50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153

Analysis

max time kernel
88s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153.exe
Size

4.9MB
MD5

99f182634276ea2930bd52c5de269623
SHA1

e7183bec5f94403c75daf0175c2dc4faeffa30ce
SHA256

50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153
SHA512

a71bae98dee78ff1d44369d82c4bc53d046f669386d7ea65b60b3b928d1b28f92124e475d2ae6fc8ddddab4a751c4c6b3c33da4803b41c32d02f1411919c45db
SSDEEP

98304:s2T+CtWrLdY/urUVVj52hpvJ2XH83W5EhzzmzcNnq5OPPRb+W8g91otVxe2Nb6:PURjnJacvjqKJKpI2Nb

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
25	1292	rundll32.exe
44	1292	rundll32.exe
62	1292	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\chrome_elf\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\chrome_elf.dllက"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\chrome_elf\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\chrome_elf.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\chrome_elf\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1292	rundll32.exe
1292	rundll32.exe
4816	svchost.exe
4816	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 1464	1292	rundll32.exe	94
PID 1292 set thread context of 2780	1292	rundll32.exe	100
PID 1292 set thread context of 3964	1292	rundll32.exe	105
PID 1292 set thread context of 1168	1292	rundll32.exe	108
PID 1292 set thread context of 1820	1292	rundll32.exe	113
PID 1292 set thread context of 3452	1292	rundll32.exe	118
PID 1292 set thread context of 4192	1292	rundll32.exe	121

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\reviews_sent.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AcroSup64.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DarkTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Accessibility.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\reader_sl.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\aic_file_icons_retina_thumb.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\export.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4432	1932	WerFault.exe	81
1116	4816	WerFault.exe	93

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	rundll32.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1464	rundll32.exe
1292	rundll32.exe
2780	rundll32.exe
1292	rundll32.exe
3964	rundll32.exe
1168	rundll32.exe
1292	rundll32.exe
1820	rundll32.exe
1292	rundll32.exe
3452	rundll32.exe
1292	rundll32.exe
4192	rundll32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1292	1932	50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153.exe	82
PID 1932 wrote to memory of 1292	1932	50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153.exe	82
PID 1932 wrote to memory of 1292	1932	50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153.exe	82
PID 1292 wrote to memory of 1464	1292	rundll32.exe	94
PID 1292 wrote to memory of 1464	1292	rundll32.exe	94
PID 1292 wrote to memory of 1464	1292	rundll32.exe	94
PID 1292 wrote to memory of 616	1292	rundll32.exe	98
PID 1292 wrote to memory of 616	1292	rundll32.exe	98
PID 1292 wrote to memory of 616	1292	rundll32.exe	98
PID 1292 wrote to memory of 2780	1292	rundll32.exe	100
PID 1292 wrote to memory of 2780	1292	rundll32.exe	100
PID 1292 wrote to memory of 2780	1292	rundll32.exe	100
PID 1292 wrote to memory of 3200	1292	rundll32.exe	101
PID 1292 wrote to memory of 3200	1292	rundll32.exe	101
PID 1292 wrote to memory of 3200	1292	rundll32.exe	101
PID 1292 wrote to memory of 3440	1292	rundll32.exe	103
PID 1292 wrote to memory of 3440	1292	rundll32.exe	103
PID 1292 wrote to memory of 3440	1292	rundll32.exe	103
PID 1292 wrote to memory of 3964	1292	rundll32.exe	105
PID 1292 wrote to memory of 3964	1292	rundll32.exe	105
PID 1292 wrote to memory of 3964	1292	rundll32.exe	105
PID 1292 wrote to memory of 448	1292	rundll32.exe	106
PID 1292 wrote to memory of 448	1292	rundll32.exe	106
PID 1292 wrote to memory of 448	1292	rundll32.exe	106
PID 1292 wrote to memory of 1168	1292	rundll32.exe	108
PID 1292 wrote to memory of 1168	1292	rundll32.exe	108
PID 1292 wrote to memory of 1168	1292	rundll32.exe	108
PID 1292 wrote to memory of 1300	1292	rundll32.exe	109
PID 1292 wrote to memory of 1300	1292	rundll32.exe	109
PID 1292 wrote to memory of 1300	1292	rundll32.exe	109
PID 1292 wrote to memory of 2372	1292	rundll32.exe	111
PID 1292 wrote to memory of 2372	1292	rundll32.exe	111
PID 1292 wrote to memory of 2372	1292	rundll32.exe	111
PID 1292 wrote to memory of 1820	1292	rundll32.exe	113
PID 1292 wrote to memory of 1820	1292	rundll32.exe	113
PID 1292 wrote to memory of 1820	1292	rundll32.exe	113
PID 1292 wrote to memory of 1452	1292	rundll32.exe	114
PID 1292 wrote to memory of 1452	1292	rundll32.exe	114
PID 1292 wrote to memory of 1452	1292	rundll32.exe	114
PID 1292 wrote to memory of 2552	1292	rundll32.exe	116
PID 1292 wrote to memory of 2552	1292	rundll32.exe	116
PID 1292 wrote to memory of 2552	1292	rundll32.exe	116
PID 1292 wrote to memory of 3452	1292	rundll32.exe	118
PID 1292 wrote to memory of 3452	1292	rundll32.exe	118
PID 1292 wrote to memory of 3452	1292	rundll32.exe	118
PID 1292 wrote to memory of 1004	1292	rundll32.exe	119
PID 1292 wrote to memory of 1004	1292	rundll32.exe	119
PID 1292 wrote to memory of 1004	1292	rundll32.exe	119
PID 1292 wrote to memory of 4192	1292	rundll32.exe	121
PID 1292 wrote to memory of 4192	1292	rundll32.exe	121
PID 1292 wrote to memory of 4192	1292	rundll32.exe	121
PID 1292 wrote to memory of 2100	1292	rundll32.exe	122
PID 1292 wrote to memory of 2100	1292	rundll32.exe	122
PID 1292 wrote to memory of 2100	1292	rundll32.exe	122

