danabot | 348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe
Size

244KB
MD5

65d2050d8d544b0e4d74d7778b93fbe1
SHA1

c57773edc2a761a8af4661ac9176eb901ede7f29
SHA256

348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0
SHA512

93bdce7e97342f87f729587658231ce8555c63bd9ecf17d0780704d4908c75a66b54600618ad80075123e699f940d216e58ffe0d4a93ed5c854fb770abf396bc
SSDEEP

3072:lXbkayXL6gTrQTCdX5OrBRduxtnM1cuSFYrhDJzUSGqBjbz1MTj:hbyXLYTCerBRstM13SFuDSrTj

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4844-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

86 3196 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

3F7.exe3F7.exe756F.exe

pid process

3844 3F7.exe
4924 3F7.exe
4276 756F.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

756F.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 756F.exe
Loads dropped DLL 3 IoCs

Processes:

756F.exe

pid process

4276 756F.exe
4276 756F.exe
4276 756F.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

3F7.exe3F7.exe

description pid process target process

PID 3844 set thread context of 4924 3844 3F7.exe 3F7.exe
PID 4924 set thread context of 3196 4924 3F7.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4344 4276 WerFault.exe 756F.exe

flow	pid	process
86	3196	rundll32.exe

pid	process
3844	3F7.exe
4924	3F7.exe
4276	756F.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	756F.exe

pid	process
4276	756F.exe
4276	756F.exe
4276	756F.exe

description	pid	process	target process
PID 3844 set thread context of 4924	3844	3F7.exe	3F7.exe
PID 4924 set thread context of 3196	4924	3F7.exe	rundll32.exe

pid	pid_target	process	target process
4344	4276	WerFault.exe	756F.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3F7.exerundll32.exe756F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	756F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	3F7.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	3F7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3F7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	3F7.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	3F7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	756F.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	3F7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3F7.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1380 timeout.exe

pid	process
1380	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 21 IoCs

Processes:

3F7.exeOpenWith.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	3F7.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

968

pid	process
968

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe

pid	process
4844	348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe
4844	348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

968
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe

pid process

4844 348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe

pid	process
968

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	2576	svchost.exe
Token: SeShutdownPrivilege	2576	svchost.exe
Token: SeCreatePagefilePrivilege	2576	svchost.exe
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3196 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

2064 OpenWith.exe
968
968

pid	process
3196	rundll32.exe

pid	process
2064	OpenWith.exe
968
968

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

3F7.exe3F7.exe756F.execmd.exe

description	pid	process	target process
PID 968 wrote to memory of 3844	968		3F7.exe
PID 968 wrote to memory of 3844	968		3F7.exe
PID 968 wrote to memory of 3844	968		3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 3844 wrote to memory of 4924	3844	3F7.exe	3F7.exe
PID 4924 wrote to memory of 2616	4924	3F7.exe	agentactivationruntimestarter.exe
PID 4924 wrote to memory of 2616	4924	3F7.exe	agentactivationruntimestarter.exe
PID 4924 wrote to memory of 2616	4924	3F7.exe	agentactivationruntimestarter.exe
PID 968 wrote to memory of 4276	968		756F.exe
PID 968 wrote to memory of 4276	968		756F.exe
PID 968 wrote to memory of 4276	968		756F.exe
PID 4276 wrote to memory of 1336	4276	756F.exe	cmd.exe
PID 4276 wrote to memory of 1336	4276	756F.exe	cmd.exe
PID 4276 wrote to memory of 1336	4276	756F.exe	cmd.exe
PID 1336 wrote to memory of 1380	1336	cmd.exe	timeout.exe
PID 1336 wrote to memory of 1380	1336	cmd.exe	timeout.exe
PID 1336 wrote to memory of 1380	1336	cmd.exe	timeout.exe
PID 4924 wrote to memory of 3196	4924	3F7.exe	rundll32.exe
PID 4924 wrote to memory of 3196	4924	3F7.exe	rundll32.exe
PID 4924 wrote to memory of 3196	4924	3F7.exe	rundll32.exe
PID 4924 wrote to memory of 3196	4924	3F7.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe
"C:\Users\Admin\AppData\Local\Temp\348c4aa8a126f566216e99b7601aa78d8659a98f8664356ae3230da1c4b7aab0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4844

