baabe38154bc2271d603513346457154.exe

General

Target: baabe38154bc2271d603513346457154.exe
Filesize: 1MB
Completed: 29-09-2021 10:08
Score: 10/10
MD5: baabe38154bc2271d603513346457154
SHA1: 86ebdcd4ba7e7985c80f3897d5adba2d2c923d52
SHA256: 0c1978c1bc51c425f13e670074ddfd36d3e6e458dab5bcb1527c2b37953e13d6

Malware Config

Extracted

Family: danabot
Version: 2052
Botnet: 4
C2:
  142.11.192.232:443
  192.119.110.73:443
  142.11.242.31:443
  192.210.222.88:443
Attributes:
  embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
  rsa_privkey.plain
  rsa_pubkey.plain

Signatures 15

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000700000001224a-59.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-60.dat | DanabotLoader2021
    behavioral1/memory/1616-64-0x0000000001EA0000-0x0000000002004000-memory.dmp | DanabotLoader2021
    behavioral1/files/0x000700000001224a-63.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-62.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-61.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-69.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-70.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-68.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-71.dat | DanabotLoader2021
    behavioral1/memory/1396-72-0x0000000000AA0000-0x0000000000C04000-memory.dmp | DanabotLoader2021
    behavioral1/files/0x000700000001224a-81.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-82.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-80.dat | DanabotLoader2021
    behavioral1/files/0x000700000001224a-83.dat | DanabotLoader2021
    behavioral1/memory/1052-84-0x0000000002070000-0x00000000021D4000-memory.dmp | DanabotLoader2021
  • Blocklisted process makes network request
    rundll32.exe, RUNDLL32.EXE

    Reported IOCs

    flow | pid | process
    2 | 1616 | rundll32.exe
    3 | 1396 | RUNDLL32.EXE
  • Loads dropped DLL
    rundll32.exe, RUNDLL32.EXE, RUNDLL32.EXE

    Reported IOCs

    pid | process
    1616 | rundll32.exe
    1616 | rundll32.exe
    1616 | rundll32.exe
    1616 | rundll32.exe
    1396 | RUNDLL32.EXE
    1396 | RUNDLL32.EXE
    1396 | RUNDLL32.EXE
    1396 | RUNDLL32.EXE
    1052 | RUNDLL32.EXE
    1052 | RUNDLL32.EXE
    1052 | RUNDLL32.EXE
    1052 | RUNDLL32.EXE
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Suspicious use of SetThreadContext
    RUNDLL32.EXE

    Reported IOCs

    description | pid | process | target process
    PID 1052 set thread context of 1700 | 1052 | RUNDLL32.EXE | rundll32.exe
  • Drops file in Program Files directory
    rundll32.exe

    Reported IOCs

    description | ioc | process
    File created | C:\PROGRA~3\zohplghndapsm.tmp | rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    RUNDLL32.EXE, RUNDLL32.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | RUNDLL32.EXE
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
    Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID | RUNDLL32.EXE
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
    Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature | RUNDLL32.EXE
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
  • Modifies system certificate store
    RUNDLL32.EXE

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BEEBD4DCF0BFBF05F81B128510D7ECD0C27A5CD | RUNDLL32.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BEEBD4DCF0BFBF05F81B128510D7ECD0C27A5CD\Blob = <certificate blob omitted> | RUNDLL32.EXE
  • Suspicious behavior: EnumeratesProcesses
    RUNDLL32.EXE, RUNDLL32.EXE, powershell.exe, powershell.exe

    Reported IOCs

    pid | process
    1396 | RUNDLL32.EXE
    1396 | RUNDLL32.EXE
    1396 | RUNDLL32.EXE
    1052 | RUNDLL32.EXE
    1648 | powershell.exe
    1396 | RUNDLL32.EXE
    1396 | RUNDLL32.EXE
    280 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    RUNDLL32.EXE, powershell.exe, powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1396 | RUNDLL32.EXE
    Token: SeDebugPrivilege | 1648 | powershell.exe
    Token: SeDebugPrivilege | 280 | powershell.exe
  • Suspicious use of FindShellTrayWindow
    rundll32.exe, RUNDLL32.EXE

