danabot | 7f18e1325f88bd8421a03d3d88ad25e2c9e6ff80e39e97efaa7f4d372b3be4dd

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a1d1773c7de792aae9696f63404a27.exe
Size

231KB
MD5

a1a1d1773c7de792aae9696f63404a27
SHA1

28f056b835854053b12cb4084d5d87648cf32936
SHA256

7f18e1325f88bd8421a03d3d88ad25e2c9e6ff80e39e97efaa7f4d372b3be4dd
SHA512

2fe412ed8a29c0d1b2131db6d3123b041745b116070c350b4a5c4936d659cea0dd7a10d77890bc4e199e59795cf833297e6492561cc400ad19f8573c66279bd9
SSDEEP

6144:DHNL9Kxc5Eg1QUz1Nx0AA3dai/RHTRu9l:DtZKxzg1D5NxIBBul

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/456-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

85 4980 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

EC78.exeEC78.exe7495.exe

pid process

2280 EC78.exe
4256 EC78.exe
4752 7495.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

7495.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 7495.exe
Loads dropped DLL 3 IoCs

Processes:

7495.exe

pid process

4752 7495.exe
4752 7495.exe
4752 7495.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
85	4980	rundll32.exe

pid	process
2280	EC78.exe
4256	EC78.exe
4752	7495.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7495.exe

pid	process
4752	7495.exe
4752	7495.exe
4752	7495.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

EC78.exeEC78.exe

description	pid	process	target process
PID 2280 set thread context of 4256	2280	EC78.exe	EC78.exe
PID 4256 set thread context of 4980	4256	EC78.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1660 4752 WerFault.exe 7495.exe

pid	pid_target	process	target process
1660	4752	WerFault.exe	7495.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exea1a1d1773c7de792aae9696f63404a27.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a1a1d1773c7de792aae9696f63404a27.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a1a1d1773c7de792aae9696f63404a27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a1a1d1773c7de792aae9696f63404a27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EC78.exerundll32.exe7495.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	EC78.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	EC78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EC78.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EC78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	EC78.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EC78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7495.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7495.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	EC78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2788 timeout.exe

pid	process
2788	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 21 IoCs

Processes:

EC78.exerundll32.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	EC78.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1396

pid	process
1396

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a1a1d1773c7de792aae9696f63404a27.exe

pid	process
456	a1a1d1773c7de792aae9696f63404a27.exe
456	a1a1d1773c7de792aae9696f63404a27.exe
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1396
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a1a1d1773c7de792aae9696f63404a27.exe

pid process

456 a1a1d1773c7de792aae9696f63404a27.exe

pid	process
1396

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	2180	svchost.exe
Token: SeShutdownPrivilege	2180	svchost.exe
Token: SeCreatePagefilePrivilege	2180	svchost.exe
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4980 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

3196 OpenWith.exe
1396
1396

pid	process
4980	rundll32.exe

pid	process
3196	OpenWith.exe
1396
1396

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

EC78.exeEC78.exe7495.execmd.exe

description	pid	process	target process
PID 1396 wrote to memory of 2280	1396		EC78.exe
PID 1396 wrote to memory of 2280	1396		EC78.exe
PID 1396 wrote to memory of 2280	1396		EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 2280 wrote to memory of 4256	2280	EC78.exe	EC78.exe
PID 4256 wrote to memory of 216	4256	EC78.exe	agentactivationruntimestarter.exe
PID 4256 wrote to memory of 216	4256	EC78.exe	agentactivationruntimestarter.exe
PID 4256 wrote to memory of 216	4256	EC78.exe	agentactivationruntimestarter.exe
PID 1396 wrote to memory of 4752	1396		7495.exe
PID 1396 wrote to memory of 4752	1396		7495.exe
PID 1396 wrote to memory of 4752	1396		7495.exe
PID 4752 wrote to memory of 1884	4752	7495.exe	cmd.exe
PID 4752 wrote to memory of 1884	4752	7495.exe	cmd.exe
PID 4752 wrote to memory of 1884	4752	7495.exe	cmd.exe
PID 1884 wrote to memory of 2788	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 2788	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 2788	1884	cmd.exe	timeout.exe
PID 4256 wrote to memory of 4980	4256	EC78.exe	rundll32.exe
PID 4256 wrote to memory of 4980	4256	EC78.exe	rundll32.exe
PID 4256 wrote to memory of 4980	4256	EC78.exe	rundll32.exe
PID 4256 wrote to memory of 4980	4256	EC78.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a1a1d1773c7de792aae9696f63404a27.exe
"C:\Users\Admin\AppData\Local\Temp\a1a1d1773c7de792aae9696f63404a27.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:456

