danabot | 8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe
Size

221KB
MD5

6cc80c2c232d734531c5454c176616fd
SHA1

d42ac5b93f9f2d894f1ef575feeb8e508b096a48
SHA256

8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c
SHA512

7931ec08b85b473093c06628b37acb088250213d790849cf8bc31a7ea609984752b94db0b31bfcb980d8f834f3a85fd6acd2163940f1c63fae2f0cd672ec5525
SSDEEP

3072:Xun75dF6TJt/6mfLA5wK6N5xkhdRXMtlFjQq42nkdrC8jgVSMLHvBw:Xu7ZzmfL3K4khdmX1Qq4Th50V/zv

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1872-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

154 2204 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

EEBA.exeA048.exe

pid process

3088 EEBA.exe
1912 A048.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

A048.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation A048.exe
Loads dropped DLL 3 IoCs

Processes:

A048.exe

pid process

1912 A048.exe
1912 A048.exe
1912 A048.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

EEBA.exe

description pid process target process

PID 3088 set thread context of 2204 3088 EEBA.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
154	2204	rundll32.exe

pid	process
3088	EEBA.exe
1912	A048.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	A048.exe

pid	process
1912	A048.exe
1912	A048.exe
1912	A048.exe

description	pid	process	target process
PID 3088 set thread context of 2204	3088	EEBA.exe	rundll32.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1924	1912	WerFault.exe	A048.exe
760	3088	WerFault.exe	EEBA.exe
1056	3088	WerFault.exe	EEBA.exe
972	3088	WerFault.exe	EEBA.exe
2740	3088	WerFault.exe	EEBA.exe
3412	3088	WerFault.exe	EEBA.exe
800	3088	WerFault.exe	EEBA.exe
2472	3088	WerFault.exe	EEBA.exe
1848	3088	WerFault.exe	EEBA.exe
3316	3088	WerFault.exe	EEBA.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Checks processor information in registry 2 TTPs 49 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EEBA.exerundll32.exeA048.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	EEBA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	EEBA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EEBA.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	A048.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	A048.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	EEBA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	EEBA.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EEBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	EEBA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4252 timeout.exe

pid	process
4252	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 22 IoCs

Processes:

EEBA.exerundll32.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	EEBA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2640

pid	process
2640

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe

pid	process
1872	8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe
1872	8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2640
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe

pid process

1872 8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe

pid	process
2640

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1852	svchost.exe
Token: SeShutdownPrivilege	1852	svchost.exe
Token: SeCreatePagefilePrivilege	1852	svchost.exe
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640
Token: SeShutdownPrivilege	2640
Token: SeCreatePagefilePrivilege	2640

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rundll32.exe

pid process

2640
2640
2204 rundll32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2640
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

2732 OpenWith.exe
2640
2640

pid	process
2640
2640
2204	rundll32.exe

pid	process
2640

pid	process
2732	OpenWith.exe
2640
2640

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EEBA.exeA048.execmd.exe

description	pid	process	target process
PID 2640 wrote to memory of 3088	2640		EEBA.exe
PID 2640 wrote to memory of 3088	2640		EEBA.exe
PID 2640 wrote to memory of 3088	2640		EEBA.exe
PID 3088 wrote to memory of 5068	3088	EEBA.exe	agentactivationruntimestarter.exe
PID 3088 wrote to memory of 5068	3088	EEBA.exe	agentactivationruntimestarter.exe
PID 3088 wrote to memory of 5068	3088	EEBA.exe	agentactivationruntimestarter.exe
PID 2640 wrote to memory of 1912	2640		A048.exe
PID 2640 wrote to memory of 1912	2640		A048.exe
PID 2640 wrote to memory of 1912	2640		A048.exe
PID 1912 wrote to memory of 4444	1912	A048.exe	cmd.exe
PID 1912 wrote to memory of 4444	1912	A048.exe	cmd.exe
PID 1912 wrote to memory of 4444	1912	A048.exe	cmd.exe
PID 4444 wrote to memory of 4252	4444	cmd.exe	timeout.exe
PID 4444 wrote to memory of 4252	4444	cmd.exe	timeout.exe
PID 4444 wrote to memory of 4252	4444	cmd.exe	timeout.exe
PID 3088 wrote to memory of 2204	3088	EEBA.exe	rundll32.exe
PID 3088 wrote to memory of 2204	3088	EEBA.exe	rundll32.exe
PID 3088 wrote to memory of 2204	3088	EEBA.exe	rundll32.exe
PID 3088 wrote to memory of 2204	3088	EEBA.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe
"C:\Users\Admin\AppData\Local\Temp\8674ab2824698c6ec8fb7b53bb9417204fbfe8a6d4b2085cc1cb9d22c112474c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1872