    Reported IOCs

    pid | process
    1700 | rundll32.exe
    1396 | RUNDLL32.EXE
  • Suspicious use of WriteProcessMemory
    baabe38154bc2271d603513346457154.exe, rundll32.exe, RUNDLL32.EXE, RUNDLL32.EXE, rundll32.exe, powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 2040 wrote to memory of 1616 | 2040 | baabe38154bc2271d603513346457154.exe | rundll32.exe
    PID 2040 wrote to memory of 1616 | 2040 | baabe38154bc2271d603513346457154.exe | rundll32.exe
    PID 2040 wrote to memory of 1616 | 2040 | baabe38154bc2271d603513346457154.exe | rundll32.exe
    PID 2040 wrote to memory of 1616 | 2040 | baabe38154bc2271d603513346457154.exe | rundll32.exe
    PID 2040 wrote to memory of 1616 | 2040 | baabe38154bc2271d603513346457154.exe | rundll32.exe
    PID 2040 wrote to memory of 1616 | 2040 | baabe38154bc2271d603513346457154.exe | rundll32.exe
    PID 2040 wrote to memory of 1616 | 2040 | baabe38154bc2271d603513346457154.exe | rundll32.exe
    PID 1616 wrote to memory of 1396 | 1616 | rundll32.exe | RUNDLL32.EXE
    PID 1616 wrote to memory of 1396 | 1616 | rundll32.exe | RUNDLL32.EXE
    PID 1616 wrote to memory of 1396 | 1616 | rundll32.exe | RUNDLL32.EXE
    PID 1616 wrote to memory of 1396 | 1616 | rundll32.exe | RUNDLL32.EXE
    PID 1616 wrote to memory of 1396 | 1616 | rundll32.exe | RUNDLL32.EXE
    PID 1616 wrote to memory of 1396 | 1616 | rundll32.exe | RUNDLL32.EXE
    PID 1616 wrote to memory of 1396 | 1616 | rundll32.exe | RUNDLL32.EXE
    PID 1396 wrote to memory of 1052 | 1396 | RUNDLL32.EXE | RUNDLL32.EXE
    PID 1396 wrote to memory of 1052 | 1396 | RUNDLL32.EXE | RUNDLL32.EXE
    PID 1396 wrote to memory of 1052 | 1396 | RUNDLL32.EXE | RUNDLL32.EXE
    PID 1396 wrote to memory of 1052 | 1396 | RUNDLL32.EXE | RUNDLL32.EXE
    PID 1396 wrote to memory of 1052 | 1396 | RUNDLL32.EXE | RUNDLL32.EXE
    PID 1396 wrote to memory of 1052 | 1396 | RUNDLL32.EXE | RUNDLL32.EXE
    PID 1396 wrote to memory of 1052 | 1396 | RUNDLL32.EXE | RUNDLL32.EXE
    PID 1052 wrote to memory of 1700 | 1052 | RUNDLL32.EXE | rundll32.exe
    PID 1052 wrote to memory of 1700 | 1052 | RUNDLL32.EXE | rundll32.exe
    PID 1052 wrote to memory of 1700 | 1052 | RUNDLL32.EXE | rundll32.exe
    PID 1052 wrote to memory of 1700 | 1052 | RUNDLL32.EXE | rundll32.exe
    PID 1052 wrote to memory of 1700 | 1052 | RUNDLL32.EXE | rundll32.exe
    PID 1700 wrote to memory of 1868 | 1700 | rundll32.exe | ctfmon.exe
    PID 1700 wrote to memory of 1868 | 1700 | rundll32.exe | ctfmon.exe
    PID 1700 wrote to memory of 1868 | 1700 | rundll32.exe | ctfmon.exe
    PID 1396 wrote to memory of 1648 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 1396 wrote to memory of 1648 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 1396 wrote to memory of 1648 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 1396 wrote to memory of 1648 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 1396 wrote to memory of 280 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 1396 wrote to memory of 280 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 1396 wrote to memory of 280 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 1396 wrote to memory of 280 | 1396 | RUNDLL32.EXE | powershell.exe
    PID 280 wrote to memory of 1288 | 280 | powershell.exe | nslookup.exe
    PID 280 wrote to memory of 1288 | 280 | powershell.exe | nslookup.exe
    PID 280 wrote to memory of 1288 | 280 | powershell.exe | nslookup.exe
    PID 280 wrote to memory of 1288 | 280 | powershell.exe | nslookup.exe
    PID 1396 wrote to memory of 1312 | 1396 | RUNDLL32.EXE | schtasks.exe
    PID 1396 wrote to memory of 1312 | 1396 | RUNDLL32.EXE | schtasks.exe
    PID 1396 wrote to memory of 1312 | 1396 | RUNDLL32.EXE | schtasks.exe
    PID 1396 wrote to memory of 1312 | 1396 | RUNDLL32.EXE | schtasks.exe
    PID 1396 wrote to memory of 288 | 1396 | RUNDLL32.EXE | schtasks.exe
    PID 1396 wrote to memory of 288 | 1396 | RUNDLL32.EXE | schtasks.exe
    PID 1396 wrote to memory of 288 | 1396 | RUNDLL32.EXE | schtasks.exe
    PID 1396 wrote to memory of 288 | 1396 | RUNDLL32.EXE | schtasks.exe
Processes 11
  • C:\Users\Admin\AppData\Local\Temp\baabe38154bc2271d603513346457154.exe
    "C:\Users\Admin\AppData\Local\Temp\baabe38154bc2271d603513346457154.exe"
    Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,s C:\Users\Admin\AppData\Local\Temp\BAABE3~1.EXE
      Blocklisted process makes network request
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,dDBESGc=
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\SysWOW64\RUNDLL32.EXE
          C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,VRFDelZCSQ==
          Loads dropped DLL
          Suspicious use of SetThreadContext
          Checks processor information in registry
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\system32\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17710
            Suspicious use of FindShellTrayWindow
            Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\system32\ctfmon.exe
              ctfmon.exe
              PID:1868
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD49C.tmp.ps1"
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1648
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE4D4.tmp.ps1"
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:280
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            PID:1288
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
          PID:1312
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          PID:288
Network