C:\Users\Admin\AppData\Local\Temp\EC78.exe
C:\Users\Admin\AppData\Local\Temp\EC78.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\EC78.exe
C:\Users\Admin\AppData\Local\Temp\EC78.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
3⤵
PID:216

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
3⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x50c
1⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\7495.exe
C:\Users\Admin\AppData\Local\Temp\7495.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7495.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1944
2⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4752 -ip 4752
1⤵
PID:3760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7495.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7495.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
Filesize
1KB

MD5
f100bb8b2cb884eaeb980fec005fda2a

SHA1
35b381fb5f67e27d337a9be9a9a80f99a62ade7b

SHA256
ab5bbad92eb5b118a83152c34f7d011cd7ebd55e0774e7649b5bd6084c6bb807

SHA512
f199706af09ab1ec2fd2e1a23055f1d898271bb27ef067b992dece2677e74854023188a7c7c2f8836e7f64854b0bc6b190684b300f0da973d8bd96c3497346b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC78.exe
Filesize
8.4MB

MD5
3281a9332d11287529ddbac19387f603

SHA1
6554cbd72d5b8bd516f61a23b660973a459ce99a

SHA256
f535fcf255b18e63f0191b3d9d396bb7fc7e42c7d770263863b9b8de7062e296

SHA512
f1822a94db5cd93d1d1a53c126c5cea45fbf2cc7f0a9629291ed6a4c13f0d1cb4d1b642de137e9aad17709faf83025014b553ca3a707f0f9ccbb734305d349e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC78.exe
Filesize
8.4MB

MD5
3281a9332d11287529ddbac19387f603

SHA1
6554cbd72d5b8bd516f61a23b660973a459ce99a

SHA256
f535fcf255b18e63f0191b3d9d396bb7fc7e42c7d770263863b9b8de7062e296

SHA512
f1822a94db5cd93d1d1a53c126c5cea45fbf2cc7f0a9629291ed6a4c13f0d1cb4d1b642de137e9aad17709faf83025014b553ca3a707f0f9ccbb734305d349e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC78.exe
Filesize
8.4MB

MD5
3281a9332d11287529ddbac19387f603

SHA1
6554cbd72d5b8bd516f61a23b660973a459ce99a

SHA256
f535fcf255b18e63f0191b3d9d396bb7fc7e42c7d770263863b9b8de7062e296

SHA512
f1822a94db5cd93d1d1a53c126c5cea45fbf2cc7f0a9629291ed6a4c13f0d1cb4d1b642de137e9aad17709faf83025014b553ca3a707f0f9ccbb734305d349e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMKNGOMU-20220812-1924.log
Filesize
56KB

MD5
942061e415bb8ead9b5a5218d5c14343

SHA1
6017ef310882921100fa81965ff75e420200507d

SHA256
1226acee43898580e53859127ed657800319973cb60df51155e5c8a7ce45e895

SHA512
b0a93f95992a6389ba9913d8ca29aaba421f25aea2463244468f3279185f88dddd3db4ecc9d58e4c73ac9901465548df24150978f3bc8a943376a176f605cddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMKNGOMU-20220812-1924a.log
Filesize
181KB

MD5
aa50dd7e6959589fc3fea20fe137bc6f

SHA1
6db450ce52e3163161e1b90af4074a9d3bf47447

SHA256
ec82e4d884101d5d621ce4ff44a53f2114f73498bb0628479f67c37ec19124e8

SHA512
1e40a678922d3119ea6328b90e0a19d0f56a8498aca0aaeb5773336d292002352f7efdce467c09fc29acfc91bbc5bb6de3ba11d1ba2e1d46c1d0159f7ad17eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-1700.log
Filesize
470B

MD5
afbde07b463b84a12621ff8a45aaae1b

SHA1
1f78c7b3bae0de87727605cb0764d13ac58abc5d

SHA256
9c5a7d9152e24a699bb5d058d978b5eec9aa309d8a73f4dc74fa18cb5900ef13

SHA512
019e7ab616dd89b1764cddfe89d2cd3414195615e62c2dca200980fac31ce13b5bf33f0b5801c2f2eb27c16f849306a7d9bf2dbbd224ee6beb80f41fd8d0e70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI50E6.txt
Filesize
414KB

