danabot | f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe
Size

310KB
MD5

f14580f740879c9230c6279de9884f5f
SHA1

34bbebb5cde36964e902c0aba70c971f207efa05
SHA256

f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72
SHA512

f73ce4acabdc3f761d54c6b77dd088b435ee0de35a6b6de2aab625c2aada603c358ee78a8c82144b5b975aec45cf4f68d93a9430568f12dc2a919a3a88a35dfc
SSDEEP

6144:H5zL35k5l27GmrryI0p5lGa0H4rWlRjO1n:HBj5k5QqmKnrlGaXrW9u

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-133-0x0000000002190000-0x0000000002199000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

37 5088 rundll32.exe
38 5088 rundll32.exe
55 5088 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

13E6.exe

pid process

1048 13E6.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5088 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 5088 set thread context of 2336 5088 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3916 1048 WerFault.exe 13E6.exe

flow	pid	process
37	5088	rundll32.exe
38	5088	rundll32.exe
55	5088	rundll32.exe

pid	process
1048	13E6.exe

pid	process
5088	rundll32.exe

description	pid	process	target process
PID 5088 set thread context of 2336	5088	rundll32.exe	rundll32.exe

pid	pid_target	process	target process
3916	1048	WerFault.exe	13E6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093551577100054656d7000003a0009000400efbe6b55586c93551a772e00000000000000000000000000000000000000000000000000ecdd6600540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2476

pid	process
2476

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe

pid	process
2956	f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe
2956	f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2476
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe

pid process

2956 f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe

pid	process
2476

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476
Token: SeShutdownPrivilege	2476
Token: SeCreatePagefilePrivilege	2476

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

2336 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2476
2476

pid	process
2336	rundll32.exe

pid	process
2476
2476

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

13E6.exerundll32.exe

description	pid	process	target process
PID 2476 wrote to memory of 1048	2476		13E6.exe
PID 2476 wrote to memory of 1048	2476		13E6.exe
PID 2476 wrote to memory of 1048	2476		13E6.exe
PID 1048 wrote to memory of 5088	1048	13E6.exe	rundll32.exe
PID 1048 wrote to memory of 5088	1048	13E6.exe	rundll32.exe
PID 1048 wrote to memory of 5088	1048	13E6.exe	rundll32.exe
PID 5088 wrote to memory of 2336	5088	rundll32.exe	rundll32.exe
PID 5088 wrote to memory of 2336	5088	rundll32.exe	rundll32.exe
PID 5088 wrote to memory of 2336	5088	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe
"C:\Users\Admin\AppData\Local\Temp\f99d35d14e88e96a1aeb242b4d7aae7f187a43e6b986e3ce55826e0c3c840d72.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2956

C:\Users\Admin\AppData\Local\Temp\13E6.exe
C:\Users\Admin\AppData\Local\Temp\13E6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 528
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1048 -ip 1048
1⤵
PID:3092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:2400

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\email_all.dll",cSBR
2⤵
PID:3580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.dll
Filesize
726KB

MD5
d61a9f88d8585a6cdc565e9384f6f5b8

SHA1
95b2e31d3eda913b5ae860db8a94b98055305e53

SHA256
82d262abdd86de3fd2c14a996e6f5897d40cef2e215bd2f5b36c31b8de045661

SHA512
b37cc9df4279c70886f4bfbb09fe830bebbb6ac0592fc1c3e8c0213ab64cd47971f4359cb91a5d646ab23aa839137fb355a13076828c27ba930bf3d52b965c59

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.dll
Filesize
726KB

MD5
d61a9f88d8585a6cdc565e9384f6f5b8

SHA1
95b2e31d3eda913b5ae860db8a94b98055305e53

SHA256
82d262abdd86de3fd2c14a996e6f5897d40cef2e215bd2f5b36c31b8de045661

SHA512
b37cc9df4279c70886f4bfbb09fe830bebbb6ac0592fc1c3e8c0213ab64cd47971f4359cb91a5d646ab23aa839137fb355a13076828c27ba930bf3d52b965c59

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch
Filesize
110B

MD5
37a1115747e63e1c0ead2c66301f22d3

SHA1
44339aa5b475ecc2669a69fa1850ffcbf6fc666e

SHA256
9496889b2cbda0bcb85b8ef91dc323107702c214ee37a7c1057b8fc9c8874589

SHA512
6ecc4b9f1d08bccc3f1ae111391e83b8a1ae3788f532ae3afac5ed91823891aaf6a56385e3856910730d312d5374c779bdab7760d82a685ee99c077a3180357d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\CiPT0000.001
Filesize
64KB

