danabot | 5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe
Size

255KB
MD5

276085b18f05cec3c45b2df874b0578c
SHA1

823345f5a8b63871ec46b82a521eb5393010b63c
SHA256

5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c
SHA512

4c29c31bd4dccf9d82c4a2c8df1922834f14dcd75fe76894895427174163236f2c627fc55a3a257b8773c9bdd06fead1816880e0bd0eb54e5cfe061084f2b702
SSDEEP

3072:iXVfWAPpxR+LZSiOBrRrPf82RW/2fR3oLF4pUk8e4QJZ7Nk3T1aYvDq77:iU+L+Lh8rRrPf8V+fyxiZ5oT16

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4980-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

84 3068 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

569C.exeDE4B.exe

pid process

4876 569C.exe
4404 DE4B.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

DE4B.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation DE4B.exe
Loads dropped DLL 3 IoCs

Processes:

DE4B.exe

pid process

4404 DE4B.exe
4404 DE4B.exe
4404 DE4B.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

569C.exe

description pid process target process

PID 4876 set thread context of 3068 4876 569C.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
84	3068	rundll32.exe

pid	process
4876	569C.exe
4404	DE4B.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DE4B.exe

pid	process
4404	DE4B.exe
4404	DE4B.exe
4404	DE4B.exe

description	pid	process	target process
PID 4876 set thread context of 3068	4876	569C.exe	rundll32.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2444	4404	WerFault.exe	DE4B.exe
2284	4876	WerFault.exe	569C.exe
4472	4876	WerFault.exe	569C.exe
2472	4876	WerFault.exe	569C.exe
2680	4876	WerFault.exe	569C.exe
3096	4876	WerFault.exe	569C.exe
4656	4876	WerFault.exe	569C.exe
2644	4876	WerFault.exe	569C.exe
3188	4876	WerFault.exe	569C.exe
1424	4876	WerFault.exe	569C.exe
3476	4876	WerFault.exe	569C.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe

Checks processor information in registry 2 TTPs 41 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

569C.exerundll32.exeDE4B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DE4B.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	569C.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	569C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	569C.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	569C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DE4B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	569C.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	569C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1092 timeout.exe

pid	process
1092	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 21 IoCs

Processes:

OpenWith.exerundll32.exe569C.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	569C.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3060

pid	process
3060

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe

pid	process
4980	5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe
4980	5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3060
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe

pid process

4980 5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe

pid	process
3060

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3860	svchost.exe
Token: SeShutdownPrivilege	3860	svchost.exe
Token: SeCreatePagefilePrivilege	3860	svchost.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3068 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

3880 OpenWith.exe
3060
3060

pid	process
3068	rundll32.exe

pid	process
3880	OpenWith.exe
3060
3060

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

569C.exeDE4B.execmd.exe

description	pid	process	target process
PID 3060 wrote to memory of 4876	3060		569C.exe
PID 3060 wrote to memory of 4876	3060		569C.exe
PID 3060 wrote to memory of 4876	3060		569C.exe
PID 4876 wrote to memory of 4424	4876	569C.exe	agentactivationruntimestarter.exe
PID 4876 wrote to memory of 4424	4876	569C.exe	agentactivationruntimestarter.exe
PID 4876 wrote to memory of 4424	4876	569C.exe	agentactivationruntimestarter.exe
PID 3060 wrote to memory of 4404	3060		DE4B.exe
PID 3060 wrote to memory of 4404	3060		DE4B.exe
PID 3060 wrote to memory of 4404	3060		DE4B.exe
PID 4404 wrote to memory of 4268	4404	DE4B.exe	cmd.exe
PID 4404 wrote to memory of 4268	4404	DE4B.exe	cmd.exe
PID 4404 wrote to memory of 4268	4404	DE4B.exe	cmd.exe
PID 4268 wrote to memory of 1092	4268	cmd.exe	timeout.exe
PID 4268 wrote to memory of 1092	4268	cmd.exe	timeout.exe
PID 4268 wrote to memory of 1092	4268	cmd.exe	timeout.exe
PID 4876 wrote to memory of 3068	4876	569C.exe	rundll32.exe
PID 4876 wrote to memory of 3068	4876	569C.exe	rundll32.exe
PID 4876 wrote to memory of 3068	4876	569C.exe	rundll32.exe
PID 4876 wrote to memory of 3068	4876	569C.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe
"C:\Users\Admin\AppData\Local\Temp\5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4980