MD5
e6c01c79db3f332fe871fa31fde76177

SHA1
aebe59988fce2cdc4e95ea5937365421538c9a05

SHA256
2ef99443f8f086c52cb2c4b525a767fd0ad0de8b4996bd6c9161bf8073a884fb

SHA512
6cec8a23a7468d42deed895e4f1277fd7d33430dc122fbe020ee865a319c14a73d29ab1f6c9af40127f19c683ff7dfa36689b43b309b3b6aa0d76fee68ed5fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI50B8.txt
Filesize
11KB

MD5
2d3d4b9bab706bc5873482be100e0851

SHA1
47cc8742c34ac728a62d4a4705a50c661d247944

SHA256
fd5ac2a1c3c9c587a7ed459f1ee4f8074f6643bc8557d9c8bec3c1582568c405

SHA512
b423281011e69f3957cda935ae25acd69c65ddeb29bb8d10c5159c72e53e55c609071d5a0109366962b87e538e7fc10300eee6baef8dbc613d112792f190c8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html
Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct5D7C.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctA1E8.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC4C7.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
97135e1ef652cacbca26f832ec7c2ee2

SHA1
b2691d8e35a78fa4bbf86a480638da8f48b169aa

SHA256
3b113453a1a98b0d6b6e07bd35eca1f0a1992f2c2d69ab22c80ae54d194bc9dd

SHA512
fd3180cac2443538ea32868fe5169148554923cae0e296a0863c46dfa5326495b8dc75a0b0fb52639149f38c01cd569b340db9956ba96159c825124cb23633a5

Download Submit
memory/216-146-0x0000000000000000-mapping.dmp

Download
memory/456-135-0x0000000000400000-0x0000000002C27000-memory.dmp

Filesize
40.2MB

Download
memory/456-134-0x0000000000400000-0x0000000002C27000-memory.dmp

Filesize
40.2MB

Download
memory/456-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/456-132-0x0000000002F82000-0x0000000002F98000-memory.dmp

Filesize
88KB

Download
memory/1884-159-0x0000000000000000-mapping.dmp

Download
memory/2280-145-0x00000000059B0000-0x0000000006386000-memory.dmp

Filesize
9.8MB

Download
memory/2280-143-0x00000000037C9000-0x0000000004005000-memory.dmp

Filesize
8.2MB

Download
memory/2280-136-0x0000000000000000-mapping.dmp

Download
memory/2788-160-0x0000000000000000-mapping.dmp

Download
memory/4256-163-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4256-162-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4256-165-0x0000000003AE0000-0x0000000004592000-memory.dmp

Filesize
10.7MB

Download
memory/4256-166-0x0000000003AE0000-0x0000000004592000-memory.dmp

Filesize
10.7MB

Download
memory/4256-167-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-168-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-169-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-171-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-170-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-172-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-173-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-194-0x0000000003AE0000-0x0000000004592000-memory.dmp

Filesize
10.7MB

Download
memory/4256-174-0x0000000004890000-0x00000000049D0000-memory.dmp

Filesize
1.2MB

Download
memory/4256-193-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4256-139-0x0000000000000000-mapping.dmp

Download
memory/4256-140-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4256-142-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4256-164-0x0000000003AE0000-0x0000000004592000-memory.dmp

Filesize
10.7MB

Download
memory/4256-144-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4256-147-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4256-148-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4752-153-0x0000000002C40000-0x0000000002D40000-memory.dmp

Filesize
1024KB

Download
memory/4752-149-0x0000000000000000-mapping.dmp

Download
memory/4752-154-0x0000000004850000-0x0000000004899000-memory.dmp

Filesize
292KB

Download
memory/4752-155-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4752-161-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4980-179-0x0000000000A00000-0x0000000001392000-memory.dmp

Filesize
9.6MB

Download
memory/4980-178-0x00000000039F0000-0x0000000003B30000-memory.dmp

Filesize
1.2MB

Download
memory/4980-177-0x00000000039F0000-0x0000000003B30000-memory.dmp

Filesize
1.2MB

Download
memory/4980-192-0x0000000002E70000-0x0000000003922000-memory.dmp

Filesize
10.7MB

Download
memory/4980-176-0x0000000002E70000-0x0000000003922000-memory.dmp

Filesize
10.7MB

Download
memory/4980-175-0x0000000000000000-mapping.dmp

Download
memory/4980-195-0x0000000002E70000-0x0000000003922000-memory.dmp

Filesize
10.7MB

Download