MD5
08c1446a011937f5608e5f2448443304

SHA1
53e7291e9b33e46a17d9514a6005302e79a36407

SHA256
c10595f1ade2f1adced14a578b437e6958adf631c01a4c167b14b6904eaf2680

SHA512
a7a339940faba59e5a07b715ae39df9de39a4e69913d8d347cd696709a3191483537d1c011a1bea2d5faa222bf768e33dbde5791d04458b7e14a3db494eb6b07

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DeploymentConfig.0.xml
Filesize
1KB

MD5
e4b9cc9585f7c7605c9b9ffbb6b2f621

SHA1
c0719259211262ee6f0fea428bba4fb5f7cfae08

SHA256
e3fe8fc8edfe491475b3ca4dc91b111e8b8ed5eac2594b12e86c2ca9e1da1477

SHA512
bbfae4ff1b1c5fe0ef2999ea0c2fc82ab392eb9780c3293626c519b12c00e0450f69db0942bd44afe2984f6a5a3d0bedc276da48d8a9654c7dc037e58d6bcad0

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AAD.BrokerPlugin_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy.xml
Filesize
3KB

MD5
98ae97fa11eb54bbf404e472b857093b

SHA1
859feeb045c84ad850bc67cac09a426d8ee1ff41

SHA256
e203064f61cceb8000a1483d3757cb25ee9adff3f6c91d5eeb82d3e237a76920

SHA512
66ab3c402757b769fd6c96ef7c05809b4ede4bb89a725ae03d8c461aae0bdc0b8c472033218d531604e47c9051d5e6768921d8de964a90f75f4aa6ae2e372487

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftLync2013Win64.xml
Filesize
2KB

MD5
e3a68bbd204d36868c6f5570e4576675

SHA1
bc5c44144e8e962c62f7febabdb3d0ba20a8162a

SHA256
11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac

SHA512
7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
568dd5b04186501d2ef08f29c78bb387

SHA1
ba614d66c3a9244a1ad2c0a337eedc151a35f5c2

SHA256
e49f85f0b26fcdacac7fbb45b6bd35e6f25ceeab175a1e3028573d754ba61e97

SHA512
7de3adfa36aeee0b1606aa7c56268592964462e0187bbd3778d03f8a335b53ab1e459665cf1895ce67da77f49dd57ad67a83850b7af8983ccadd3db58c720359

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
b9f3f18f2c77939229710f7f6a6c23e8

SHA1
368b5503b54cc3568e067463f34afd7971f43202

SHA256
83ff1d9d017a39e1feacc0292dacf313ff01c63663ea64aaddbeeca73938883d

SHA512
26bb475d0e4d1e276977fbb864e108b5895d6d9fc405a9c9e92527546cde186ee7e94ee4a08198c29076987ad028bb3dd5294d5a9117677672dc2a37e467e47b

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\VdiState.xml
Filesize
892B

MD5
05a593ddf82be0bb1f258c9d0585f75d

SHA1
6712a2dd452fc768e5d9f7cd3805d1592c27d676

SHA256
bf438bec47694988412b0b5d395e112ffd4376521c0cc9c523a2a8d265c3b6be

SHA512
f379ebcc30a0368757500677691d5429fc4a1876379fb83101f7183e844bed37577fcf836cbbcdd09ff696e24745fdc9aa3149c4d7ea1fdc7d9fe243d384ece4

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edb.chk
Filesize
8KB

MD5
21340b30b50bf39023c82c3f5f7e2191

SHA1
be30fd0676ee73ad765b60a8260b16fbb5aee75b

SHA256
44b356799549f16cb20a4bdd111b599c48d8f0ee05441e2a12999fa0e45a9ec4

SHA512
4b75fd293d2c659503d59045d5953c1d75d559775effc5babe0d358b15c1805cc4e6709940a647128da2cfbf191d8abee7c0f643b38858a80d6adcb7e66ffcaf

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edb00002.log
Filesize
64KB

MD5
1763dcf873d30e1e6e1fe3f4e42d8fdb

SHA1
5d7b561415247a42c49319a9df2f658177635aed

SHA256
1436666818b3e273989df89ef1fe862b71075911a58588d26d8e382a212c0f14

SHA512
daca0e4dd7069c465b4474b6302ac64b9d37b44766da6d988bad40eb18f6b5e645a41fcb8fbbdfd4561ecdd6899910ae6fe03d7da1e1a374357b94165ba9dd55

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\msoutilstat.etw.man
Filesize
111KB

MD5
c1e8b625377c75454266f9d172d2f77d

SHA1
68ee3ac1b685d68bfdc434f430b6158a98073807

SHA256
7847e5ba06ca0a834454a3c62ec343dcaa4339e6ef2ed5bd42e460ade5331628

SHA512
1f04e28609f08a8616c7d1ebecfa6949f1eb939b29386365e72d4263dfd13fe81d036c8f9fce41f18b1e008f47b76c7278a00a770542411f751641fe7d756d21