C:\Users\Admin\AppData\Local\Temp\569C.exe
C:\Users\Admin\AppData\Local\Temp\569C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 652
2⤵
- Program crash
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1048
2⤵
- Program crash
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1112
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1048
2⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1048
2⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1120
2⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1136
2⤵
- Program crash
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1308
2⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1036
2⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1420
2⤵
- Program crash
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x4b4
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\DE4B.exe
C:\Users\Admin\AppData\Local\Temp\DE4B.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DE4B.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1856
2⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4404 -ip 4404
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4876 -ip 4876
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4876 -ip 4876
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4876 -ip 4876
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4876 -ip 4876
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4876 -ip 4876
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4876 -ip 4876
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4876 -ip 4876
1⤵
PID:3752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4876 -ip 4876
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4876 -ip 4876
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4876 -ip 4876
1⤵
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\02fc4909-db62-4fee-8646-109dbf6b271b.tmp
Filesize
21KB

MD5
301ea18f32584b0102b1e4f710c6054d

SHA1
e970ec47138c443ec94a4c3671622f578ed09a26

SHA256
7f4e382d1c6724a5f173f3617e35d5ad74c28ffce9a918f00b48c88f978dc34e

SHA512
3c1dd0687ff4a98324f8f0c054e2bf24a3adc2edb28a4ee095f5e71d5943702bcdf36b4c5b2e163e17cc207833194539ed98b7830e94ac446a9d48d29837627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\53e6a9ff-6628-4c05-9f9e-5740d15f61de.tmp
Filesize
19KB

MD5
613b4d43b64a6d9630f389c4e12295b4

SHA1
06bef00ff378997f9b05d77c78563e01fb713e2d

SHA256
bbe5def034f4c1e6c16beb775ecbbbbe5e6f1aa8100639e87997c9f656a002c6

SHA512
3d48d3dbd49750d6154a3ecde4f60b7ba0cdfbf4781357971102222707ff9a6ee34f5cdbbb64111e3b43bf3946c1fdfb5024d1bcf710e13a850b257c61e5a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\569C.exe
Filesize
8.4MB

MD5
febec851b0cd98f6b628a1ef567f6ecb

SHA1
72409831f8ddf8b7e97be8a63af7c7d93fed8249

SHA256
d08d5bcd7ac37694068e193afbff3460992a5b44d599bb2642529622a5c69a34

SHA512
545cb635fdebace748edfa94b4b4a840fbacf21d481ee05f2bdf35f88ffa7496d1bdeef720ee98841956313f62b575a16854d9cdc83ef8c81973451cb00b37e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\569C.exe
Filesize
8.4MB

MD5
febec851b0cd98f6b628a1ef567f6ecb

SHA1
72409831f8ddf8b7e97be8a63af7c7d93fed8249

SHA256
d08d5bcd7ac37694068e193afbff3460992a5b44d599bb2642529622a5c69a34

SHA512
545cb635fdebace748edfa94b4b4a840fbacf21d481ee05f2bdf35f88ffa7496d1bdeef720ee98841956313f62b575a16854d9cdc83ef8c81973451cb00b37e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\607cd18f-98c4-4c86-94ad-33f9ee772d45.tmp
Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE4B.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE4B.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
Filesize
25KB

MD5
e51378ad4760b76c65c377b422a67edf

SHA1
043123fc49bc9018918d39b7b7ca93d1ad8c478b

SHA256
833a94dd9e8aef79c0eba1208f9c2446898d21c210bc14f1567586811964a9c6

SHA512
08ed090bc9054a8d4c9fb3c1d9eac20031587a191518a393e248c87087bdbce7f1d80b468c2a0a53d20dcc8086b8b4445674e75a36e4e2164c10aea6909a8d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_194409742.html
Filesize
93KB

MD5
71758797ae7914b1227d0b34c30c0797

SHA1
f63e17acdd4f8ed417c476a19742547291408963

SHA256
62bfa55487dface1cb7989308d91488315e79714153a4e40e1c14d4ca7a4a1c2

SHA512
98be11d1d910ad96ca12c39262e0be6ce451baebb2ceb0cc559762906e4993bdfaf7bdf3cb38eb67e055c9778560fe686fe155b39f8afc4a9d70880c14e9a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZIOFAVD-20220812-1951.log
Filesize
56KB

