lumma | b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e

Analysis

max time kernel
124s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

232KB
MD5

0f64159886f0ee668ffb0b74b8e2d4eb
SHA1

552b74d82f4a269c7bb1db3a95aeda90fb9347b5
SHA256

b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e
SHA512

78c10a98892db0ab4271af24f9c8a803160803475e0822315ef2f67b3cecc8d963dddf2a6c043a60948c86266d7438eebe31f80e32725b585ad3052c5d556f04
SSDEEP

3072:oXMCl1RZ72LBQwv2fOQD/coEcX/S/+7QxZjOCtsqe2Jfu8s5XDKyQ/uyhOC94c:6MU1RMLG82fOUhX/T7cJfu84DHXyUC

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3828-133-0x0000000002170000-0x0000000002179000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

66 2484 rundll32.exe
67 2484 rundll32.exe
91 2484 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

6B1E.exeD012.exeejaugwg

pid process

3680 6B1E.exe
1472 D012.exe
1500 ejaugwg

flow	pid	process
66	2484	rundll32.exe
67	2484	rundll32.exe
91	2484	rundll32.exe

pid	process
3680	6B1E.exe
1472	D012.exe
1500	ejaugwg

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tr\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\tr.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tr\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2484 rundll32.exe
4180 svchost.exe
1728 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2484	rundll32.exe
4180	svchost.exe
1728	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2484 set thread context of 3820	2484	rundll32.exe	rundll32.exe
PID 2484 set thread context of 4036	2484	rundll32.exe	rundll32.exe

Drops file in Program Files directory 39 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icucnv40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\snapshot_blob.bin	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_received.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Redact_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_pdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tr.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-hover.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

460 3680 WerFault.exe 6B1E.exe
4536 1472 WerFault.exe D012.exe

pid	pid_target	process	target process
460	3680	WerFault.exe	6B1E.exe
4536	1472	WerFault.exe	D012.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeejaugwg

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejaugwg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejaugwg
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejaugwg

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 39 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003056395e100054656d7000003a0009000400efbe0c55ec983056395e2e0000000000000000000000000000000000000000000000000071762a00540065006d007000000014000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2712

pid	process
2712

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
3828	file.exe
3828	file.exe
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2712
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

3828 file.exe

pid	process
2712

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeDebugPrivilege	2484	rundll32.exe
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3820 rundll32.exe
2712
2712
2712
2712
2712
2712
2712
2712
2484 rundll32.exe
4036 rundll32.exe
2484 rundll32.exe
2484 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2712
2712

pid	process
3820	rundll32.exe
2712
2712
2712
2712
2712
2712
2712
2712
2484	rundll32.exe
4036	rundll32.exe
2484	rundll32.exe
2484	rundll32.exe

pid	process
2712
2712

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6B1E.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2712 wrote to memory of 3680	2712		6B1E.exe
PID 2712 wrote to memory of 3680	2712		6B1E.exe
PID 2712 wrote to memory of 3680	2712		6B1E.exe
PID 3680 wrote to memory of 2484	3680	6B1E.exe	rundll32.exe
PID 3680 wrote to memory of 2484	3680	6B1E.exe	rundll32.exe
PID 3680 wrote to memory of 2484	3680	6B1E.exe	rundll32.exe
PID 2712 wrote to memory of 1472	2712		D012.exe
PID 2712 wrote to memory of 1472	2712		D012.exe
PID 2712 wrote to memory of 1472	2712		D012.exe
PID 4180 wrote to memory of 1728	4180	svchost.exe	rundll32.exe
PID 4180 wrote to memory of 1728	4180	svchost.exe	rundll32.exe
PID 4180 wrote to memory of 1728	4180	svchost.exe	rundll32.exe
PID 2484 wrote to memory of 3820	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 3820	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 3820	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 4600	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4600	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4600	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4036	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 4036	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 4036	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 4272	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4272	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4272	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4608	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4608	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4608	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 2060	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 2060	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 2060	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4300	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4300	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 4300	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 1104	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 1104	2484	rundll32.exe	schtasks.exe
PID 2484 wrote to memory of 1104	2484	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3828