C:\Users\Admin\AppData\Local\Temp\EEBA.exe
C:\Users\Admin\AppData\Local\Temp\EEBA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 592
2⤵
- Program crash
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1048
2⤵
- Program crash
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1112
2⤵
- Program crash
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1128
2⤵
- Program crash
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1112
2⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1048
2⤵
- Program crash
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1176
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1036
2⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1428
2⤵
- Program crash
PID:3316

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d0 0x24c
1⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\A048.exe
C:\Users\Admin\AppData\Local\Temp\A048.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A048.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1900
2⤵
- Program crash
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1912 -ip 1912
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3088 -ip 3088
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3088 -ip 3088
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3088 -ip 3088
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3088 -ip 3088
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3088 -ip 3088
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3088 -ip 3088
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3088 -ip 3088
1⤵
PID:1928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3088 -ip 3088
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3088 -ip 3088
1⤵
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
c30eb15cad930d6640e6406a12dab374

SHA1
ba4a95590a038b8fc2d537295963573dc22f6b69

SHA256
d954492f6980ae52b400c562009e3521945caa56823c88fd5c3e93caddf652f0

SHA512
7d2ef3301e0a3eaaa3a9c531a63eb7d778b6306f9750292fe5f5f971824c2352afc0748718e29fd64a4ae06c4282941e6095ef7a6ab80b030c984382cd00e615

Download Submit
C:\Users\Admin\AppData\Local\Temp\A048.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\A048.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEBA.exe
Filesize
8.4MB

MD5
3f40a1b989e5b21174db74bcd4d4d521

SHA1
273037036ed190ce7a4bc6ae3b25267b605a7d77

SHA256
f3ded89452a1b289872100dd365a3fa0d6d8a5998d8f1ca89a47a5ee740ca82c

SHA512
786ac1bf4687cc4733281d83844d524f702e067e273f1243b4120684a22e4e395673c03782dbc6b2fbf21d6827c5bacac7fee3b57e1ccb47666b06545a95282a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEBA.exe
Filesize
8.4MB

MD5
3f40a1b989e5b21174db74bcd4d4d521

SHA1
273037036ed190ce7a4bc6ae3b25267b605a7d77

SHA256
f3ded89452a1b289872100dd365a3fa0d6d8a5998d8f1ca89a47a5ee740ca82c

SHA512
786ac1bf4687cc4733281d83844d524f702e067e273f1243b4120684a22e4e395673c03782dbc6b2fbf21d6827c5bacac7fee3b57e1ccb47666b06545a95282a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
Filesize
3KB

MD5
c46f084c955c9413f1f375707a49141d

SHA1
591830d0afefb8c15c06527d072a1fb8902395e6

SHA256
7bc05c175a0201ec193933f45c3a16ae8f4b9d959ef9f8253ebd6d0d7579d569

SHA512
94915075cdbf3b7cb87b19466a4543f5a3191ca123da8a0ba14ca1ab610ce025ab18af671c7e62eeb5bcc7e76ba9e84444f2d8904961af430556a1ed2e83f4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
bdcd60d0f8f1a5c5541b99599702de47

SHA1
e18d6ad9df2a91c55f90c725fb0a5885cef369bc

SHA256
c4975a51f52c7e43048be7ca33fca70869ad84845a489967ab7c93d4be28cf3c

SHA512
c98abf7754f78d171e18e5ca3ba8fb25f4793b02bc1f3f43ecf626c1c4f80f28f9ebec95b2ff4548235db7dbe4f15338623b3259ca73feade3bca6ff76bf3e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuDE7F.tmp
Filesize
644B

MD5
440d93e4ba797998522eb17c17e218db

SHA1
e216f4b84053bc5b65d36280a522e2bacea14a49

SHA256
dbb9a230d5d123c53ab3a362c4ee25cb180b01172e4207e5eb0a4734d3c4e91a

SHA512
00d28d059f2a078759f8d5a69ffcb5c02709f32f8cd52a64d7104bc63eca139c5d4570425bfedd5afb298c018a16d300b5d5983d76ef749aeb66d99d9bf4a7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuDEBE.tmp
Filesize
2KB