MD5
d431794afa91c4c3745055b53d795183

SHA1
ca518aa0948e9e8af5ec5a89bc613d7e4fc6c9d5

SHA256
2290c5fc19f04b088974b297c2677e0e848900c9188382d3b24611a02685ae03

SHA512
1ae72c1da9b766b3bea44aa3244ab028f7ed8c6e715b284ca111f6f22d3300dbc54a89639f3af0b0371c62c7cab81d4b8b76d807e9738f9d5aa4b329f25fdd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf06a67-45af-44d3-bf33-5212b4da62fa.tmp
Filesize
23KB

MD5
7cd73270bd735f9fe77bc9278f9f2b8b

SHA1
b27a898970297c750fb7e4d70ad8f87c1e6c1739

SHA256
ee80340a02c0f96a3f9d01e635857d38d7b92444d6102ee29804f559f2eaa7f4

SHA512
1fe70455d4d8c0fbab9ef20cf85d0de55fea9f18499c653af5d234462aa5c45eaacceadab39e9be62dc548af4f710362dd34970e1d8a666bf09fe4101bf32077

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4844.log
Filesize
470B

MD5
467995413210c7391415743b595525c4

SHA1
f3ca1cf58a0e3285359840b39bcb30d49a7424d6

SHA256
cf0b731d7efcb55d5bf659817e88dcbb0aa3c6a0fe66d11ad965f1812eb3689e

SHA512
eb8987cd31907911197a818a84c790584c13a55d7a104afb542c066b66b0bd9d7c34b4fb07601bb6d31d9829d5d04eb3ad3947e7ea25c5915128ab96b9e42247

Download Submit
C:\Users\Admin\AppData\Local\Temp\b702d486-654d-4716-aaa2-bc53c138b0f8.tmp
Filesize
84KB

MD5
5d35b8c0588457da1f0ab69f754dc768

SHA1
7f23363c2bf180c2300fd27a50d264b713c89c6c

SHA256
1f7a721b714f57504dab936b57f2d5dc7a0b5c1452eebbd44360705e2a636efa

SHA512
2b0fd2ddd99d5ff7c3ed4df844ecace96b36c5903ea7d996b9d01cf433d012263e8c7f5dde8db4a9f67c49e1535d7a34c02eb295d637fb4809970a4c511a51c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7a972bc-9460-4c6f-93c0-e6dd9473f34f.tmp
Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
1KB

MD5
93e7cb32c0803cd4f10f40068afb5ebb

SHA1
388fb2b6a393f807f5d36a320bea35a696004f9f

SHA256
fbba51574a6ba44ae6525df959ec9a14e4a1f65dbd74d2d6cd36d415b5a8bf98

SHA512
02c8f31973611f5161e5022fa4c1b042790e04bdb40221fa656e74701dd9fa2bb2b4f49dc17c8119b0d6b8838675c8755fc075545e0f091d0e96ea9aa3c8b642

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
5d031b12263e4c18b48a434aafc8209e

SHA1
ed12ea0255d2c7dc4a4afaa30de511cec539e44c

SHA256
4d5adb4dd1a5d269e017680797a0403cfca1106411c061ce8753bfe9b4cbd5e4

SHA512
6b7a2e3d3d0b082ec3272229d0e5215d2269c96fb6993671e8614c8ce55e232463f5a812ff3f41aae806aae8681e18a5506c465ef20787eabd0f2257c1c2a2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI645A.txt
Filesize
426KB

MD5
d6bf37e485af183339e35423cdd4f8e9

SHA1
c7974725701dee5fcfb0e70f73f198d4d0ce3eeb

SHA256
b2d7382b176b11d055ca783cd6ad59db1607ddd99766b2437e1d558b801f8367

SHA512
2ac89bb21d98105e202357a33d555110be2f10f5f44472f1e5ed8c8070b7c541dbc04952c555addff4ac24a77a6ebf467d823e64ede71db1cc3b1d53d8730933