C:\Users\Admin\AppData\Local\Temp\6B1E.exe
C:\Users\Admin\AppData\Local\Temp\6B1E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2484

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3820

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4600

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18636
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4036

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4272

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1104

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3244

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2660

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2348

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1216

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 540
2⤵
- Program crash
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3680 -ip 3680
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\D012.exe
C:\Users\Admin\AppData\Local\Temp\D012.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1376
2⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\tr.dll",mkFZ
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1472 -ip 1472
1⤵
PID:4072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4012

C:\Users\Admin\AppData\Roaming\ejaugwg
C:\Users\Admin\AppData\Roaming\ejaugwg
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\tr.dll
Filesize
774KB

MD5
3032a21ad8007b387d65628e5ca044e7

SHA1
aa284882d5812f0f2345fe597b7ea5b8ffd48fc6

SHA256
20554e874c04cebecfaacd2539be391b0c29f6a27ee5bf8bf2d88a406e3c7f1c

SHA512
9445cb0f8b432856214e25b3573ca36de2199a01f04b0b53948d2fbfc0cdcadb10dbd92858359ec9ad973654a1c9e497247049f1f5b86f67e110325dd15a7235

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\tr.dll
Filesize
774KB

MD5
3032a21ad8007b387d65628e5ca044e7

SHA1
aa284882d5812f0f2345fe597b7ea5b8ffd48fc6

SHA256
20554e874c04cebecfaacd2539be391b0c29f6a27ee5bf8bf2d88a406e3c7f1c

SHA512
9445cb0f8b432856214e25b3573ca36de2199a01f04b0b53948d2fbfc0cdcadb10dbd92858359ec9ad973654a1c9e497247049f1f5b86f67e110325dd15a7235

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\CiPT0000.001
Filesize
64KB

MD5
08c1446a011937f5608e5f2448443304

SHA1
53e7291e9b33e46a17d9514a6005302e79a36407

SHA256
c10595f1ade2f1adced14a578b437e6958adf631c01a4c167b14b6904eaf2680

SHA512
a7a339940faba59e5a07b715ae39df9de39a4e69913d8d347cd696709a3191483537d1c011a1bea2d5faa222bf768e33dbde5791d04458b7e14a3db494eb6b07

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
829B

MD5
87abe99363b16041e32b8a146eb53617

SHA1
b1f3f3c3939f2331dee213e480f4a4d0c753f72a

SHA256
7c8df7b34fca6387a15cbc0d6f591624a5a28bf513f71eb1077d55f1b448d856

SHA512
091ffae18e7cf41237b1039964cb4c3116275edfa34b198bbb9a0b258a99bf3b62b420fb22d747788a889f2306c30f0dc00566c432d4b2bb2e410a9e7dc69e44

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013Win32.xml
Filesize
66KB

MD5
d6269a771887562b5461c9a99bcfeacd

SHA1
d4f5647c655af50453e2097eb3e8552318f139a1

SHA256
58e3a955ba9293be903e880620c559bcd4f5b8069c3c23a3f06a9c549ed621d1

SHA512
18b23fea2436cd1c6ac8dd159660f386694abe0d6c2e5bca15e11bbf9da06a620bc4c759af1b5646bed8086576369b051bec0f41837127738bebce9f13b9dc30

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
Filesize
3.5MB

MD5
3b7853644f1050b7b3b037a8a6bcf7f2

SHA1
78282f74149d9e81dfc6a5cc6b92296eb94a08a8

SHA256
b1c5ccdb7b0bbbc5107df81cd05e2dfaf99b2cca856c191f08fd25666a446d67

SHA512
7c5bc2be3202de3055984ddb50bf1e292d58a8c3fa527e4ce2b03d0b492078af082796c3da7945f89fe256ea919738d9ecc4ecf1aa91a50cd02446f63a372fad

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\background.png
Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\guest.png
Filesize
5KB

MD5
d7ee4543371744836d520e0ce24a9ee6

SHA1
a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0

SHA256
98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9

SHA512
e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\scan_settings.ico
Filesize
62KB

