danabot | 7c790cb2f253102366ed85cc6c3f765a29116b33ec26a91d2ba57a66e6940ee4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe
Size

215KB
MD5

3b17f10ec44f19f0e4e05fb5c3d5fb20
SHA1

9afeff022ddd92b6dac4017dcc272a1497820105
SHA256

8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820
SHA512

bd4eb7e6ca93544df0f75a18530292aaed0e02e2e42bfe0961d5e8f1a9bcbf5404e6f5799bec59cb33dd84a5b827195cc7fc961df07ca0632b18783e20955d15
SSDEEP

3072:JekQL87GOaRWHf7ucni1rKjsECwfMIawaNRAtOba+lhgjcbImdzmuX:JLQL8GoHTuc8e7CR/30agjcbXF

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1392-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

28 2012 rundll32.exe
30 2012 rundll32.exe
56 2012 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

DE3F.exe

pid process

2624 DE3F.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2012 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2012 set thread context of 3628 2012 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2876 2624 WerFault.exe DE3F.exe

flow	pid	process
28	2012	rundll32.exe
30	2012	rundll32.exe
56	2012	rundll32.exe

pid	process
2624	DE3F.exe

pid	process
2012	rundll32.exe

description	pid	process	target process
PID 2012 set thread context of 3628	2012	rundll32.exe	rundll32.exe

pid	pid_target	process	target process
2876	2624	WerFault.exe	DE3F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355e5a0100054656d7000003a0009000400efbe6b557d6c9355eaa02e0000000000000000000000000000000000000000000000000095880c01540065006d007000000014000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2020

pid	process
2020

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe

pid	process
1392	8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe
1392	8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2020
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe

pid process

1392 8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe

pid	process
2020

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3628 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2020
2020

pid	process
3628	rundll32.exe

pid	process
2020
2020

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DE3F.exerundll32.exe

description	pid	process	target process
PID 2020 wrote to memory of 2624	2020		DE3F.exe
PID 2020 wrote to memory of 2624	2020		DE3F.exe
PID 2020 wrote to memory of 2624	2020		DE3F.exe
PID 2624 wrote to memory of 2012	2624	DE3F.exe	rundll32.exe
PID 2624 wrote to memory of 2012	2624	DE3F.exe	rundll32.exe
PID 2624 wrote to memory of 2012	2624	DE3F.exe	rundll32.exe
PID 2012 wrote to memory of 3628	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 3628	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 3628	2012	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe
"C:\Users\Admin\AppData\Local\Temp\8a2d5eb9812c117d72f8192ab9709a20e392bf3527671026b79594db7c0a6820.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1392

C:\Users\Admin\AppData\Local\Temp\DE3F.exe
C:\Users\Admin\AppData\Local\Temp\DE3F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 220
2⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2624 -ip 2624
1⤵
PID:2996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:904

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\drvdx9.dll",YQBhSHNDZA==
2⤵
PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\drvDX9.dll

Filesize
797KB

MD5
ab8cf2a28abb7a430fb36ef87a46730d

SHA1
89c8ca326be448e251b0a179f27058f8d5ab4645

SHA256
aa9860a990250ce2098da5df9a21e2b21f394e338dc510f61d8d35e70550f460

SHA512
45566694accd88ffa15c22819bdd644a38eeaf4db1e306385acfc67da0d5369263cd6f6c1eac24a384a1dbf15e5da9fc3c12e6dbbc0f738345a5cc0bacb9e1c4

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\drvDX9.dll

Filesize
797KB

MD5
ab8cf2a28abb7a430fb36ef87a46730d

SHA1
89c8ca326be448e251b0a179f27058f8d5ab4645

SHA256
aa9860a990250ce2098da5df9a21e2b21f394e338dc510f61d8d35e70550f460

SHA512
45566694accd88ffa15c22819bdd644a38eeaf4db1e306385acfc67da0d5369263cd6f6c1eac24a384a1dbf15e5da9fc3c12e6dbbc0f738345a5cc0bacb9e1c4

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
6b84fcfc480e341a556fae93aa6d1052

SHA1
9e12adb5724516f98b74077106ae311109c227cf

SHA256
cf81ec040d4d8f8d3c5afddf1978d0e57cb395ac295ab0ededdbec459efe77fb

SHA512
c27c5aead8cc33733ab0c65b3d8ecd22455c33bb8558a8fde6157750fca76da2bf8332601502337779db51d4c8f9ff24224a1595d3dd91c9630ef0611856b258

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe.xml

Filesize
7KB

MD5
b290178a94a0bd93830d5714c11f9681

SHA1
9dd5d3337117568b6423a32dff9baf14fb11e73c

SHA256
5876d6a887dd7db15a3bea28e71c0aa044023eafb1eed8ca9356035f5943249c

SHA512
ef5af5bc01510ea6e865e11a94bcf67966a01930fcdd9ab10bcb854a06976f59c909bd10e9ff3ef0aea53bad9a4af510401c05ada4c017e45ff512a127dea9fb