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\qmgr.db
Filesize
768KB

MD5
28162e7b1ec7202327a487f83d38a873

SHA1
ae1052802005d2f0e1aaf378bbba3a7c80176896

SHA256
53a3d757852db77bf8fda088c34d7759508f1c6af57e998aa1be96cba8557a17

SHA512
345cbbbb1a62ff1f340bd66b5afafa8de10eecbf1a5126eb0fae080914c4d1a09e69c93f3f84a70ac0443d0aeff530fbc187db4c3078ebb1443e36b527b6800b

Download Submit
C:\Users\Admin\AppData\Local\Temp\13E6.exe
Filesize
1.1MB

MD5
076f3ebdf25ab73e33b760c7171db59a

SHA1
76ec6960e35a5b4adb6886479355c9a93bddcc00

SHA256
57d4d742672d0b1a350de9a156f806404a137fe73c32363df3976a5205cade21

SHA512
8e40439ec3331b877b81ee3daf15bc647cdb00092e7d50bd5df47f322d200ea1e6e3e3d8cb3951c9d8d253ae8e56de0102f98f330a29d4ba950739feb7dddba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\13E6.exe
Filesize
1.1MB

MD5
076f3ebdf25ab73e33b760c7171db59a

SHA1
76ec6960e35a5b4adb6886479355c9a93bddcc00

SHA256
57d4d742672d0b1a350de9a156f806404a137fe73c32363df3976a5205cade21

SHA512
8e40439ec3331b877b81ee3daf15bc647cdb00092e7d50bd5df47f322d200ea1e6e3e3d8cb3951c9d8d253ae8e56de0102f98f330a29d4ba950739feb7dddba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\email_all.dll
Filesize
726KB

MD5
d61a9f88d8585a6cdc565e9384f6f5b8

SHA1
95b2e31d3eda913b5ae860db8a94b98055305e53

SHA256
82d262abdd86de3fd2c14a996e6f5897d40cef2e215bd2f5b36c31b8de045661

SHA512
b37cc9df4279c70886f4bfbb09fe830bebbb6ac0592fc1c3e8c0213ab64cd47971f4359cb91a5d646ab23aa839137fb355a13076828c27ba930bf3d52b965c59

Download Submit
memory/1048-143-0x0000000002330000-0x0000000002445000-memory.dmp

Filesize
1.1MB

Download
memory/1048-136-0x0000000000000000-mapping.dmp

Download
memory/1048-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1048-142-0x0000000002153000-0x0000000002229000-memory.dmp

Filesize
856KB

Download
memory/2336-156-0x000001A45BE70000-0x000001A45BFB0000-memory.dmp

Filesize
1.2MB

Download
memory/2336-157-0x00000000001B0000-0x00000000003C9000-memory.dmp

Filesize
2.1MB

Download
memory/2336-158-0x000001A45A630000-0x000001A45A85A000-memory.dmp

Filesize
2.2MB

Download
memory/2336-155-0x000001A45BE70000-0x000001A45BFB0000-memory.dmp

Filesize
1.2MB

Download
memory/2336-153-0x00007FF79F2B6890-mapping.dmp

Download
memory/2400-164-0x0000000003590000-0x0000000003CB5000-memory.dmp

Filesize
7.1MB

Download
memory/2400-163-0x0000000003590000-0x0000000003CB5000-memory.dmp

Filesize
7.1MB

Download
memory/2956-133-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/2956-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-132-0x00000000006B8000-0x00000000006CD000-memory.dmp

Filesize
84KB

Download
memory/3580-176-0x0000000000000000-mapping.dmp

Download
memory/5088-159-0x00000000047B0000-0x0000000004ED5000-memory.dmp

Filesize
7.1MB

Download
memory/5088-146-0x00000000047B0000-0x0000000004ED5000-memory.dmp

Filesize
7.1MB

Download
memory/5088-145-0x00000000047B0000-0x0000000004ED5000-memory.dmp

Filesize
7.1MB

Download
memory/5088-148-0x0000000004FE0000-0x0000000005120000-memory.dmp

Filesize
1.2MB

Download
memory/5088-147-0x0000000004FE0000-0x0000000005120000-memory.dmp

Filesize
1.2MB

Download
memory/5088-149-0x0000000004FE0000-0x0000000005120000-memory.dmp

Filesize
1.2MB

Download
memory/5088-139-0x0000000000000000-mapping.dmp

Download
memory/5088-150-0x0000000004FE0000-0x0000000005120000-memory.dmp

Filesize
1.2MB

Download
memory/5088-151-0x0000000004FE0000-0x0000000005120000-memory.dmp

Filesize
1.2MB

Download
memory/5088-152-0x0000000004FE0000-0x0000000005120000-memory.dmp

Filesize
1.2MB

Download
memory/5088-154-0x0000000005059000-0x000000000505B000-memory.dmp

Filesize
8KB

Download