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153.exe
"C:\Users\Admin\AppData\Local\Temp\50f072fd1dbe44db6c18f524a42723bacd5f5e1e046d36ac2a5be6629e00a153.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll,start
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1292
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:616
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2780
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3440
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:448
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2372
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2552
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1004
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2100
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3176
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2108
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:984
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:5108
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:400
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:980
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:2896
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3440
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2308
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1972
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14040
    3⤵
    PID:2776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 512
  2⤵
  - Program crash
  PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1932 -ip 1932
1⤵
PID:4488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 944
  2⤵
  - Program crash
  PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4816 -ip 4816
1⤵
PID:4340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chrome_elf.dll

Filesize
5.3MB

MD5
8fc28143710057264d4b9bc38c1c2b9f

SHA1
d2fcd0bb4810e3027607f6b24016443a34569c64

SHA256
9714feed693fa37ad9bb39605448c86a9880862c4ded83c9ea95ff1a8c95fb86

SHA512
d82cc98d5c6938268d1ae863bbeb96b11f654bfe112d3755fab1ef6ce8bf69548f7c8503309ecaa55b6b4590924fafa6b12587fec9e1183e90667cecaab7fa3b

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chrome_elf.dll

Filesize
5.3MB

MD5
8fc28143710057264d4b9bc38c1c2b9f

SHA1
d2fcd0bb4810e3027607f6b24016443a34569c64

SHA256
9714feed693fa37ad9bb39605448c86a9880862c4ded83c9ea95ff1a8c95fb86

SHA512
d82cc98d5c6938268d1ae863bbeb96b11f654bfe112d3755fab1ef6ce8bf69548f7c8503309ecaa55b6b4590924fafa6b12587fec9e1183e90667cecaab7fa3b

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml

Filesize
15KB

MD5
c79d743dc754585c49ffc41a15c33c71

SHA1
15df899dde702aa45be8f2fdc936cc03cf3d3016

SHA256
5aa9e0d9f982ffa00c39ee9070a398e64f33959181ebfe9d2ee497f59ea10c12

SHA512
5ba9c252c91bce7d9e6dbdc64c513e4aa6a9938502ff4c08dcf47025e03625d933aedbc0ca55ad6145fc6f86a00740edfcf48c58902a843c75e98cdf1af487a6

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\CiPT0000.001

Filesize
64KB

MD5
f0de5ba46a52197abf9c1b5a79c327f4

SHA1
58a800569afb4883d959649a1ae539e308b2b815

SHA256
abf4d63faf2b5048bafcc66af496cc5503c71e2a0e1b459d2127d5da3343e2c6

SHA512
09c2494a38ce38474a6ab812c408f80b5de58be1d212696e7c0f92012fa0ea1f597e714c368f1885971a682e075f9a46a84509fbb49a45befb9cdef99a385766