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml

Filesize
6KB

MD5
e2a07f037256d69937145aea357735fe

SHA1
07ce3d26f68b90604543f441bf75f57fbf6f5f99

SHA256
0f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257

SHA512
f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
27KB

MD5
1cef1a17af19cd221b168384320770e5

SHA1
1b694f2e2c2f87becfd9d4d1b271843c928dbfc4

SHA256
cf103015c20fbe6aebd3b83104eb034f2ff6e40187296a5a7e71a9f77013294b

SHA512
61a7f84dc4970a564056407549bc3664bf67d18a93f86a2be73ea39d8fb5d7007bb7531d881e516196c5139c1c5f67d7b602d0b26dfd1f13ebba7e90e3b8c377

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2013Office365Win64.xml

Filesize
10KB

MD5
46353bb25b4eb2e9d26a25744c716563

SHA1
a9a9c2a1260542b5246fd642425dcc2a29a098c1

SHA256
3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893

SHA512
09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\utc.app.json

Filesize
4KB

MD5
698ab53163e6d1e3adcf0afd1eb51f87

SHA1
3b16e9895c947a8518b986a5e826230d1664eb10

SHA256
2b480c322e917aa7e0424ebe728dfaaf65fb72e3db19c301a6101dc922b5df2b

SHA512
f54943ac9c0d5eb705c0651f657d04fdabd9af7188538e6ef7ff5b94e78f0390fc75477c7bef5129cba081ea00bc967fb24a28e68809a338a98370cea5242204

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE3F.exe

Filesize
1.1MB

MD5
f54e72ec43ba9b6d7dcb039cc2ad48f6

SHA1
4dd3e8194b67d5e594eee18101bee38a69d1343a

SHA256
106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

SHA512
50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE3F.exe

Filesize
1.1MB

MD5
f54e72ec43ba9b6d7dcb039cc2ad48f6

SHA1
4dd3e8194b67d5e594eee18101bee38a69d1343a

SHA256
106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

SHA512
50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\drvdx9.dll

Filesize
797KB

MD5
ab8cf2a28abb7a430fb36ef87a46730d

SHA1
89c8ca326be448e251b0a179f27058f8d5ab4645

SHA256
aa9860a990250ce2098da5df9a21e2b21f394e338dc510f61d8d35e70550f460

SHA512
45566694accd88ffa15c22819bdd644a38eeaf4db1e306385acfc67da0d5369263cd6f6c1eac24a384a1dbf15e5da9fc3c12e6dbbc0f738345a5cc0bacb9e1c4

Download Submit
memory/904-164-0x0000000003650000-0x0000000003D75000-memory.dmp

Filesize
7.1MB

Download
memory/1280-170-0x0000000000000000-mapping.dmp

Download
memory/1392-132-0x00000000007E8000-0x00000000007F9000-memory.dmp

Filesize
68KB

Download
memory/1392-135-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1392-134-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1392-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2012-152-0x00000000056F0000-0x0000000005830000-memory.dmp

Filesize
1.2MB

Download
memory/2012-149-0x00000000056F0000-0x0000000005830000-memory.dmp

Filesize
1.2MB

Download
memory/2012-153-0x00000000056F0000-0x0000000005830000-memory.dmp

Filesize
1.2MB

Download
memory/2012-139-0x0000000000000000-mapping.dmp

Download
memory/2012-146-0x0000000004E50000-0x0000000005575000-memory.dmp

Filesize
7.1MB

Download
memory/2012-145-0x0000000004E50000-0x0000000005575000-memory.dmp

Filesize
7.1MB

Download
memory/2012-157-0x0000000005769000-0x000000000576B000-memory.dmp

Filesize
8KB

Download
memory/2012-148-0x00000000056F0000-0x0000000005830000-memory.dmp

Filesize
1.2MB

Download
memory/2012-147-0x00000000056F0000-0x0000000005830000-memory.dmp

Filesize
1.2MB

Download
memory/2012-160-0x0000000004E50000-0x0000000005575000-memory.dmp

Filesize
7.1MB

Download
memory/2012-150-0x00000000056F0000-0x0000000005830000-memory.dmp

Filesize
1.2MB

Download
memory/2012-151-0x0000000005769000-0x000000000576B000-memory.dmp

Filesize
8KB

Download
memory/2624-144-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2624-143-0x0000000002410000-0x0000000002540000-memory.dmp

Filesize
1.2MB

Download
memory/2624-142-0x000000000231D000-0x000000000240B000-memory.dmp

Filesize
952KB

Download
memory/2624-136-0x0000000000000000-mapping.dmp

Download
memory/3628-159-0x000002227E510000-0x000002227E73A000-memory.dmp

Filesize
2.2MB

Download
memory/3628-158-0x0000000000010000-0x0000000000229000-memory.dmp

Filesize
2.1MB

Download
memory/3628-155-0x000002227FD50000-0x000002227FE90000-memory.dmp

Filesize
1.2MB

Download
memory/3628-156-0x000002227FD50000-0x000002227FE90000-memory.dmp

Filesize
1.2MB

Download
memory/3628-154-0x00007FF762476890-mapping.dmp

Download