lumma | 9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5

Analysis

max time kernel
118s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe
Size

206KB
MD5

27563a743a23dadb84bb9b8eca509df7
SHA1

38914555fc792f4e97f72ec7ad3420ca27b47d8d
SHA256

9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5
SHA512

a2ba7353061b8a97a80addc1d96952e0b168f32eb765444e0cfaa1f18fbcf27359df91438c9dbbc922f97c79a7b679091c6afc887b2d423738360f50b1f6f094
SSDEEP

3072:nXwM1MIy56tTQzB5XABqfz0seijbK+wpi1ARRxxwHRiQapb:XUIy56WzrXz8qK3kRKp

Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-133-0x00000000048D0000-0x00000000048D9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

30 4016 rundll32.exe
31 4016 rundll32.exe
34 4016 rundll32.exe
50 4016 rundll32.exe
54 4016 rundll32.exe
74 4016 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

CC9C.exerjvfvac6F45.exe

pid process

1020 CC9C.exe
4908 rjvfvac
4696 6F45.exe

flow	pid	process
30	4016	rundll32.exe
31	4016	rundll32.exe
34	4016	rundll32.exe
50	4016	rundll32.exe
54	4016	rundll32.exe
74	4016	rundll32.exe

pid	process
1020	CC9C.exe
4908	rjvfvac
4696	6F45.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_agreement_filetype\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_agreement_filetype.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_agreement_filetype\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4016 rundll32.exe
4812 svchost.exe
4336 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4016	rundll32.exe
4812	svchost.exe
4336	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4016 set thread context of 2132 4016 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4016 set thread context of 2132	4016	rundll32.exe	rundll32.exe

Drops file in Program Files directory 23 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AppCenter_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_email.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4844 1020 WerFault.exe CC9C.exe
2776 4696 WerFault.exe 6F45.exe

pid	pid_target	process	target process
4844	1020	WerFault.exe	CC9C.exe
2776	4696	WerFault.exe	6F45.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exerjvfvac

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rjvfvac
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rjvfvac
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rjvfvac
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f56824a100054656d7000003a0009000400efbe6b55586c2f56864a2e000000000000000000000000000000000000000000000000004e2fc400540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1068

pid	process
1068

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe

pid	process
2200	9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe
2200	9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1068
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exerjvfvac

pid process

2200 9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe
4908 rjvfvac

pid	process
1068

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeDebugPrivilege	4016	rundll32.exe
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068
Token: SeCreatePagefilePrivilege	1068
Token: SeShutdownPrivilege	1068

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

rundll32.exerundll32.exe

pid	process
2132	rundll32.exe
1068
1068
1068
1068
4016	rundll32.exe
1068
1068
1068
1068
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1068
1068

pid	process
1068
1068

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

CC9C.exesvchost.exerundll32.exe

description	pid	process	target process
PID 1068 wrote to memory of 1020	1068		CC9C.exe
PID 1068 wrote to memory of 1020	1068		CC9C.exe
PID 1068 wrote to memory of 1020	1068		CC9C.exe
PID 1020 wrote to memory of 4016	1020	CC9C.exe	rundll32.exe
PID 1020 wrote to memory of 4016	1020	CC9C.exe	rundll32.exe
PID 1020 wrote to memory of 4016	1020	CC9C.exe	rundll32.exe
PID 4812 wrote to memory of 4336	4812	svchost.exe	rundll32.exe
PID 4812 wrote to memory of 4336	4812	svchost.exe	rundll32.exe
PID 4812 wrote to memory of 4336	4812	svchost.exe	rundll32.exe
PID 1068 wrote to memory of 4696	1068		6F45.exe
PID 1068 wrote to memory of 4696	1068		6F45.exe
PID 1068 wrote to memory of 4696	1068		6F45.exe
PID 4016 wrote to memory of 2132	4016	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 2132	4016	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 2132	4016	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 3488	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3488	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3488	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 5012	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 5012	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 5012	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4592	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4592	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4592	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3076	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3076	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3076	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4780	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4780	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4780	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4604	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4604	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4604	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2036	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2036	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2036	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2168	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2168	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2168	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 1788	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 1788	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 1788	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2588	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2588	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 2588	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4484	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4484	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4484	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3920	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3920	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 3920	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4140	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4140	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4140	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4480	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4480	4016	rundll32.exe	schtasks.exe
PID 4016 wrote to memory of 4480	4016	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe
"C:\Users\Admin\AppData\Local\Temp\9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2200

C:\Users\Admin\AppData\Local\Temp\CC9C.exe
C:\Users\Admin\AppData\Local\Temp\CC9C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4016