MD5
07723a7359877d2df844532c3c189c93

SHA1
e6adbcb645f72648b9f4a0a98578b80a07e99638

SHA256
fdbbd3cc63411c7cfdd0d442e22223d90ae7793e7f66c59a8d2d21f2a879ad82

SHA512
2e2d30bb714f85ca27507bf905ba1a1b156dddf1a5b3564e0d5cedcb50e28b59102465a151315ae7fe8703ebd8b1f90fda84af75aac7e9de480eb180c3acf695

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuDFFB.tmp
Filesize
902B

MD5
ad6e9425a77058edc3c4c84b80faf3d3

SHA1
24afb807c1460dbae1cb5657944dcf92947dbb4c

SHA256
ec3e473c424348d5844272048ad07749a767e18cf57c80514242e7ac1b91488c

SHA512
72ff6b8e4a58877590d9e15af1f5e56c8daaa462f04c6458b669433852723bd4d907b26c8b2ad783e398dfde9361fbe8fc42b39648ec2debfd865d2c556d93eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuE04A.tmp
Filesize
2KB

MD5
07723a7359877d2df844532c3c189c93

SHA1
e6adbcb645f72648b9f4a0a98578b80a07e99638

SHA256
fdbbd3cc63411c7cfdd0d442e22223d90ae7793e7f66c59a8d2d21f2a879ad82

SHA512
2e2d30bb714f85ca27507bf905ba1a1b156dddf1a5b3564e0d5cedcb50e28b59102465a151315ae7fe8703ebd8b1f90fda84af75aac7e9de480eb180c3acf695

Download Submit
memory/1872-134-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/1872-132-0x00000000008E2000-0x00000000008F3000-memory.dmp

Filesize
68KB

Download
memory/1872-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1872-135-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/1912-144-0x0000000000000000-mapping.dmp

Download
memory/1912-149-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/1912-148-0x0000000000790000-0x00000000007D9000-memory.dmp

Filesize
292KB

Download
memory/1912-147-0x00000000007F3000-0x000000000081F000-memory.dmp

Filesize
176KB

Download
memory/1912-155-0x00000000007F3000-0x000000000081F000-memory.dmp

Filesize
176KB

Download
memory/1912-156-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/2204-175-0x0000000003300000-0x0000000003DB2000-memory.dmp

Filesize
10.7MB

Download
memory/2204-170-0x0000000000000000-mapping.dmp

Download
memory/2204-187-0x0000000003300000-0x0000000003DB2000-memory.dmp

Filesize
10.7MB

Download
memory/2204-172-0x0000000000E40000-0x00000000017D2000-memory.dmp

Filesize
9.6MB

Download
memory/2204-174-0x0000000003FB0000-0x00000000040F0000-memory.dmp

Filesize
1.2MB

Download
memory/2204-173-0x0000000003FB0000-0x00000000040F0000-memory.dmp

Filesize
1.2MB

Download
memory/2204-171-0x0000000003300000-0x0000000003DB2000-memory.dmp

Filesize
10.7MB

Download
memory/3088-166-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-160-0x0000000004C40000-0x00000000056F2000-memory.dmp

Filesize
10.7MB

Download
memory/3088-168-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-169-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-167-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-165-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-163-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-164-0x0000000004C40000-0x00000000056F2000-memory.dmp

Filesize
10.7MB

Download
memory/3088-162-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-161-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3088-157-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/3088-158-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/3088-159-0x0000000004C40000-0x00000000056F2000-memory.dmp

Filesize
10.7MB

Download
memory/3088-136-0x0000000000000000-mapping.dmp

Download
memory/3088-143-0x0000000003300000-0x0000000003CD6000-memory.dmp

Filesize
9.8MB

Download
memory/3088-142-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/3088-141-0x0000000003300000-0x0000000003CD6000-memory.dmp

Filesize
9.8MB

Download
memory/3088-185-0x0000000004C40000-0x00000000056F2000-memory.dmp

Filesize
10.7MB

Download
memory/3088-139-0x0000000001224000-0x0000000001A5F000-memory.dmp

Filesize
8.2MB

Download
memory/3088-183-0x0000000001224000-0x0000000001A5F000-memory.dmp

Filesize
8.2MB

Download
memory/3088-184-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4252-154-0x0000000000000000-mapping.dmp

Download
memory/4444-153-0x0000000000000000-mapping.dmp

Download
memory/5068-140-0x0000000000000000-mapping.dmp

Download