lumma | 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb

Analysis

max time kernel
123s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
Size

258KB
MD5

9edbea943982f7a94e9fbbeaad334299
SHA1

e671870f03ba365635b07b27f508c96c66de3bc4
SHA256

7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb
SHA512

3314db9ebdc307e8c5a987d1b2e619ed404a4d59f1e7ffdc97b64c51616782fd3e14b9f74d1154ffd244d6b2c50d1d225a4b0d7be3e998eb4a3bbfd4ef13c687
SSDEEP

6144:77PXfWLqmrvtrVxmhIsLkliDTrrj9U4zqQna:77P+2m7tfmqqkliDTrrxFP

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4268-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

37 4800 rundll32.exe
46 4800 rundll32.exe
60 4800 rundll32.exe
68 4800 rundll32.exe
69 4800 rundll32.exe
79 4800 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

EF27.exe588C.exe

pid process

4952 EF27.exe
912 588C.exe

flow	pid	process
37	4800	rundll32.exe
46	4800	rundll32.exe
60	4800	rundll32.exe
68	4800	rundll32.exe
69	4800	rundll32.exe
79	4800	rundll32.exe

pid	process
4952	EF27.exe
912	588C.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\logsession\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\logsession.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\logsession\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4800 rundll32.exe
4972 svchost.exe
544 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4800	rundll32.exe
4972	svchost.exe
544	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4800 set thread context of 4448 4800 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4800 set thread context of 4448	4800	rundll32.exe	rundll32.exe

Drops file in Program Files directory 41 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\arh.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\64BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_pdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\dd_arrow_small.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_sent.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\form_responses.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1156 4952 WerFault.exe EF27.exe
3208 912 WerFault.exe 588C.exe

pid	pid_target	process	target process
1156	4952	WerFault.exe	EF27.exe
3208	912	WerFault.exe	588C.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056953c100054656d7000003a0009000400efbe0c55ec9830569a3c2e00000000000000000000000000000000000000000000000000edb4e700540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

676

pid	process
676

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe

pid	process
4268	7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
4268	7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

676
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe

pid process

4268 7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe

pid	process
676

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeDebugPrivilege	4800	rundll32.exe
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4448 rundll32.exe
676
676
676
676
676
676
676
676
4800 rundll32.exe
4800 rundll32.exe
4800 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

676
676

pid	process
4448	rundll32.exe
676
676
676
676
676
676
676
676
4800	rundll32.exe
4800	rundll32.exe
4800	rundll32.exe

pid	process
676
676

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

EF27.exesvchost.exerundll32.exe

description	pid	process	target process
PID 676 wrote to memory of 4952	676		EF27.exe
PID 676 wrote to memory of 4952	676		EF27.exe
PID 676 wrote to memory of 4952	676		EF27.exe
PID 4952 wrote to memory of 4800	4952	EF27.exe	rundll32.exe
PID 4952 wrote to memory of 4800	4952	EF27.exe	rundll32.exe
PID 4952 wrote to memory of 4800	4952	EF27.exe	rundll32.exe
PID 4972 wrote to memory of 544	4972	svchost.exe	rundll32.exe
PID 4972 wrote to memory of 544	4972	svchost.exe	rundll32.exe
PID 4972 wrote to memory of 544	4972	svchost.exe	rundll32.exe
PID 4800 wrote to memory of 4448	4800	rundll32.exe	rundll32.exe
PID 4800 wrote to memory of 4448	4800	rundll32.exe	rundll32.exe
PID 4800 wrote to memory of 4448	4800	rundll32.exe	rundll32.exe
PID 4800 wrote to memory of 2248	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 2248	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 2248	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 1536	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 1536	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 1536	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 3932	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 3932	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 3932	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 4328	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 4328	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 4328	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 3336	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 3336	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 3336	4800	rundll32.exe	schtasks.exe
PID 676 wrote to memory of 912	676		588C.exe
PID 676 wrote to memory of 912	676		588C.exe
PID 676 wrote to memory of 912	676		588C.exe
PID 4800 wrote to memory of 1852	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 1852	4800	rundll32.exe	schtasks.exe
PID 4800 wrote to memory of 1852	4800	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe
"C:\Users\Admin\AppData\Local\Temp\7e6e883a0e31b907f50dee651a4a9c54516496c85bf86d2b328e033331661bdb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4268