MD5
8f6abfe0c274c41c3ad3c1becf2317f5

SHA1
6dc69b46e569ca11e3ec081293df69a6d115674c

SHA256
d660f44fb7efbfdcec4cba821fea1be0977e3f66cc709b313edf9ead575994a5

SHA512
ed474a6d52df65b5bf7a1bd81d54458a1258571f16b28ce043189815bf6dc57c49cb31c6f48fed9791de6b69f93331282a0c6e76e54d488ddad7e30d2333a1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B1E.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B1E.exe
Filesize
1.1MB

MD5
d631960cf949a89bbfb090d01a7059c2

SHA1
2ad73edbd36975a6c15a9c21468b31bb6e89cc4f

SHA256
551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff

SHA512
5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\D012.exe
Filesize
251KB

MD5
fe7dd689396bf62715c45735c2761eca

SHA1
2d7e535ddafa3eb554f87314c8a3634d819dc778

SHA256
fec1f657f269aa04c8cac90b500c8a2c95faef8db1e20b504617f7dccad5eb1b

SHA512
4cd59f82e826efe24c19a8f1d009ac021ad8f2b75006a1babb22141bcd5f76cdec0960680868e11604ee5a896c2494cbcde72349901916888f4d09cf68ccac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\D012.exe
Filesize
251KB

MD5
fe7dd689396bf62715c45735c2761eca

SHA1
2d7e535ddafa3eb554f87314c8a3634d819dc778

SHA256
fec1f657f269aa04c8cac90b500c8a2c95faef8db1e20b504617f7dccad5eb1b

SHA512
4cd59f82e826efe24c19a8f1d009ac021ad8f2b75006a1babb22141bcd5f76cdec0960680868e11604ee5a896c2494cbcde72349901916888f4d09cf68ccac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Roaming\ejaugwg
Filesize
232KB

MD5
0f64159886f0ee668ffb0b74b8e2d4eb

SHA1
552b74d82f4a269c7bb1db3a95aeda90fb9347b5

SHA256
b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e

SHA512
78c10a98892db0ab4271af24f9c8a803160803475e0822315ef2f67b3cecc8d963dddf2a6c043a60948c86266d7438eebe31f80e32725b585ad3052c5d556f04

Download Submit
C:\Users\Admin\AppData\Roaming\ejaugwg
Filesize
232KB

MD5
0f64159886f0ee668ffb0b74b8e2d4eb

SHA1
552b74d82f4a269c7bb1db3a95aeda90fb9347b5

SHA256
b534c8bb2281a1ab00dc19b98647a7dbc216eb1f1703eebb3cd469c8af20b74e

SHA512
78c10a98892db0ab4271af24f9c8a803160803475e0822315ef2f67b3cecc8d963dddf2a6c043a60948c86266d7438eebe31f80e32725b585ad3052c5d556f04

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\tr.dll
Filesize
774KB

MD5
3032a21ad8007b387d65628e5ca044e7

SHA1
aa284882d5812f0f2345fe597b7ea5b8ffd48fc6

SHA256
20554e874c04cebecfaacd2539be391b0c29f6a27ee5bf8bf2d88a406e3c7f1c

SHA512
9445cb0f8b432856214e25b3573ca36de2199a01f04b0b53948d2fbfc0cdcadb10dbd92858359ec9ad973654a1c9e497247049f1f5b86f67e110325dd15a7235

Download Submit
memory/1104-200-0x0000000000000000-mapping.dmp

Download
memory/1216-210-0x0000000000000000-mapping.dmp

Download
memory/1340-211-0x0000000000000000-mapping.dmp

Download
memory/1472-177-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1472-153-0x00000000007BD000-0x00000000007D7000-memory.dmp

Filesize
104KB

Download
memory/1472-154-0x0000000002050000-0x000000000207A000-memory.dmp

Filesize
168KB

Download
memory/1472-155-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1472-147-0x0000000000000000-mapping.dmp

