Analysis
- max time kernel: 123s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2023 06:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
- Resource: win10v2004-20220812-en
General
- Target: 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
- Size: 258KB
- MD5: 9edbea943982f7a94e9fbbeaad334299
- SHA1: e671870f03ba365635b07b27f508c96c66de3bc4
- SHA256: 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb
- SHA512: 3314db9ebdc307e8c5a987d1b2e619ed404a4d59f1e7ffdc97b64c51616782fd3e14b9f74d1154ffd244d6b2c50d1d225a4b0d7be3e998eb4a3bbfd4ef13c687
- SSDEEP: 6144:77PXfWLqmrvtrVxmhIsLkliDTrrj9U4zqQna:77P+2m7tfmqqkliDTrrxFP
Malware Config
Extracted
lumma
77.73.134.68
Signatures
- Detects Smokeloader packer (1 IoC)
  Processes:
  - resource behavioral1/memory/4268-133-0x00000000005E0000-0x00000000005E9000-memory.dmp, yara_rule family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (6 IoCs)
  Processes:
  - flow 37, pid 4800, rundll32.exe
  - flow 46, pid 4800, rundll32.exe
  - flow 60, pid 4800, rundll32.exe
  - flow 68, pid 4800, rundll32.exe
  - flow 69, pid 4800, rundll32.exe
  - flow 79, pid 4800, rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 4952, EF27.exe
  - pid 912, 588C.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes:
  - Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\logsession\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\logsession.dll" (rundll32.exe)
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes:
  - Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\logsession\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" (rundll32.exe)
- Loads dropped DLL (3 IoCs)
  Processes:
  - pid 4800, rundll32.exe
  - pid 4972, svchost.exe
  - pid 544, rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)
- Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4800 (rundll32.exe) set thread context of 4448 (rundll32.exe)
- Drops file in Program Files directory (41 IoCs)
  Processes (every entry is by rundll32.exe):
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\arh.exe
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\64BitMAPIBroker.exe
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_pdf.svg
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\dd_arrow_small.png
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_sent.gif
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\PDFPrevHndlr.dll
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.exe
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud.png
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\form_responses.gif
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.svg
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp
  - File created C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
  - pid 1156 WerFault.exe, pid_target 4952 EF27.exe
  - pid 3208 WerFault.exe, pid_target 912 588C.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (every entry is by 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Checks processor information in registry (2 TTPs, 64 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (svchost.exe and two rundll32.exe instances; the 64 entries are repetitions of the following distinct operations):
  - Key opened, Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  - Key opened, Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  - Key value queried, under both CentralProcessor\0 and CentralProcessor\1: Component Information, Update Status, Update Revision, Previous Update Revision, FeatureSet, Platform Specific Field 1, Identifier, ProcessorNameString, VendorIdentifier, ~MHz, Configuration Data
- Processes:
  - Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
  - Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
  - Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
  - Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout
- Modifies registry class (30 IoCs)
  Processes (<Shell> below stands for \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell; entries that name rundll32.exe do so in the report):
  - Set value (data) <Shell>\BagMRU\NodeSlots
  - Key created <Shell>\BagMRU\0\0\0
  - Set value (data) <Shell>\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
  - Key created <Shell>\BagMRU
  - Key created <Shell>\BagMRU\0
  - Set value (data) <Shell>\BagMRU\0\MRUListEx = 00000000ffffffff
  - Key created <Shell>\BagMRU\0\0\0\0
  - Key created <Shell>\Bags\1\Shell
  - Key created <Shell>\Bags\1
  - Set value (data) <Shell>\BagMRU\NodeSlots (rundll32.exe)
  - Set value (data) <Shell>\BagMRU\MRUListEx = ffffffff (rundll32.exe)
  - Set value (data) <Shell>\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
  - Set value (data) <Shell>\BagMRU\NodeSlots = 02
  - Set value (int) <Shell>\BagMRU\0\0\0\0\NodeSlot = "1"
  - Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
  - Set value (data) <Shell>\BagMRU\0\0\0\0 = 4e003100000000003056953c100054656d7000003a0009000400efbe0c55ec9830569a3c2e00000000000000000000000000000000000000000000000000edb4e700540065006d007000000014000000
  - Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
  - Set value (data) <Shell>\BagMRU\MRUListEx = ffffffff
  - Set value (data) <Shell>\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
  - Set value (data) <Shell>\BagMRU\MRUListEx = 00000000ffffffff
  - Set value (data) <Shell>\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
  - Key created <Shell>\Bags
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  - Set value (str) <Shell>\Bags\1\Shell\SniffedFolderType = "Generic"
  - Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (rundll32.exe)
  - Key created <Shell> (rundll32.exe)
  - Key created <Shell>\BagMRU (rundll32.exe)
  - Key created <Shell>\BagMRU\0\0
  - Set value (data) <Shell>\BagMRU\0\0\MRUListEx = 00000000ffffffff
  - Set value (data) <Shell>\BagMRU\0\0\0\0\MRUListEx = ffffffff
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - pid 676
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 4268, 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe (2 entries)
  - pid 676 (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 676
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - pid 4268, 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 4800, rundll32.exe
  - Token: SeShutdownPrivilege, pid 676 (21 entries)
  - Token: SeCreatePagefilePrivilege, pid 676 (21 entries)
- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes:
  - pid 4448, rundll32.exe
  - pid 676 (8 entries)
  - pid 4800, rundll32.exe (3 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - pid 676 (2 entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (each relation below is recorded three times in the report):
  - PID 676 wrote to memory of 4952 (EF27.exe)
  - PID 4952 (EF27.exe) wrote to memory of 4800 (rundll32.exe)
  - PID 4972 (svchost.exe) wrote to memory of 544 (rundll32.exe)
  - PID 4800 (rundll32.exe) wrote to memory of 4448 (rundll32.exe)
  - PID 4800 (rundll32.exe) wrote to memory of 2248 (schtasks.exe)
  - PID 4800 (rundll32.exe) wrote to memory of 1536 (schtasks.exe)
  - PID 4800 (rundll32.exe) wrote to memory of 3932 (schtasks.exe)
  - PID 4800 (rundll32.exe) wrote to memory of 4328 (schtasks.exe)
  - PID 4800 (rundll32.exe) wrote to memory of 3336 (schtasks.exe)
  - PID 676 wrote to memory of 912 (588C.exe)
  - PID 4800 (rundll32.exe) wrote to memory of 1852 (schtasks.exe)
- outlook_office_path (1 IoC)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- outlook_win_path (1 IoC)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe (PID 4268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\EF27.exe (PID 4952)
  Command line: C:\Users\Admin\AppData\Local\Temp\EF27.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  Children of PID 4952:
  - C:\Windows\SysWOW64\rundll32.exe (PID 4800)
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Children of PID 4800:
    - C:\Windows\system32\rundll32.exe (PID 4448)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe (PID 2248)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 1536)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 3932)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 4328)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 3336)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 1852)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 3424)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 2548)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 4764)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 4772)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 2888)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 3324)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 436)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 528)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 1584)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 2276)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe (PID 1156)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 560
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4820)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4952 -ip 4952
- C:\Windows\SysWOW64\svchost.exe (PID 4972)
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  Children of PID 4972:
  - C:\Windows\SysWOW64\rundll32.exe (PID 544)
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\logsession.dll",VUkMMnFYWlA=
    - Loads dropped DLL
    - Checks processor information in registry
- C:\Windows\System32\rundll32.exe (PID 3140)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\588C.exe (PID 912)
  Command line: C:\Users\Admin\AppData\Local\Temp\588C.exe
  - Executes dropped EXE
  Children of PID 912:
  - C:\Windows\SysWOW64\WerFault.exe (PID 3208)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1336
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2472)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 912
Network
MITRE ATT&CK Enterprise v6
Downloads