C:\Users\Admin\AppData\Local\Temp\EF27.exe
C:\Users\Admin\AppData\Local\Temp\EF27.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4800

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4448

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2248

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4328

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3336

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3424

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2548

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4764

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4772

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2888

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3324

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:436

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:528

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1584

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 560
2⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4952 -ip 4952
1⤵
PID:4820

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\logsession.dll",VUkMMnFYWlA=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\588C.exe
C:\Users\Admin\AppData\Local\Temp\588C.exe
1⤵
- Executes dropped EXE
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1336
2⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 912
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll
Filesize
774KB

MD5
c859371e43b171e58827b8735ddc2051

SHA1
02111009442ac9d2e41e1149af6b8e7a657e961b

SHA256
84e62625a0b5a78af8aa2b1d3ed735bb7cf49882214ef411f8b30bb90caaf4b4

SHA512
ee40a5604fb312db2d239b2758b85d13e49d8750928b1f2a021d805593fbdf76dacc8d4341f5cd7c53439b3765c6bfd79cfd04a462beca2dcb57cb3f0f0f7259

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll
Filesize
774KB

MD5
c859371e43b171e58827b8735ddc2051

SHA1
02111009442ac9d2e41e1149af6b8e7a657e961b

SHA256
84e62625a0b5a78af8aa2b1d3ed735bb7cf49882214ef411f8b30bb90caaf4b4

SHA512
ee40a5604fb312db2d239b2758b85d13e49d8750928b1f2a021d805593fbdf76dacc8d4341f5cd7c53439b3765c6bfd79cfd04a462beca2dcb57cb3f0f0f7259

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\AirSpace.Etw.man
Filesize
412KB

MD5
39e5270caae15015c8203fec413669c7

SHA1
f44f5617f2bc496fb497a1e8ad13997ccecf0f6d

SHA256
2e6cbfc09039d76897eaf701179ba2011d2ea134ca8b6c6e9792a0843006a5f1

SHA512
9bdab6d4cea87cd1172a77554c0059dbd5f7f29ca754e4ed21aa99bc4b16f40fc28e32c81f0ab3ea49158c12cc6c5318a81bd942b916c0b1241b2c6818b2657a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.officemuiset.msi.16.en-us.xml
Filesize
1KB

MD5
576aefa0d5cef530c59ff90625d60e25

SHA1
19be51d3942120e5474e0711592718da525eaa20

SHA256
f5b39bd24efbf27831061a34d1a78cea8f0073bfccade786129495f17cf2f112

SHA512
0d342bb21bb9651c0c36831718d9009af790bf808a9f38ec1788a06428d08d1299f4e215bd08e4912acc25d0f41ae95f3118019aa2811e89f35453b0ef8b32bf

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
db0acdbf49f80d3f3b0fb65a71b39341

SHA1
12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

SHA256
f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

SHA512
3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
16KB

MD5
4194b927b32c56bb3a5ed72c164c917e

SHA1
ec60c6bb8b2d0181408c65b3456b7b3b92cca134

SHA256
86d065b6d87309122e9fce9b960f5d56a45dfcdd83122a4225ed9fd3136320d8

SHA512
c94baa6f849bb048e572667e19268754efc58bce6673373db9817c729b36acbfd0bb30975a441f2a5cd16e00be97db412dd82f1669c1701004a1e27307f75c1d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe.xml
Filesize
5KB

MD5
1944801cae061223e36fcce6aed6bfba

SHA1
b465c53f3e6ae74fac368f36cbfc5842ce085e14

SHA256
b903a7f4408a27d0b7a7c6316d04952508d67058216dffeca4293c9352727959

SHA512
82b0e3b1105a5d802839c3ea78b4e2dd800b819ee678d016b2f47203ceb27a638d195909ec1d0efbf46edbf910409d7ab4a05146fc902ef335b36bf14339498f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.xml
Filesize
1KB