MITRE ATT&CK Matrix
Tactics: Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\PROGRA~3\zohplghndapsm.tmp
    MD5: 9eb3a3c5a39be44d116344b3f9e47fe6
    SHA1: 646b5af60e757fbe3089fe3b3b132ff2b9082749
    SHA256: 8cacc708426afe4d53ac3fffea0d4a64e5ee77ad8f2a86eeadd382a27fb924a0
    SHA512: 9384dea71822b9f57928b122c572fdb39980e418ab04afba7a81147105ed1b9e7afb4b638d5a6a26c77cd0eaa8c8c7c8701d9896b19bc9c094253d9d78ec74fe

  • C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL
    MD5: c2afeff9ef98b5e44bbfeef41beb8b07
    SHA1: 9f26cab71992a7df8b0705e1361bda27b78e16fc
    SHA256: b3a37d86397991db273155d9f60c3abab4d33c5f3b2c2e731a2cf161dbdba5aa
    SHA512: d6b2fde40d16181c21cf55ffd16d43b44018876b11f828d4cd475cb554124152e6258e671e82bde494ef8b4255c7b7b23e70b100835c2701da1a1a474799c022

  • C:\Users\Admin\AppData\Local\Temp\tmpD49C.tmp.ps1
    MD5: 4ee63512eec18259ae30466e5650b569
    SHA1: 8ebcd8099282454712b583571913e2c0d480021d
    SHA256: 5086f28b377d3b36cc00973c28aff0a150c1e17e8acc0dba3a21280008b46c59
    SHA512: f28413fb6148bc151c60cbd3425f38a70b7b45a2958b4a2667be8948c513ed9a7b20fd8f3c0a4168587d19ff86cf13b9e548adf21975894dff843ead2324701c