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3488

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5012

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4592

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3076

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4780

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2168

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1788

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2588

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4484

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3920

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4140

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4480

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4064

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4916

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3716

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3504

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2076

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2620

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2248

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 528
2⤵
- Program crash
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1020 -ip 1020
1⤵
PID:3652

C:\Users\Admin\AppData\Roaming\rjvfvac
C:\Users\Admin\AppData\Roaming\rjvfvac
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\s_agreement_filetype.dll",Rgo8RVZESUFE
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4336

C:\Users\Admin\AppData\Local\Temp\6F45.exe
C:\Users\Admin\AppData\Local\Temp\6F45.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1368
2⤵
- Program crash
PID:2776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4696 -ip 4696
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.dll

Filesize
774KB

MD5
53da1eb61f128f7f71497f06d9c593b2

SHA1
e5cb75b1a459f7dccaf7d1ead630bcfd46b15ef4

SHA256
3adcc8a383ddc16c7a907c40d2a62d851d2f8fd1e0d4fec3ba56da5d04d273a3

SHA512
c524005408e049f8320a0da3248d9f148e051e67489f966cc2f008b674f3eb757d447a7adfc1696e662a8c5e28637db2f8de5b4008eca7ef5097cdee9f2e895b

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.dll

Filesize
774KB

MD5
53da1eb61f128f7f71497f06d9c593b2

SHA1
e5cb75b1a459f7dccaf7d1ead630bcfd46b15ef4

SHA256
3adcc8a383ddc16c7a907c40d2a62d851d2f8fd1e0d4fec3ba56da5d04d273a3

SHA512
c524005408e049f8320a0da3248d9f148e051e67489f966cc2f008b674f3eb757d447a7adfc1696e662a8c5e28637db2f8de5b4008eca7ef5097cdee9f2e895b

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml

Filesize
109KB

MD5
1ff29aea22999055b5c3dda5785a807c

SHA1
cd93580b22754e44c6fda2b1127bf6539deea0c6

SHA256
a738adb72546d0ea134a20abe3adbeb8bc6c7b90d04cc72d2f217c154c83ce11

SHA512
ab28afe92584956fd6656d05a9e910bf45312b2f7b23e97ab92e4a95ae014300c16a509c1e81dc18c7e180cf9c6a74a2146cf0b53083a4d9c99c0eb97b0323c5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

Filesize
14KB

MD5
cc78ff3a9bbf1967185797f3eac2090a

SHA1
80204fdfac8110dddc7e5c59ada69feef33a0614

SHA256
7afbc0905a69b223e8098f1a9b34fcf454ba79535873933df9c12dc8660174c3

SHA512
5ecf695a9be7c5521d1429fe696cb7d1d4d361b43f819b77e76828d5314e444ad61bd3c66f1cd7b7fea9c6138808a1194bc556cd5195658132121444d5a3636d

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.CredDialogHost_10.0.19041.1023_neutral__cw5n1h2txyewy.xml

Filesize
1KB

MD5
8c59faf203fc8a2a460920be06eb2b4e

SHA1
833cf94c8a893ed6199812f4ca6f177af7dc43c1

SHA256
b7e5f69aa3d04494c0a0d3a09b70d48b38b5264f74c04a49e5886bb6cc78889a

SHA512
5fa0271ecb6995cac9c003e6d3313c6fa5f89a360711ff4b80292379f58c33d8802413c8c63d1312913934a7144f0a2cfffddeab05d69afd4a1d810c5003bc5f

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
820B

MD5
09eb72768015735e81d549d7a5087631

SHA1
0dc0de9d9f1f94a73b760e13dbfb033d58b2962c

SHA256
803200facef08eb731bceb63813c1c873628a271ada9661dda6bb4b638ccb5f8

SHA512
240680b7e01215938623781f3431fb5ae8a2630590285a824f7e41e63e8e06f6fa79e641f4ace6d9dcb96f0c3fe3e928f5ac0eb2992158bda8cb83e95c7e916a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013Win32.xml

Filesize
66KB

MD5
d6269a771887562b5461c9a99bcfeacd

SHA1
d4f5647c655af50453e2097eb3e8552318f139a1

SHA256
58e3a955ba9293be903e880620c559bcd4f5b8069c3c23a3f06a9c549ed621d1

SHA512
18b23fea2436cd1c6ac8dd159660f386694abe0d6c2e5bca15e11bbf9da06a620bc4c759af1b5646bed8086576369b051bec0f41837127738bebce9f13b9dc30

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\NetworkPrinters.xml

Filesize
2KB

MD5
774c9f44e6ff0b1798e092ed1df9a1fc

SHA1
a40a3292a55cb4f6f101a04f247f83196bf54716

SHA256
ef22a638f62476efac099497b1251bef64f115fa4752ad20467614571cf5ae5f

SHA512
529e66cd53361e631b7bfabff0063ac37a39e7adb0f2890db461a55de6430059015d6f6ca1cf447da759edd463b32c2007e6411d6d84a999a7d998f574fe2748