MD5
d8c0aaaa1d4b2386b683f9f0e0150986

SHA1
98aa9efe9aa9e7c9b1c27eb70e1a704a5fc1315d

SHA256
47740c23beeeeccfc9a10b8ffc82c745385403faef48c5f4b9fb7c092f9e6083

SHA512
41c3f40a8ee3f353634fba846938a7aec4bb5b8f6b98f3f108c22c1278b4df4d97b1cf43a096f896b4130249040f5d6931cf1275876ec1ec0fc6a1e1cb99d56c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
e59d2ba83ca6b9e34839eae119976fa2

SHA1
b367f10fa5e69295e1792f0f05f551cfc393113f

SHA256
fec0e40fa0f4810f73283da0806ac370c5b3d7df929289340e675b2c9b301923

SHA512
c4eaf939fb7fd337e4f281dfc7eca82344f3719dad7d307aaf48cd6ba2109cdc5e5a60b47b1f7320c79dd570f126de2a8dc43e81f2a45f872e43bc4c472402f9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\guest.png
Filesize
5KB

MD5
d7ee4543371744836d520e0ce24a9ee6

SHA1
a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0

SHA256
98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9

SHA512
e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

Download Submit
C:\Users\Admin\AppData\Local\Temp\588C.exe
Filesize
276KB

MD5
930f2ceba3c8821110756aa19b395676

SHA1
d2430e3e8dc6c193a90ef93da218c10f830e4395

SHA256
d21f82a8a0b55f753ba26a19444c5364a2b21d8451fcde32f659f57476fc399d

SHA512
dc6d093585e171ca366863cce09722e71e3718c8bab6d4432f92ccea6c926191bfbf5a0b7eb570189e070c4c8ca962a504e02f04661d6e3703efa642bec980d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\588C.exe
Filesize
276KB

MD5
930f2ceba3c8821110756aa19b395676

SHA1
d2430e3e8dc6c193a90ef93da218c10f830e4395

SHA256
d21f82a8a0b55f753ba26a19444c5364a2b21d8451fcde32f659f57476fc399d

SHA512
dc6d093585e171ca366863cce09722e71e3718c8bab6d4432f92ccea6c926191bfbf5a0b7eb570189e070c4c8ca962a504e02f04661d6e3703efa642bec980d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF27.exe
Filesize
1.1MB

MD5
6d723f32824837a925f039806621da44

SHA1
4740102a9705fb0d40c9ca8903754e44af3dbfb5

SHA256
953ed537130420cecd387eb127e1e0f87ae296ee8c9d582c5dd9a6959bc5d570

SHA512
f89f24ffe50d7be3718f451a04698e3ea3d04d62b69cdcd3ee4f0c77e90cce971ece7e2e72fa45ee7b8ec94fca6758de4fffc2b089d4ee8648689ee1178a5ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF27.exe
Filesize
1.1MB

MD5
6d723f32824837a925f039806621da44

SHA1
4740102a9705fb0d40c9ca8903754e44af3dbfb5

SHA256
953ed537130420cecd387eb127e1e0f87ae296ee8c9d582c5dd9a6959bc5d570

SHA512
f89f24ffe50d7be3718f451a04698e3ea3d04d62b69cdcd3ee4f0c77e90cce971ece7e2e72fa45ee7b8ec94fca6758de4fffc2b089d4ee8648689ee1178a5ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\logsession.dll
Filesize
774KB

MD5
c859371e43b171e58827b8735ddc2051

SHA1
02111009442ac9d2e41e1149af6b8e7a657e961b

SHA256
84e62625a0b5a78af8aa2b1d3ed735bb7cf49882214ef411f8b30bb90caaf4b4

SHA512
ee40a5604fb312db2d239b2758b85d13e49d8750928b1f2a021d805593fbdf76dacc8d4341f5cd7c53439b3765c6bfd79cfd04a462beca2dcb57cb3f0f0f7259