  • C:\Users\Admin\AppData\Local\Temp\tmpE4D4.tmp.ps1
    MD5: 9730a30ed7c29a3c6d10327050d87656
    SHA1: 572700c76867957d910ebee04033692960b98c18
    SHA256: f64a7aa518f79097bc90dec9c35fb6c5716a6b1d1d348343c81cbb1a048de9bb
    SHA512: 8e5fe8e4376675d5d216cf533988076fd7d9f0ca9f7ca728f472ba4d76dd5df45745f54743146e208e8e04d16213f1c745371263e0783c6fd2df55908a112b78

  • C:\Users\Admin\AppData\Local\Temp\tmpE4D5.tmp
    MD5: 1860260b2697808b80802352fe324782
    SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
    SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
    SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5: 4a962704d4ef8fd1eb7c272abb118106
    SHA1: 9ba5e33faa8dfb087cb523fd3baf8fd3be0fd1f4
    SHA256: af75c58dc83f8143a6bc9f0d2a721e6c9a61503a1ab54e7859285a5624eb30b1
    SHA512: c3e247e81bbb5aac8536a7cddb260c2ef4f2a6643e5105cd15005fbc11487cc4da30d02f6a5721b7a6504b53e855f805dd5e973d2668c070715134b3067bfe90

  • \??\PIPE\srvsvc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\BAABE3~1.DLL
    MD5: c2afeff9ef98b5e44bbfeef41beb8b07
    SHA1: 9f26cab71992a7df8b0705e1361bda27b78e16fc
    SHA256: b3a37d86397991db273155d9f60c3abab4d33c5f3b2c2e731a2cf161dbdba5aa
    SHA512: d6b2fde40d16181c21cf55ffd16d43b44018876b11f828d4cd475cb554124152e6258e671e82bde494ef8b4255c7b7b23e70b100835c2701da1a1a474799c022

  • memory/280-108-0x0000000002540000-0x0000000002541000-memory.dmp
  • memory/280-109-0x0000000002541000-0x0000000002542000-memory.dmp
  • memory/280-110-0x0000000002542000-0x0000000002544000-memory.dmp
  • memory/280-100-0x0000000000000000-mapping.dmp
  • memory/288-111-0x0000000000000000-mapping.dmp
  • memory/1052-78-0x0000000000000000-mapping.dmp
  • memory/1052-90-0x00000000001E0000-0x00000000001E1000-memory.dmp
  • memory/1052-84-0x0000000002070000-0x00000000021D4000-memory.dmp
  • memory/1052-86-0x00000000034F0000-0x00000000034F1000-memory.dmp
  • memory/1052-87-0x00000000024B0000-0x0000000003495000-memory.dmp
  • memory/1288-105-0x0000000000000000-mapping.dmp
  • memory/1312-107-0x0000000000000000-mapping.dmp
  • memory/1396-77-0x0000000002450000-0x0000000003435000-memory.dmp
  • memory/1396-66-0x0000000000000000-mapping.dmp
  • memory/1396-72-0x0000000000AA0000-0x0000000000C04000-memory.dmp
  • memory/1616-57-0x0000000000000000-mapping.dmp
  • memory/1616-65-0x0000000002210000-0x0000000002211000-memory.dmp
  • memory/1616-74-0x00000000027F0000-0x00000000037D5000-memory.dmp
  • memory/1616-64-0x0000000001EA0000-0x0000000002004000-memory.dmp
  • memory/1648-97-0x0000000002361000-0x0000000002362000-memory.dmp
  • memory/1648-96-0x0000000002360000-0x0000000002361000-memory.dmp
  • memory/1648-94-0x0000000000000000-mapping.dmp
  • memory/1648-98-0x0000000002362000-0x0000000002364000-memory.dmp
  • memory/1700-88-0x00000000FF183CEC-mapping.dmp
  • memory/1700-91-0x0000000000170000-0x0000000000310000-memory.dmp
  • memory/1700-92-0x0000000001DA0000-0x0000000001F52000-memory.dmp
  • memory/1700-89-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp
  • memory/1868-93-0x0000000000000000-mapping.dmp
  • memory/2040-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
  • memory/2040-56-0x0000000000400000-0x0000000000521000-memory.dmp
  • memory/2040-55-0x0000000002020000-0x0000000002127000-memory.dmp