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI645A.txt
Filesize
11KB

MD5
7b873b39db7b02204b2619e7ad882462

SHA1
6277c99ed98c622c7fbc190669144ccb3744c4c4

SHA256
2814f20a867472a4137808b9695eec04264dddbb2e5e9d447fd0f46c4f303b96

SHA512
429213d5ea5f84bbbd25daecfee504bafca10606204fb53569475112ef969355f9c90eb33a9af7e63ac89adef1d3e2b0af0029eff12ed2b93d265f3f89793a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI6492.txt
Filesize
11KB

MD5
3deb951d119c378dff3d7911fa48dd12

SHA1
b74cbbddb4b37d46456da7a3e86260a3d8144e17

SHA256
0cf9936341117c121cc50582950760d7b24f1117749b451d82a45202f5aad461

SHA512
d9fc285be218af35e81d17b6bd78644d9bad8995cbfc466a0a671f171012f5ff760863e359ea49c9329c951a2280fa5b8e08e72c431e2c961e9fbc65bba7ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctD292.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
16a993a13d195d20dca07319d0725671

SHA1
2642524456da144d2db89ea760fdd788461d74db

SHA256
4f17ddbb8ccc7da41e95a5f5bd1c4c7c99f7bf321cfdf67988e32591a4e375f2

SHA512
afaea880275fa137598f5bb676059966e5b3df29473ad978ae1e4e378b674d9e52cb79629a0be5399c02170306658a635d909efe8b82daa848328858d1cf0be0

Download Submit
memory/1092-155-0x0000000000000000-mapping.dmp

Download
memory/3068-172-0x0000000000000000-mapping.dmp

Download
memory/3068-194-0x0000000003460000-0x0000000003F12000-memory.dmp

Filesize
10.7MB

Download
memory/3068-196-0x0000000003460000-0x0000000003F12000-memory.dmp

Filesize
10.7MB

Download
memory/3068-174-0x0000000004140000-0x0000000004280000-memory.dmp

Filesize
1.2MB

Download
memory/3068-176-0x0000000004140000-0x0000000004280000-memory.dmp

Filesize
1.2MB

Download
memory/3068-175-0x0000000001010000-0x00000000019A2000-memory.dmp

Filesize
9.6MB

Download
memory/3068-173-0x0000000003460000-0x0000000003F12000-memory.dmp

Filesize
10.7MB

Download
memory/4268-154-0x0000000000000000-mapping.dmp

Download
memory/4404-148-0x0000000002F33000-0x0000000002F5F000-memory.dmp

Filesize
176KB

Download
memory/4404-157-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4404-145-0x0000000000000000-mapping.dmp

Download
memory/4404-149-0x0000000002ED0000-0x0000000002F19000-memory.dmp

Filesize
292KB

Download
memory/4404-150-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4404-156-0x0000000002F33000-0x0000000002F5F000-memory.dmp

Filesize
176KB

Download
memory/4424-140-0x0000000000000000-mapping.dmp

Download
memory/4876-162-0x0000000007410000-0x0000000007EC2000-memory.dmp

Filesize
10.7MB

Download
memory/4876-169-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-164-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-163-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-161-0x0000000007410000-0x0000000007EC2000-memory.dmp

Filesize
10.7MB

Download
memory/4876-160-0x0000000007410000-0x0000000007EC2000-memory.dmp

Filesize
10.7MB

Download
memory/4876-159-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/4876-158-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/4876-165-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-171-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/4876-166-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-170-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-197-0x0000000007410000-0x0000000007EC2000-memory.dmp

Filesize
10.7MB

Download
memory/4876-167-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-144-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/4876-143-0x0000000005940000-0x0000000006316000-memory.dmp

Filesize
9.8MB

Download
memory/4876-142-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/4876-141-0x0000000005940000-0x0000000006316000-memory.dmp

Filesize
9.8MB

Download
memory/4876-168-0x0000000008100000-0x0000000008240000-memory.dmp

Filesize
1.2MB

Download
memory/4876-139-0x0000000003757000-0x0000000003F92000-memory.dmp

Filesize
8.2MB

Download
memory/4876-136-0x0000000000000000-mapping.dmp

Download
memory/4980-135-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/4980-134-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/4980-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4980-132-0x0000000002EE2000-0x0000000002EF7000-memory.dmp

Filesize
84KB

Download