danabot | a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe
Size

305KB
MD5

38534d532efd591c8e8ac97eca8d0571
SHA1

732865d75c66eb16492b3efc24dd650079744b60
SHA256

a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0
SHA512

6d2a384dfe6efa8dea22370f1564a3589536fdf90a9de6ea99828d3137af064de51a9ee8113becc3327203e2f5f265a8bcf27a7f9171bcb3c68e98db84293c6a
SSDEEP

6144:Zv8ILSYLFj8iAkseICh2oC0XDxO0iPvzpQ6rFiaI:Z/fLFgku+2oVxOxnzpQ6rF

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4612-133-0x00000000005B0000-0x00000000005B9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

94 4836 rundll32.exe
111 4836 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

F8DC.exe

pid process

4936 F8DC.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4836 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4836 set thread context of 3624 4836 rundll32.exe rundll32.exe

flow	pid	process
94	4836	rundll32.exe
111	4836	rundll32.exe

pid	process
4936	F8DC.exe

pid	process
4836	rundll32.exe

description	pid	process	target process
PID 4836 set thread context of 3624	4836	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Spelling.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1748 4936 WerFault.exe F8DC.exe

pid	pid_target	process	target process
1748	4936	WerFault.exe	F8DC.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093556c40100054656d7000003a0009000400efbe0c551999935571402e00000000000000000000000000000000000000000000000000999cf800540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2424

pid	process
2424

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe

pid	process
4612	a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe
4612	a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2424
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe

pid process

4612 a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe

pid	process
2424

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3624 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2424
2424

pid	process
3624	rundll32.exe

pid	process
2424
2424

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

F8DC.exerundll32.exe

description	pid	process	target process
PID 2424 wrote to memory of 4936	2424		F8DC.exe
PID 2424 wrote to memory of 4936	2424		F8DC.exe
PID 2424 wrote to memory of 4936	2424		F8DC.exe
PID 4936 wrote to memory of 4836	4936	F8DC.exe	rundll32.exe
PID 4936 wrote to memory of 4836	4936	F8DC.exe	rundll32.exe
PID 4936 wrote to memory of 4836	4936	F8DC.exe	rundll32.exe
PID 4836 wrote to memory of 3624	4836	rundll32.exe	rundll32.exe
PID 4836 wrote to memory of 3624	4836	rundll32.exe	rundll32.exe
PID 4836 wrote to memory of 3624	4836	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe
"C:\Users\Admin\AppData\Local\Temp\a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4612

C:\Users\Admin\AppData\Local\Temp\F8DC.exe
C:\Users\Admin\AppData\Local\Temp\F8DC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 536
2⤵
- Program crash
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4936 -ip 4936
1⤵
PID:3708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3104

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_wob.dll",ij1NRVlHVA==
2⤵
PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll
Filesize
726KB

MD5
121f0292c99908701253c6f030636f97

SHA1
dbe1a8ebd5e1c394fe89a2ca8eb863e4c0b45bca

SHA256
7937a5e46fae86457d213a83bec0575eacc0bf464e1184d8e3ddcca03511340d

SHA512
535222a50829d6773c99d32c7adc562452d25d84bef1466d29ac4bd9fcc01e82c609987008877d2b5e63eb6f2d5fc9aa27e0c863f8f16d3b68954316196c98fa

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll
Filesize
726KB

MD5
121f0292c99908701253c6f030636f97

SHA1
dbe1a8ebd5e1c394fe89a2ca8eb863e4c0b45bca

SHA256
7937a5e46fae86457d213a83bec0575eacc0bf464e1184d8e3ddcca03511340d

SHA512
535222a50829d6773c99d32c7adc562452d25d84bef1466d29ac4bd9fcc01e82c609987008877d2b5e63eb6f2d5fc9aa27e0c863f8f16d3b68954316196c98fa