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_2_20_18_44_24.etl

Filesize
256KB

MD5
51aebda79a0aa331c27aa960aa392189

SHA1
8b0043f00884ec22b8cd3380185dccfc49c466c2

SHA256
b79b3ae737726da5d76049fc692199d12d797e481b940ae8cf8e303367386268

SHA512
11fbd30d316d4e5ae836c12f8a60c386dd00baee542ce9888ed74e2bd1de94cbf4d48bf072b4f1583af5cc045e538225e4496a3a49edaef02d86e98c4096086c

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
26KB

MD5
3973cc0067bf4b33098b7bf2d68db787

SHA1
88ddb50df1c24a7f658ba2050f94dea1e13ca8d4

SHA256
70d4896e97e5a6e63d081deb667a746d8153c30ef2556c15fac003e4ac3ea4e9

SHA512
87b72becab432f15accf9433b024b53efff165a9478937a4efd5ecf6841503b4c64eedbaae87ecba44f7803331950cd36f9e54c97c4ebf05d7a76062814bd080

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\MicrosoftEdgeUpdate.log

Filesize
103KB

MD5
72d84f05aa9ee174eb568fa1c7f702d6

SHA1
3d3092116cbb06ef9e6cfdf33b8dc1ed464ebf54

SHA256
3d6b92a5f20cf8400912f584b219b498f39ca904305ca5a519be0107ba2cc472

SHA512
027e7616aee99f5c702cfb8de6c552609a4de2220678d537566178f41e598397966691525785e0de49226bb335ec3123c192ced84e4ea0eabb8b981f6ab24047

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\MicrosoftLync2013Win32.xml

Filesize
2KB

MD5
fa5b7d129ddfd18b73d3a4a0b0fb4c87

SHA1
b5e32bd5772cfb50174451d4818670d32088ff85

SHA256
4452719f5b16e474e6ae407fb56f7e68f0308920938d749a4d46cded948c116d

SHA512
99fd882c7f9a333143367e09590b9c71c9aa3957205a2dd26097ae88a54265d7272968ec99c755ef6d7741ff8e690b53492321b42129c990c870beb6322eb034

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\RegisterInboxTemplates.ps1

Filesize
611B

MD5
05f7a98933d942ced40039a39cdb3fda

SHA1
c7d59ec61f4e454b0c8e38d921fb5e7f127ee46d

SHA256
a9b8f3753fb1adf3fdd9558cd49e0be28d0fd781eb192ff9e8b0cc736ee173eb

SHA512
dc01d47114be1fece3b4a87498194ae8c102d863f384e4b45009d5ddc8e1bfe77ecab99bf8ea76c53177a847b312f5a743ac9f06eb4a3619b91ec2adf19d4f34

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\SmsInterceptStore.db

Filesize
192KB

MD5
ba0cf990fb7abd9ef871311d33d5ce17

SHA1
973ba00361fe646679f62b3ce975d6d910133f6b

SHA256
5a9758146644ce493c9374d3f7bc6db894dd0db85bc76fe5d477683cf5e36b54

SHA512
72bf042271719300aeec25fd20c1173bfa40db64fd4cf95b0a617ae95aa8a45c32cf8468dc61625426b7aa8d00a8d34dd6f9f4e40991d09d0a81114b324f6b5f

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\SmsInterceptStore.jfm

Filesize
16KB

MD5
f535f1c2c04909cc6786960b188123ee

SHA1
5d8834a7b0e8c9e24e108f99b0512d21dd8be949

SHA256
c4df0c4e70dc7b9273f94c61e1e7164d1b6b754723013370aa98b34a075f6c85

SHA512
2e2e2643d6c8c1db7072fc5838acdd467727dea9392c62cec67fbc029c506769307d3688b867101df8f4d64e46b01bba6bc336832e46f0f4c22e787b1f95cff0

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Urpdpfsaas.tmp

Filesize
3.5MB

MD5
27d5a2009fc4b7764d24d52b6364a071

SHA1
1c8056535e2fbf891d4a4398a46e5a19d6ae5ce1

SHA256
77892d6479e518de9f35ba0c20289e6b31316929a5478e8cd418370feb89b736

SHA512
9af3404c716611a9ab1580d5be5caf778919242af2c3c803b020c7dc1170aeb46b20bc0963b47bc48a50675a32b19fda4ca92aff26058535b1f7ac2cff7fbdad