Download
memory/1500-201-0x000000000071D000-0x0000000000733000-memory.dmp

Filesize
88KB

Download
memory/1500-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-207-0x0000000000000000-mapping.dmp

Download
memory/1728-176-0x0000000005040000-0x0000000005B95000-memory.dmp

Filesize
11.3MB

Download
memory/1728-197-0x0000000005040000-0x0000000005B95000-memory.dmp

Filesize
11.3MB

Download
memory/1728-166-0x0000000000000000-mapping.dmp

Download
memory/1728-178-0x0000000005040000-0x0000000005B95000-memory.dmp

Filesize
11.3MB

Download
memory/2060-198-0x0000000000000000-mapping.dmp

Download
memory/2348-209-0x0000000000000000-mapping.dmp

Download
memory/2484-171-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-139-0x0000000000000000-mapping.dmp

Download
memory/2484-146-0x0000000004A90000-0x00000000055E5000-memory.dmp

Filesize
11.3MB

Download
memory/2484-172-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-150-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-151-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-152-0x0000000004A90000-0x00000000055E5000-memory.dmp

Filesize
11.3MB

Download
memory/2484-169-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-170-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-187-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-186-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-185-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2484-183-0x0000000004240000-0x0000000004380000-memory.dmp

Filesize
1.2MB

Download
memory/2608-203-0x0000000000000000-mapping.dmp

Download
memory/2660-208-0x0000000000000000-mapping.dmp

Download
memory/3244-205-0x0000000000000000-mapping.dmp

Download
memory/3680-143-0x00000000022C0000-0x00000000023EE000-memory.dmp

Filesize
1.2MB

Download
memory/3680-142-0x000000000216B000-0x0000000002254000-memory.dmp

Filesize
932KB

Download
memory/3680-144-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3680-136-0x0000000000000000-mapping.dmp

Download
memory/3820-179-0x0000000000B30000-0x0000000000DD4000-memory.dmp

Filesize
2.6MB

Download
memory/3820-182-0x000002DB71E20000-0x000002DB720D5000-memory.dmp

Filesize
2.7MB

Download
memory/3820-180-0x000002DB71E20000-0x000002DB720D5000-memory.dmp

Filesize
2.7MB

Download
memory/3820-173-0x00007FF7C16E6890-mapping.dmp

Download
memory/3820-175-0x000002DB73880000-0x000002DB739C0000-memory.dmp

Filesize
1.2MB

Download
memory/3820-174-0x000002DB73880000-0x000002DB739C0000-memory.dmp

Filesize
1.2MB

Download
memory/3828-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-133-0x0000000002170000-0x0000000002179000-memory.dmp

Filesize
36KB

Download
memory/3828-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-132-0x000000000051D000-0x0000000000533000-memory.dmp

Filesize
88KB

Download
memory/4036-190-0x000002ABEF790000-0x000002ABEF8D0000-memory.dmp

Filesize
1.2MB

Download
memory/4036-192-0x000002ABEDD10000-0x000002ABEDFC5000-memory.dmp

Filesize
2.7MB

Download
memory/4036-191-0x000002ABEDD10000-0x000002ABEDFC5000-memory.dmp

Filesize
2.7MB

Download
memory/4036-189-0x000002ABEF790000-0x000002ABEF8D0000-memory.dmp

Filesize
1.2MB

Download
memory/4036-188-0x00007FF7C16E6890-mapping.dmp

Download
memory/4180-194-0x0000000003F20000-0x0000000004A75000-memory.dmp

Filesize
11.3MB

Download
memory/4180-159-0x0000000003F20000-0x0000000004A75000-memory.dmp

Filesize
11.3MB

Download
memory/4180-168-0x0000000003F20000-0x0000000004A75000-memory.dmp

Filesize
11.3MB

Download
memory/4272-184-0x0000000000000000-mapping.dmp

Download
memory/4300-199-0x0000000000000000-mapping.dmp

Download
memory/4600-181-0x0000000000000000-mapping.dmp

Download
memory/4608-193-0x0000000000000000-mapping.dmp

Download
memory/5028-206-0x0000000000000000-mapping.dmp

Download