C:\Users\Admin\AppData\Local\Temp\3F7.exe
C:\Users\Admin\AppData\Local\Temp\3F7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\3F7.exe
C:\Users\Admin\AppData\Local\Temp\3F7.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
3⤵
PID:2616

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
3⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x4a0
1⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\756F.exe
C:\Users\Admin\AppData\Local\Temp\756F.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\756F.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1980
2⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4276 -ip 4276
1⤵
PID:4256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d502779-c529-4ae0-a0cb-e70926e21349.tmp
Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F7.exe
Filesize
8.4MB

MD5
3281a9332d11287529ddbac19387f603

SHA1
6554cbd72d5b8bd516f61a23b660973a459ce99a

SHA256
f535fcf255b18e63f0191b3d9d396bb7fc7e42c7d770263863b9b8de7062e296

SHA512
f1822a94db5cd93d1d1a53c126c5cea45fbf2cc7f0a9629291ed6a4c13f0d1cb4d1b642de137e9aad17709faf83025014b553ca3a707f0f9ccbb734305d349e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F7.exe
Filesize
8.4MB

MD5
3281a9332d11287529ddbac19387f603

SHA1
6554cbd72d5b8bd516f61a23b660973a459ce99a

SHA256
f535fcf255b18e63f0191b3d9d396bb7fc7e42c7d770263863b9b8de7062e296

SHA512
f1822a94db5cd93d1d1a53c126c5cea45fbf2cc7f0a9629291ed6a4c13f0d1cb4d1b642de137e9aad17709faf83025014b553ca3a707f0f9ccbb734305d349e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F7.exe
Filesize
8.4MB

MD5
3281a9332d11287529ddbac19387f603

SHA1
6554cbd72d5b8bd516f61a23b660973a459ce99a

SHA256
f535fcf255b18e63f0191b3d9d396bb7fc7e42c7d770263863b9b8de7062e296

SHA512
f1822a94db5cd93d1d1a53c126c5cea45fbf2cc7f0a9629291ed6a4c13f0d1cb4d1b642de137e9aad17709faf83025014b553ca3a707f0f9ccbb734305d349e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp
Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\756F.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\756F.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
Filesize
1KB

MD5
07bd5d79e18651bb0758a150cca252da

SHA1
bafab651d3a8c900041b7460c4b3d0db6a362e52

SHA256
57c21ab757836c1979c5ea959cf760f7d2f88771ba6edfee4848f9f9bff6868a

SHA512
ba627fbde74d1b18fc4644df86c6a4832910464c110a8fa29fa24818b630040799113ea73dd8af24644f5de19ec49dc97bbda557e1cbce6278974f0ef4c461b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBQHURCC-20220812-1921.log
Filesize
60KB

MD5
1cf46c46969b3da7c921f538e1052d75

SHA1
55b4f1bf8834de7fcec5b964d4e207ab787d453a

SHA256
8c1d6e5d024f1fa3f60323e3d7b2d76c4090f73aab9aca557b74edf58cb68a19

SHA512
78de5976109b5351e68c28069cd543e667a6361ca9fe7e5b141b1979f94ec46e26389d2e1e871cd8259890ade477f90f29ca4a091968333bd8a4fbd8d820b2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\adc52f94-c82e-434e-9f30-9b348375f053.tmp
Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4640.log
Filesize
470B

MD5
557f0a02b3501eb4e60e5fba315b99ee

SHA1
4f259e938512bda39d0701ee46d06823fa654e15

SHA256
13adbffe25952b222854ce31a71f71f5ffd885f91abcf912d3a9129be553a381

SHA512
def43befeed26be88a4997a649192cffabe428b58f99d0d833b74c40ab1e409bd2c42633d6f7acb83b8939413becb1e4f8d01291d4a9333c383c48a407f9e90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
0e90961b61fe2bba06fe5a0b29b9f7a3

SHA1
ea023ea3fba4e3e086e939cc2fd4e114552140a9

SHA256
edb2daddf55d78188d2e7b53da4896a8006c181cad2737ad6a2f9217adf0ce88

SHA512
9656c5517490628310e8660190a5f8131aa8e6ec1c93472f92204c352b0deada6ad1c1228771bd5579a103e238c4ad6a40c6c558607cdb613afe881159ed3c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F1D.txt
Filesize
427KB