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\print_pref.ico

Filesize
56KB

MD5
a52a082f2b18811deaf3138d27c57af8

SHA1
317bf685e50de705818bff26f032e7f593830509

SHA256
6b4b668a30271d7853257b5752dc429b39c7b264e77ff3533196e6fd03fbeb88

SHA512
0d6f4bbb993b4e9a0069ddd0503ceb45d8a1cc6f6453cc2faf91cb137fa49e15eeaa3d77cb9954cc07701153932da51977d467c54b1e0fcfe74b6670cac47d99

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\wmp.ico

Filesize
110KB

MD5
589ff0b7d4d0d3fced65c3eae6559657

SHA1
4be3e4221a429b347888bbe3635e377271974c7f

SHA256
0e96c027d23a57e95103d1b64e4c5b8a153402f05b756dfcb737459476aaae35

SHA512
4a12bac3f61964d6c5608bbb9067d7673cd5e5a22463f6d16f402954045692f43ef1ea32d405f452d415c859c30b217e9d250a1c5c85cfd629bd393824b6523b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll

Filesize
5.3MB

MD5
535c37d130cfa7aca131164b1796e721

SHA1
c23cc87579c2052f0831c569a5c25175e650af44

SHA256
6bc34a89619448292488e5b777379171c1829b86a9d73b085c3f9869401816af

SHA512
eac8e3bafca6426024ed604b9e366933b9df6a5168a4a822b8d7108138e4894077c954ce767fbde37ecd36a13fc3f9132af5db1942bf36675875bd49a6d8c2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll

Filesize
5.3MB

MD5
535c37d130cfa7aca131164b1796e721

SHA1
c23cc87579c2052f0831c569a5c25175e650af44

SHA256
6bc34a89619448292488e5b777379171c1829b86a9d73b085c3f9869401816af

SHA512
eac8e3bafca6426024ed604b9e366933b9df6a5168a4a822b8d7108138e4894077c954ce767fbde37ecd36a13fc3f9132af5db1942bf36675875bd49a6d8c2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll

Filesize
5.3MB

MD5
535c37d130cfa7aca131164b1796e721

SHA1
c23cc87579c2052f0831c569a5c25175e650af44

SHA256
6bc34a89619448292488e5b777379171c1829b86a9d73b085c3f9869401816af

SHA512
eac8e3bafca6426024ed604b9e366933b9df6a5168a4a822b8d7108138e4894077c954ce767fbde37ecd36a13fc3f9132af5db1942bf36675875bd49a6d8c2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Efduroudsheuydo.tmp

Filesize
3.5MB

MD5
27d5a2009fc4b7764d24d52b6364a071

SHA1
1c8056535e2fbf891d4a4398a46e5a19d6ae5ce1

SHA256
77892d6479e518de9f35ba0c20289e6b31316929a5478e8cd418370feb89b736

SHA512
9af3404c716611a9ab1580d5be5caf778919242af2c3c803b020c7dc1170aeb46b20bc0963b47bc48a50675a32b19fda4ca92aff26058535b1f7ac2cff7fbdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qeihwurpqdhwsi

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stddtrryr

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trtddopdeiho

Filesize
46KB

MD5
b13fcb3223116f6eec60be9143cae98b

SHA1
9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

SHA256
961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

SHA512
89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI5A1B.txt

Filesize
415KB

MD5
5a8cb2013b137b3b60b1fe6abb8d3236

SHA1
4183921e345b9f003587f40c831618ca6a917a16

SHA256
25f24490a216834d33ce66fc38a62cfa339d19523542d7468aff256f05b72076

SHA512
2a22a7ff877ffcd8fcd2339411ecb6a35b5e339ec806ec374d53a380e22491d7c82396d2495cbf5861d49716b51315eff06f6447e4f761a4b45187bb0f36753b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct1C67.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
e5cca803cf51902eb907a5546cd500d0

