7a12a69b75766c73846aafd9e16e11043ddd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eafqwqoiwqqswuf
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Efduroudsheuydo.tmp
Filesize
3.5MB

MD5
cd35e466184e88cb3795834fb35572f9

SHA1
53fab0a36760e9309f7c3f6b2d5b9a7d31e459c3

SHA256
fa7a760a69b543e6adeaf5c5f189b72200a1d4a7db58258053c7ba8aa9c9e70d

SHA512
7336fa2550ee32179052a91c72b1899912edb1237e377463bb457dcc5248b5c50ed7f685e1744d72e7c33f3816af157ab7c2224bcdfa3fa21c32cd808fddf413

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
Filesize
25KB

MD5
5ff530a14c6d0151cfeeb22de29da349

SHA1
b51d60488ddf57ca3a256b699373a4044f3d10d4

SHA256
e18fe90d31699cba0949191fb15b2ec7e287a9ab2a98c31bb6d01b0161e0fb13

SHA512
f0cf7096a12ea63d3fc4d69508448ace84a98957fc4a9177ddf31d36e74c4c611156d3cfa13ba91299081dc4f2b3113d5ffbf95db28913218794d6904313ab40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oieahedqsruu
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROBKQPFG-20230220-1902.log
Filesize
56KB

MD5
a828223d1f16939ea173da749f4d20ac

SHA1
33d797ed5621fb647ec867b5ead7e725ecd31df3

SHA256
46447d3548b290d7ec8d3efff84a195ce9f85e31be90eefa93ca057ce9651a8e

SHA512
c289a113015d7bb786cf6edb9c6aa7eee81b8512ae6c82d363fe2cc1e631eef626d7cc36d0115817b7c547c8c469faaa960c7253c543a6703ec2b049e8dec069

Download Submit
C:\Users\Admin\AppData\Local\Temp\Redeeyihtedepoh
Filesize
96KB

MD5
0bd7048b89df665f465414c2d18b5654

SHA1
5fc660a8ccd406062db0edad7f7661372a120a21

SHA256
40c6dc144615020bc6f4023a59ff4c2ab21ae00d27e1a37835bd1db1cd1d91c2

SHA512
99a5a53b00c1a00fcd0e58cc0a214aebcdba4933bf4c4edf0dd4e31517b48e6708c65a3943c837e8a728acca94329720f293ae4f792ce090ce4a7f724f2ddc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4028.log
Filesize
470B

MD5
b59c7586d27af51f3b9ff591fbe1674e

SHA1
1f315af1d63ff9ed82f42f466e80ca15b7884b10

SHA256
f51ac064bc24fea5d00bfc97ffe17cbccce9f361d63595393cf27548be06c365

SHA512
d7aec6abc6a62981301222426b045f3a6b116f0029361291aca9aa6fde20cf7208ca046db4e024b5a5d5676bb1455679cb93f2efa3cde7dc3596f258cd34e56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
a29e15d1244006e6bae4e6685b5c0f78

SHA1
0b5b63e8ecbe65b640c4a630f050fa4dc8275947

SHA256
62c92a84de3fcc725d5914e763c5b2568a466eed21c72bc3858803ed27eabbc8

SHA512
83b3bc53c3cb951ba7bdb54dea1ce639cf08d2e0ce562e1f64d117dc314c675239083f54889efa9a584a0954d0e425bc14f2c0232c848db61054390f71e14b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
59013fd9bf0cf779fa53e2bcb2176af3

SHA1
2a01e4e77b651ada4943179df629f88e70ac807f

SHA256
fa4db33fe626aada7c0aa9230b27d2d345ab656f5b96bb3cda58ab74f3d5bfd1

SHA512
38ad2154c8033f546f7ca5e2adc81af8232c2b4cde794e410be48b6c599ab71bafbf70584f13957e02189b3670cd049813f8dd651b9844156eb346a96a2c6904

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct2A5D.tmp
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
e5cca803cf51902eb907a5546cd500d0

SHA1
74d4e3d8df223b8ac1a2fc52bb0a03a80bf606fb

SHA256
5e190c91bdb1270bc0f5616165ef033a8cc7c1df134607106129e964354224e0

SHA512
ef396788663e1ea59d11d05e64bbfac07838c2ce6c3460edb9f3887f8e8497580a01873994c70d1769afafc81fc9de1ba2c2e81527a9ffcc2509dbb7ff9a2a06