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe.xml
Filesize
849B

MD5
cff245d69fe04eec05ce3601d77467b6

SHA1
d09b1d953eea98ef0b0fcec5936fc806940f7717

SHA256
40d6a0b80770bf41ddc0a3b3607ac53eb82d0f90675e5a595a18cd3f8bdf3d94

SHA512
4615affbbc7163076cbc82a8e65cd5d168d1411a028b47bddd0ec5219e08037304de1d14ae1fa659909760150edf5401e698c9f6252674eb4e84dec341aa3666

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
2a50749dcd76166d8c08c54e0183c8ad

SHA1
91bdf6521e4201d0c4ceef89a301e622b9cfefa5

SHA256
c20373e7134051ef91e88637b470e4ec00029ca53dbf4a824b62dd4e574f260a

SHA512
e146781efbfc73e71c22e210b3d4f89fb2730f135c42e3849a5b3b0adcfc9f3a95574a106834f935ee14ad2e278fbb906a2824dd6c0881d80b836a83040769ff

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\overlay.png
Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\s640.hash
Filesize
106B

MD5
bef40d5a19278ca19b56fbcdde7e26ef

SHA1
4f01d5b8de038e120c64bd7cc22cf150af1452fb

SHA256
7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

SHA512
5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
Filesize
121B

MD5
70bdaa5c409965a452e47aa001033c53

SHA1
594fad49def244b2a459ddd86bf1763e190917e3

SHA256
433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58

SHA512
62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8DC.exe
Filesize
1.1MB

MD5
52939ddac663150e902b58fdbb2d7b75

SHA1
a311ef6a1728ec247963a8b276da6f94d0d0a50c

SHA256
73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

SHA512
6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8DC.exe
Filesize
1.1MB

MD5
52939ddac663150e902b58fdbb2d7b75

SHA1
a311ef6a1728ec247963a8b276da6f94d0d0a50c

SHA256
73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

SHA512
6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_wob.dll
Filesize
726KB

MD5
121f0292c99908701253c6f030636f97

SHA1
dbe1a8ebd5e1c394fe89a2ca8eb863e4c0b45bca

SHA256
7937a5e46fae86457d213a83bec0575eacc0bf464e1184d8e3ddcca03511340d

SHA512
535222a50829d6773c99d32c7adc562452d25d84bef1466d29ac4bd9fcc01e82c609987008877d2b5e63eb6f2d5fc9aa27e0c863f8f16d3b68954316196c98fa

Download Submit
memory/3104-163-0x0000000003000000-0x0000000003725000-memory.dmp

Filesize
7.1MB

Download
memory/3624-155-0x000001D3CE300000-0x000001D3CE440000-memory.dmp

Filesize
1.2MB

Download
memory/3624-158-0x000001D3CCAC0000-0x000001D3CCCEA000-memory.dmp

Filesize
2.2MB

Download
memory/3624-153-0x00007FF734666890-mapping.dmp

Download
memory/3624-157-0x0000000000580000-0x0000000000799000-memory.dmp

Filesize
2.1MB

Download
memory/3624-154-0x000001D3CE300000-0x000001D3CE440000-memory.dmp

Filesize
1.2MB

Download
memory/3984-168-0x0000000000000000-mapping.dmp

Download
memory/4612-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4612-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4612-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/4612-132-0x00000000005D9000-0x00000000005EE000-memory.dmp

Filesize
84KB

Download
memory/4836-150-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-147-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-151-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-152-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-159-0x00000000052F0000-0x0000000005A15000-memory.dmp

Filesize
7.1MB

Download
memory/4836-149-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-148-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-156-0x00000000044D9000-0x00000000044DB000-memory.dmp

Filesize
8KB

Download
memory/4836-145-0x00000000052F0000-0x0000000005A15000-memory.dmp

Filesize
7.1MB

Download
memory/4836-146-0x00000000052F0000-0x0000000005A15000-memory.dmp

Filesize
7.1MB

Download
memory/4836-139-0x0000000000000000-mapping.dmp

Download
memory/4936-143-0x0000000002220000-0x0000000002335000-memory.dmp

Filesize
1.1MB

Download
memory/4936-142-0x0000000001FE9000-0x00000000020BF000-memory.dmp

Filesize
856KB

Download
memory/4936-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4936-136-0x0000000000000000-mapping.dmp

Download