SHA1
74d4e3d8df223b8ac1a2fc52bb0a03a80bf606fb

SHA256
5e190c91bdb1270bc0f5616165ef033a8cc7c1df134607106129e964354224e0

SHA512
ef396788663e1ea59d11d05e64bbfac07838c2ce6c3460edb9f3887f8e8497580a01873994c70d1769afafc81fc9de1ba2c2e81527a9ffcc2509dbb7ff9a2a06

Download Submit
\??\c:\program files (x86)\windows sidebar\shared gadgets\chrome_elf.dll

Filesize
5.3MB

MD5
8fc28143710057264d4b9bc38c1c2b9f

SHA1
d2fcd0bb4810e3027607f6b24016443a34569c64

SHA256
9714feed693fa37ad9bb39605448c86a9880862c4ded83c9ea95ff1a8c95fb86

SHA512
d82cc98d5c6938268d1ae863bbeb96b11f654bfe112d3755fab1ef6ce8bf69548f7c8503309ecaa55b6b4590924fafa6b12587fec9e1183e90667cecaab7fa3b

Download Submit
memory/984-699-0x0000026A11F30000-0x0000026A121D2000-memory.dmp

Filesize
2.6MB

Download
memory/984-704-0x0000026A11F30000-0x0000026A121D2000-memory.dmp

Filesize
2.6MB

Download
memory/1032-667-0x000002CA857F0000-0x000002CA85A92000-memory.dmp

Filesize
2.6MB

Download
memory/1032-643-0x000002CA857F0000-0x000002CA85A92000-memory.dmp

Filesize
2.6MB

Download
memory/1168-428-0x00000172165B0000-0x0000017216852000-memory.dmp

Filesize
2.6MB

Download
memory/1168-442-0x00000172165B0000-0x0000017216852000-memory.dmp

Filesize
2.6MB

Download
memory/1292-193-0x00000000048C0000-0x0000000004A00000-memory.dmp

Filesize
1.2MB

Download
memory/1292-167-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1292-194-0x00000000048C0000-0x0000000004A00000-memory.dmp

Filesize
1.2MB

Download
memory/1292-192-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/1292-191-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-164-0x0000000002910000-0x0000000002E74000-memory.dmp

Filesize
5.4MB

Download
memory/1292-190-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-189-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-141-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1292-188-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-187-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-185-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-184-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-183-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-181-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-180-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-179-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-178-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-143-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/1292-328-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1292-262-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-138-0x0000000002910000-0x0000000002E74000-memory.dmp

Filesize
5.4MB

Download
memory/1292-327-0x0000000005410000-0x0000000005550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-269-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-169-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-168-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-270-0x00000000048C0000-0x0000000004A00000-memory.dmp

Filesize
1.2MB

Download
memory/1292-165-0x0000000002910000-0x0000000002E74000-memory.dmp

Filesize
5.4MB

Download
memory/1292-272-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-271-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-273-0x00000000048C0000-0x0000000004A00000-memory.dmp

Filesize
1.2MB

Download
memory/1292-274-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1292-275-0x00000000048C0000-0x0000000004A00000-memory.dmp

Filesize
1.2MB

Download
memory/1292-276-0x00000000048C0000-0x0000000004A00000-memory.dmp

Filesize
1.2MB

Download
memory/1292-325-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-324-0x0000000005410000-0x0000000005550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-323-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-195-0x0000000002910000-0x0000000002E74000-memory.dmp

Filesize
5.4MB

Download
memory/1292-321-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-277-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1292-296-0x0000000002910000-0x0000000002E74000-memory.dmp

Filesize
5.4MB

Download
memory/1292-166-0x0000000003C70000-0x00000000047B6000-memory.dmp

Filesize
11.3MB

Download
memory/1464-284-0x0000025EA2840000-0x0000025EA2AE2000-memory.dmp

Filesize
2.6MB

Download
memory/1464-283-0x00000000003C0000-0x0000000000651000-memory.dmp

Filesize
2.6MB

Download
memory/1464-307-0x0000025EA2840000-0x0000025EA2AE2000-memory.dmp

Filesize
2.6MB

Download
memory/1464-282-0x0000025EA2840000-0x0000025EA2AE2000-memory.dmp

Filesize
2.6MB

Download
memory/1464-280-0x0000025EA4100000-0x0000025EA4240000-memory.dmp

Filesize
1.2MB

Download
memory/1464-279-0x0000025EA4100000-0x0000025EA4240000-memory.dmp

Filesize
1.2MB

Download
memory/1464-278-0x00007FFA43180000-0x00007FFA43181000-memory.dmp

Filesize
4KB

Download
memory/1820-493-0x000001F80B690000-0x000001F80B932000-memory.dmp

Filesize
2.6MB

Download
memory/1820-479-0x000001F80B690000-0x000001F80B932000-memory.dmp

Filesize
2.6MB

Download
memory/1932-139-0x00000000052A0000-0x0000000005946000-memory.dmp

Filesize
6.6MB

Download
memory/1932-142-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-140-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2096-927-0x00000243BED10000-0x00000243BEFB2000-memory.dmp