Download Submit
\??\c:\program files (x86)\windows sidebar\shared gadgets\search.dll
Filesize
5.3MB

MD5
258487b25bf2885ae299cdef8a2a3055

SHA1
513da32eaf287fc2d653da9a6d54031c7f34f753

SHA256
f9182052a3d0737e758974f182efa5a1de69a8aec2dbfa7e27db93ba7c85bca4

SHA512
615f4e8c768913bd277b63a062e4d70ac4975e59773314d63a38011f0960fea40b5b8186432d1488666bedca66f494c6c99235bb90ddd2c4cc88e8d9c0fdfc7c

Download Submit
memory/1708-380-0x000001B91B770000-0x000001B91BA12000-memory.dmp

Filesize
2.6MB

Download
memory/1708-364-0x000001B91D1C0000-0x000001B91D300000-memory.dmp

Filesize
1.2MB

Download
memory/1708-377-0x000001B91B770000-0x000001B91BA12000-memory.dmp

Filesize
2.6MB

Download
memory/1708-366-0x00000000003F0000-0x0000000000681000-memory.dmp

Filesize
2.6MB

Download
memory/1708-362-0x00007FFDC86F0000-0x00007FFDC86F1000-memory.dmp

Filesize
4KB

Download
memory/1708-363-0x000001B91D1C0000-0x000001B91D300000-memory.dmp

Filesize
1.2MB

Download
memory/1708-365-0x000001B91B770000-0x000001B91BA12000-memory.dmp

Filesize
2.6MB

Download
memory/2052-418-0x000001E24C200000-0x000001E24C4A2000-memory.dmp

Filesize
2.6MB

Download
memory/4244-333-0x0000000002450000-0x0000000002F96000-memory.dmp

Filesize
11.3MB

Download
memory/4244-353-0x0000000003310000-0x0000000003E56000-memory.dmp

Filesize
11.3MB

Download
memory/4244-334-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/4244-335-0x0000000002450000-0x0000000002F96000-memory.dmp

Filesize
11.3MB

Download
memory/4244-379-0x0000000001800000-0x0000000001D64000-memory.dmp

Filesize
5.4MB

Download
memory/4244-336-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/4244-315-0x0000000001800000-0x0000000001D64000-memory.dmp

Filesize
5.4MB

Download
memory/4244-316-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4896-134-0x0000000002EC0000-0x0000000003566000-memory.dmp

Filesize
6.6MB

Download
memory/4896-144-0x0000000002EC0000-0x0000000003566000-memory.dmp

Filesize
6.6MB

Download
memory/4896-143-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4896-140-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/5052-222-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-239-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5052-238-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5052-237-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/5052-236-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-235-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-234-0x0000000002340000-0x00000000028A4000-memory.dmp

Filesize
5.4MB

Download
memory/5052-233-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-232-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-231-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-230-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-228-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-227-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-344-0x0000000002340000-0x00000000028A4000-memory.dmp

Filesize
5.4MB

Download
memory/5052-350-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-352-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-354-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5052-225-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-355-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-357-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5052-358-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/5052-359-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5052-360-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5052-361-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-224-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-223-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-203-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-202-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-201-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/5052-200-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-199-0x0000000002340000-0x00000000028A4000-memory.dmp

Filesize
5.4MB

Download
memory/5052-146-0x0000000002340000-0x00000000028A4000-memory.dmp

Filesize
5.4MB

Download
memory/5052-382-0x0000000002340000-0x00000000028A4000-memory.dmp

Filesize
5.4MB

Download
memory/5052-383-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-385-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-386-0x0000000004C60000-0x0000000004DA0000-memory.dmp

Filesize
1.2MB

Download
memory/5052-389-0x0000000004C60000-0x0000000004DA0000-memory.dmp

Filesize
1.2MB

Download
memory/5052-388-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-387-0x00000000035C0000-0x0000000004106000-memory.dmp

Filesize
11.3MB

Download
memory/5052-145-0x0000000002340000-0x00000000028A4000-memory.dmp

Filesize
5.4MB

Download
memory/5052-142-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/5052-141-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/5052-139-0x0000000002340000-0x00000000028A4000-memory.dmp

Filesize
5.4MB

Download