MD5
7cb368867b63387e87ac8c43fda56652

SHA1
8337144cc4b0ac41f1c46fb822686d6c042988b4

SHA256
e1c789a635b5037c07d3653d00e1bd4fc421a8142a9def49cd35e17bc3ba3472

SHA512
2ed4333d01fe1b377c4131c7175d3547f677aa63f515b829d271d628ddde7c6172a50b9cf4032b2549f83f5e71e7434ab55c80a2fedd2df467c8a1778c1c5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4F1D.txt
Filesize
11KB

MD5
73cf8fc42f7a737ab5796c9e02dd7bc3

SHA1
91fa4c983663d8bb8af0608d8146168738901d45

SHA256
be8cdd1dd28c10adcfeff612a41b0985342246f049091a1d9e09d9e85e6ed392

SHA512
ee6c1a6dbfcbb3583be78b2d32330b080624431d16324dc523e0438e0aadcc0f865265bb9ab4d3141130196e956a50000e7b86893e549ca11a7007e7c8c859eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html
Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct399A.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct4E2A.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC61E.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
memory/1336-159-0x0000000000000000-mapping.dmp

Download
memory/1380-160-0x0000000000000000-mapping.dmp

Download
memory/2616-147-0x0000000000000000-mapping.dmp

Download
memory/3196-180-0x0000000004270000-0x00000000043B0000-memory.dmp

Filesize
1.2MB

Download
memory/3196-181-0x0000000004270000-0x00000000043B0000-memory.dmp

Filesize
1.2MB

Download
memory/3196-175-0x0000000000000000-mapping.dmp

Download
memory/3196-179-0x00000000036F0000-0x00000000041A2000-memory.dmp

Filesize
10.7MB

Download
memory/3196-177-0x0000000001210000-0x0000000001BA2000-memory.dmp

Filesize
9.6MB

Download
memory/3196-197-0x00000000036F0000-0x00000000041A2000-memory.dmp

Filesize
10.7MB

Download
memory/3196-178-0x00000000036F0000-0x00000000041A2000-memory.dmp

Filesize
10.7MB

Download
memory/3844-146-0x0000000005A00000-0x00000000063D6000-memory.dmp

Filesize
9.8MB

Download
memory/3844-145-0x0000000003A19000-0x0000000004255000-memory.dmp

Filesize
8.2MB

Download
memory/3844-137-0x0000000000000000-mapping.dmp

Download
memory/4276-155-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4276-161-0x0000000002E53000-0x0000000002E7F000-memory.dmp

Filesize
176KB

Download
memory/4276-150-0x0000000000000000-mapping.dmp

Download
memory/4276-162-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4276-154-0x0000000002DC0000-0x0000000002E09000-memory.dmp

Filesize
292KB

Download
memory/4276-153-0x0000000002E53000-0x0000000002E7F000-memory.dmp

Filesize
176KB

Download
memory/4844-136-0x0000000000400000-0x0000000002C2A000-memory.dmp

Filesize
40.2MB

Download
memory/4844-135-0x0000000002D52000-0x0000000002D68000-memory.dmp

Filesize
88KB

Download
memory/4844-134-0x0000000000400000-0x0000000002C2A000-memory.dmp

Filesize
40.2MB

Download
memory/4844-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4844-132-0x0000000002D52000-0x0000000002D68000-memory.dmp

Filesize
88KB

Download
memory/4924-148-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-176-0x0000000003AE0000-0x0000000004592000-memory.dmp

Filesize
10.7MB

Download
memory/4924-174-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-173-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-171-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-172-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-170-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-169-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-168-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-167-0x0000000004760000-0x00000000048A0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-166-0x0000000003AE0000-0x0000000004592000-memory.dmp

Filesize
10.7MB

Download
memory/4924-165-0x0000000003AE0000-0x0000000004592000-memory.dmp

Filesize
10.7MB

Download
memory/4924-164-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-163-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-149-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-144-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-143-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-196-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-141-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4924-140-0x0000000000000000-mapping.dmp

Download