Filesize
2.6MB

Download
memory/2096-913-0x00000243BED10000-0x00000243BEFB2000-memory.dmp

Filesize
2.6MB

Download
memory/2108-697-0x0000000001260000-0x0000000001C86000-memory.dmp

Filesize
10.1MB

Download
memory/2108-700-0x0000000002050000-0x0000000002B96000-memory.dmp

Filesize
11.3MB

Download
memory/2108-698-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2776-994-0x000001F0E6FD0000-0x000001F0E7272000-memory.dmp

Filesize
2.6MB

Download
memory/2780-361-0x000002560D840000-0x000002560DAE2000-memory.dmp

Filesize
2.6MB

Download
memory/2780-336-0x000002560D840000-0x000002560DAE2000-memory.dmp

Filesize
2.6MB

Download
memory/2896-821-0x0000021E416F0000-0x0000021E41992000-memory.dmp

Filesize
2.6MB

Download
memory/2896-836-0x0000021E416F0000-0x0000021E41992000-memory.dmp

Filesize
2.6MB

Download
memory/3452-509-0x000002B7503D0000-0x000002B750672000-memory.dmp

Filesize
2.6MB

Download
memory/3452-533-0x000002B7503D0000-0x000002B750672000-memory.dmp

Filesize
2.6MB

Download
memory/3656-943-0x000001699F110000-0x000001699F3B2000-memory.dmp

Filesize
2.6MB

Download
memory/3656-978-0x000001699F110000-0x000001699F3B2000-memory.dmp

Filesize
2.6MB

Download
memory/3964-392-0x00000203EACF0000-0x00000203EAF92000-memory.dmp

Filesize
2.6MB

Download
memory/3964-387-0x00000203EACF0000-0x00000203EAF92000-memory.dmp

Filesize
2.6MB

Download
memory/4192-564-0x0000020CD4000000-0x0000020CD42A2000-memory.dmp

Filesize
2.6MB

Download
memory/4192-557-0x0000020CD4000000-0x0000020CD42A2000-memory.dmp

Filesize
2.6MB

Download
memory/4316-755-0x000001FDAA740000-0x000001FDAA9E2000-memory.dmp

Filesize
2.6MB

Download
memory/4316-740-0x000001FDAA740000-0x000001FDAA9E2000-memory.dmp

Filesize
2.6MB

Download
memory/4348-600-0x00000174725F0000-0x0000017472892000-memory.dmp

Filesize
2.6MB

Download
memory/4348-615-0x00000174725F0000-0x0000017472892000-memory.dmp

Filesize
2.6MB

Download
memory/4720-862-0x000002744FC90000-0x000002744FF32000-memory.dmp

Filesize
2.6MB

Download
memory/4720-876-0x000002744FC90000-0x000002744FF32000-memory.dmp

Filesize
2.6MB

Download
memory/4816-309-0x0000000001C00000-0x0000000002164000-memory.dmp

Filesize
5.4MB

Download
memory/4816-281-0x00000000037B0000-0x00000000042F6000-memory.dmp

Filesize
11.3MB

Download
memory/4816-264-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4816-263-0x0000000002890000-0x00000000033D6000-memory.dmp

Filesize
11.3MB

Download
memory/4816-261-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/4816-260-0x0000000002890000-0x00000000033D6000-memory.dmp

Filesize
11.3MB

Download
memory/4816-250-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/4816-249-0x0000000001C00000-0x0000000002164000-memory.dmp

Filesize
5.4MB

Download
memory/4976-781-0x0000022F5A3F0000-0x0000022F5A692000-memory.dmp

Filesize
2.6MB

Download
memory/4976-805-0x0000022F5A3F0000-0x0000022F5A692000-memory.dmp

Filesize
2.6MB

Download