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
7a64b7899c7bb74ac2324b0bfc679468

SHA1
d02f40f23c8afa4b28db21558354e81a63f6d440

SHA256
97f4aef7299f54d1f1937521559d95f1f3668f9183a9a5dd594993d8982be28e

SHA512
0c99b64ebb06c629e3c9e5ccdf24143f0814d84c90cf4912522fdd82ec45e23103e7d2a630cdb432a074be080a88b5d0ba2b75a59fd03fee5fda47b1b96e24a9

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\background.png

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\print_property.ico

Filesize
58KB

MD5
30d7062e069bc0a9b34f4034090c1aae

SHA1
e5fcedd8e4cc0463c0bc6912b1791f2876e28a61

SHA256
24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000

SHA512
85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F45.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F45.exe

Filesize
245KB

MD5
4341e22f2a2b9cd03f1f269badc736bc

SHA1
12f2739b29db54de44adfef697b26cc00b3b352d

SHA256
59a17f7f20936d429ceb4729499ffc12fc2b9373a20ec277e396d7699fc6ebe0

SHA512
316803a0adac5d7ec7be0b4523f80f86eced66587ddcf50a4368d1d4b31bdda7e49f482f2dc8e36a3fbe1f6ab79ed20bd5cc18a262854b8e8a257f19a21b33ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC9C.exe

Filesize
1.0MB

MD5
cdaa1a093ef0360df6c70af0baeeefbd

SHA1
b4417c52eaeccd47805d2d36c4ac6ed91d5fd582

SHA256
d31d4c78c9d18ec58bff005ffb8dc8314369116628168fe886c9568ec1e2086e

SHA512
0c9e82bdec30dc0a0e043e8109d715ee095335ade3a0a83011a430c50be0363780f3bc6feefbf71532655b1d550e4ecd7e7d5d68d5d3e77f232baaec6dabc5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC9C.exe

Filesize
1.0MB

MD5
cdaa1a093ef0360df6c70af0baeeefbd

SHA1
b4417c52eaeccd47805d2d36c4ac6ed91d5fd582

SHA256
d31d4c78c9d18ec58bff005ffb8dc8314369116628168fe886c9568ec1e2086e

SHA512
0c9e82bdec30dc0a0e043e8109d715ee095335ade3a0a83011a430c50be0363780f3bc6feefbf71532655b1d550e4ecd7e7d5d68d5d3e77f232baaec6dabc5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Roaming\rjvfvac

Filesize
206KB

MD5
27563a743a23dadb84bb9b8eca509df7

SHA1
38914555fc792f4e97f72ec7ad3420ca27b47d8d

SHA256
9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5

SHA512
a2ba7353061b8a97a80addc1d96952e0b168f32eb765444e0cfaa1f18fbcf27359df91438c9dbbc922f97c79a7b679091c6afc887b2d423738360f50b1f6f094

Download Submit
C:\Users\Admin\AppData\Roaming\rjvfvac

Filesize
206KB

MD5
27563a743a23dadb84bb9b8eca509df7

SHA1
38914555fc792f4e97f72ec7ad3420ca27b47d8d

SHA256
9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5

SHA512
a2ba7353061b8a97a80addc1d96952e0b168f32eb765444e0cfaa1f18fbcf27359df91438c9dbbc922f97c79a7b679091c6afc887b2d423738360f50b1f6f094

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\s_agreement_filetype.dll

Filesize
774KB

MD5
53da1eb61f128f7f71497f06d9c593b2

SHA1
e5cb75b1a459f7dccaf7d1ead630bcfd46b15ef4

SHA256
3adcc8a383ddc16c7a907c40d2a62d851d2f8fd1e0d4fec3ba56da5d04d273a3

SHA512
c524005408e049f8320a0da3248d9f148e051e67489f966cc2f008b674f3eb757d447a7adfc1696e662a8c5e28637db2f8de5b4008eca7ef5097cdee9f2e895b

Download Submit
memory/1020-144-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/1020-136-0x0000000000000000-mapping.dmp