Download Submit
memory/436-197-0x0000000000000000-mapping.dmp

Download
memory/528-198-0x0000000000000000-mapping.dmp

Download
memory/544-172-0x00000000048D0000-0x0000000005425000-memory.dmp

Filesize
11.3MB

Download
memory/544-171-0x00000000048D0000-0x0000000005425000-memory.dmp

Filesize
11.3MB

Download
memory/544-161-0x0000000000000000-mapping.dmp

Download
memory/912-189-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/912-191-0x000000000058D000-0x00000000005A7000-memory.dmp

Filesize
104KB

Download
memory/912-182-0x0000000000000000-mapping.dmp

Download
memory/912-192-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/912-187-0x000000000058D000-0x00000000005A7000-memory.dmp

Filesize
104KB

Download
memory/912-188-0x0000000001F50000-0x0000000001F7A000-memory.dmp

Filesize
168KB

Download
memory/1536-176-0x0000000000000000-mapping.dmp

Download
memory/1584-199-0x0000000000000000-mapping.dmp

Download
memory/1852-185-0x0000000000000000-mapping.dmp

Download
memory/2248-175-0x0000000000000000-mapping.dmp

Download
memory/2276-200-0x0000000000000000-mapping.dmp

Download
memory/2548-190-0x0000000000000000-mapping.dmp

Download
memory/2888-195-0x0000000000000000-mapping.dmp

Download
memory/3324-196-0x0000000000000000-mapping.dmp

Download
memory/3336-181-0x0000000000000000-mapping.dmp

Download
memory/3424-186-0x0000000000000000-mapping.dmp

Download
memory/3932-177-0x0000000000000000-mapping.dmp

Download
memory/4268-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4268-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4268-132-0x000000000062E000-0x0000000000644000-memory.dmp

Filesize
88KB

Download
memory/4268-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4328-179-0x0000000000000000-mapping.dmp

Download
memory/4448-169-0x000002AD07A50000-0x000002AD07B90000-memory.dmp

Filesize
1.2MB

Download
memory/4448-174-0x000002AD05FD0000-0x000002AD06285000-memory.dmp

Filesize
2.7MB

Download
memory/4448-180-0x000002AD05FD0000-0x000002AD06285000-memory.dmp

Filesize
2.7MB

Download
memory/4448-173-0x0000000000D40000-0x0000000000FE4000-memory.dmp

Filesize
2.6MB

Download
memory/4448-170-0x000002AD07A50000-0x000002AD07B90000-memory.dmp

Filesize
1.2MB

Download
memory/4448-167-0x00007FF724BB6890-mapping.dmp

Download
memory/4764-193-0x0000000000000000-mapping.dmp

Download
memory/4772-194-0x0000000000000000-mapping.dmp

Download
memory/4800-148-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/4800-147-0x0000000005440000-0x0000000005F95000-memory.dmp

Filesize
11.3MB

Download
memory/4800-139-0x0000000000000000-mapping.dmp

Download
memory/4800-166-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/4800-165-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/4800-164-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/4800-163-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/4800-145-0x0000000005440000-0x0000000005F95000-memory.dmp

Filesize
11.3MB

Download
memory/4800-149-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/4800-146-0x0000000005440000-0x0000000005F95000-memory.dmp

Filesize
11.3MB

Download
memory/4952-144-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4952-143-0x0000000002320000-0x000000000244E000-memory.dmp

Filesize
1.2MB

Download
memory/4952-142-0x000000000212F000-0x0000000002218000-memory.dmp

Filesize
932KB

Download
memory/4952-136-0x0000000000000000-mapping.dmp

Download
memory/4972-178-0x0000000004550000-0x00000000050A5000-memory.dmp

Filesize
11.3MB

Download
memory/4972-153-0x0000000004550000-0x00000000050A5000-memory.dmp

Filesize
11.3MB

Download
memory/4972-168-0x0000000004550000-0x00000000050A5000-memory.dmp

Filesize
11.3MB

Download