Download
memory/1020-142-0x0000000004A06000-0x0000000004AEF000-memory.dmp

Filesize
932KB

Download
memory/1020-143-0x0000000004AF0000-0x0000000004C1E000-memory.dmp

Filesize
1.2MB

Download
memory/1788-198-0x0000000000000000-mapping.dmp

Download
memory/2036-196-0x0000000000000000-mapping.dmp

Download
memory/2076-209-0x0000000000000000-mapping.dmp

Download
memory/2132-183-0x00000202F3980000-0x00000202F3C35000-memory.dmp

Filesize
2.7MB

Download
memory/2132-180-0x00000202F3800000-0x00000202F3940000-memory.dmp

Filesize
1.2MB

Download
memory/2132-179-0x00007FF628526890-mapping.dmp

Download
memory/2132-181-0x00000202F3800000-0x00000202F3940000-memory.dmp

Filesize
1.2MB

Download
memory/2132-182-0x0000000000520000-0x00000000007C4000-memory.dmp

Filesize
2.6MB

Download
memory/2168-197-0x0000000000000000-mapping.dmp

Download
memory/2200-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2200-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/2200-132-0x0000000002D18000-0x0000000002D29000-memory.dmp

Filesize
68KB

Download
memory/2200-133-0x00000000048D0000-0x00000000048D9000-memory.dmp

Filesize
36KB

Download
memory/2248-212-0x0000000000000000-mapping.dmp

Download
memory/2588-199-0x0000000000000000-mapping.dmp

Download
memory/2620-211-0x0000000000000000-mapping.dmp

Download
memory/2884-210-0x0000000000000000-mapping.dmp

Download
memory/3076-193-0x0000000000000000-mapping.dmp

Download
memory/3100-205-0x0000000000000000-mapping.dmp

Download
memory/3488-184-0x0000000000000000-mapping.dmp

Download
memory/3504-208-0x0000000000000000-mapping.dmp

Download
memory/3716-207-0x0000000000000000-mapping.dmp

Download
memory/3920-201-0x0000000000000000-mapping.dmp

Download
memory/4016-175-0x0000000006090000-0x00000000061D0000-memory.dmp

Filesize
1.2MB

Download
memory/4016-177-0x0000000006090000-0x00000000061D0000-memory.dmp

Filesize
1.2MB

Download
memory/4016-176-0x0000000007BA0000-0x0000000007CE0000-memory.dmp

Filesize
1.2MB

Download
memory/4016-139-0x0000000000000000-mapping.dmp

Download
memory/4016-154-0x0000000006090000-0x00000000061D0000-memory.dmp

Filesize
1.2MB

Download
memory/4016-178-0x0000000006090000-0x00000000061D0000-memory.dmp

Filesize
1.2MB

Download
memory/4016-153-0x0000000006090000-0x00000000061D0000-memory.dmp

Filesize
1.2MB

Download
memory/4016-152-0x0000000005470000-0x0000000005FC5000-memory.dmp

Filesize
11.3MB

Download
memory/4016-151-0x0000000005470000-0x0000000005FC5000-memory.dmp

Filesize
11.3MB

Download
memory/4016-150-0x0000000005470000-0x0000000005FC5000-memory.dmp

Filesize
11.3MB

Download
memory/4064-204-0x0000000000000000-mapping.dmp

Download
memory/4140-202-0x0000000000000000-mapping.dmp

Download
memory/4336-171-0x0000000004CD0000-0x0000000005825000-memory.dmp

Filesize
11.3MB

Download
memory/4336-191-0x0000000004CD0000-0x0000000005825000-memory.dmp

Filesize
11.3MB

Download
memory/4336-167-0x0000000000000000-mapping.dmp

Download
memory/4336-169-0x0000000004CD0000-0x0000000005825000-memory.dmp

Filesize
11.3MB

Download
memory/4480-203-0x0000000000000000-mapping.dmp

Download
memory/4484-200-0x0000000000000000-mapping.dmp

Download
memory/4516-213-0x0000000000000000-mapping.dmp

Download
memory/4592-192-0x0000000000000000-mapping.dmp

Download
memory/4604-195-0x0000000000000000-mapping.dmp

Download
memory/4696-189-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4696-185-0x0000000002CB9000-0x0000000002CD3000-memory.dmp

Filesize
104KB

Download
memory/4696-187-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/4696-172-0x0000000000000000-mapping.dmp

Download
memory/4696-186-0x0000000002C40000-0x0000000002C6A000-memory.dmp

Filesize
168KB

Download
memory/4780-194-0x0000000000000000-mapping.dmp

Download
memory/4812-158-0x0000000003A90000-0x00000000045E5000-memory.dmp

Filesize
11.3MB

Download
memory/4812-170-0x0000000003A90000-0x00000000045E5000-memory.dmp

Filesize
11.3MB

Download
memory/4812-190-0x0000000003A90000-0x00000000045E5000-memory.dmp

Filesize
11.3MB

Download
memory/4908-149-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/4908-148-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/4908-147-0x0000000002BC8000-0x0000000002BD8000-memory.dmp

Filesize
64KB

Download
memory/4916-206-0x0000000000000000-mapping.dmp

Download
memory/5012-188-0x0000000000000000-mapping.dmp

Download