danabot | 1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe
Size

218KB
MD5

4e5d5bb87c7124a8499561f7cf9aaae1
SHA1

0f3bbe5b06c4d18e35a4c8d0da928e4d4c2e3675
SHA256

1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d
SHA512

11bb1546f3c379329a89c8ef88d7ea5a88bbefd46579b2d144f99d74f7ac994fe1613e9ff30ec8695185f87034c25e6ef8e40d1f090bfdf7bcdb7ff9e1e2d30b
SSDEEP

3072:KgPdJqLfSt9R370ZL8IElanwOB8abX7bm7b/eUKKw7NHCDml:K03qL69omIE+TB8ab+a5Ca

Score

10^/10

danabot smokeloader systembc backdoor banker discovery persistence trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

35 2956 rundll32.exe
38 2956 rundll32.exe
61 2956 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

E554.exeFC57.exelbdt.exewhsifrw

pid process

2852 E554.exe
5012 FC57.exe
3116 lbdt.exe
4372 whsifrw

flow	pid	process
35	2956	rundll32.exe
38	2956	rundll32.exe
61	2956	rundll32.exe

pid	process
2852	E554.exe
5012	FC57.exe
3116	lbdt.exe
4372	whsifrw

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ended_review_or_form\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\ended_review_or_form.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ended_review_or_form\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\ended_review_or_form.dll\uff00"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ended_review_or_form\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalServiceĀ"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2956 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2956 set thread context of 4288 2956 rundll32.exe rundll32.exe

pid	process
2956	rundll32.exe

description	pid	process	target process
PID 2956 set thread context of 4288	2956	rundll32.exe	rundll32.exe

Drops file in Program Files directory 38 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobepdf.xdc	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-hover.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\UnifiedShare.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AppCenter_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_xd.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe

Drops file in Windows directory 2 IoCs

Processes:

FC57.exe

description ioc process

File created C:\Windows\Tasks\lbdt.job FC57.exe
File opened for modification C:\Windows\Tasks\lbdt.job FC57.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2672 2852 WerFault.exe E554.exe
4956 5012 WerFault.exe FC57.exe

description	ioc	process
File created	C:\Windows\Tasks\lbdt.job	FC57.exe
File opened for modification	C:\Windows\Tasks\lbdt.job	FC57.exe

pid	pid_target	process	target process
2672	2852	WerFault.exe	E554.exe
4956	5012	WerFault.exe	FC57.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exewhsifrw

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	whsifrw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	whsifrw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	whsifrw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009455795a100054656d7000003a0009000400efbe6b557d6c94557c5a2e00000000000000000000000000000000000000000000000000bca52300540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2096

pid	process
2096

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe

pid	process
1980	1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe
1980	1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096
2096

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2096
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exewhsifrw

pid process

1980 1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe
4372 whsifrw

pid	process
2096

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096
Token: SeShutdownPrivilege	2096
Token: SeCreatePagefilePrivilege	2096

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4288 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2096
2096

pid	process
4288	rundll32.exe

pid	process
2096
2096

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

E554.exerundll32.exe

description	pid	process	target process
PID 2096 wrote to memory of 2852	2096		E554.exe
PID 2096 wrote to memory of 2852	2096		E554.exe
PID 2096 wrote to memory of 2852	2096		E554.exe
PID 2852 wrote to memory of 2956	2852	E554.exe	rundll32.exe
PID 2852 wrote to memory of 2956	2852	E554.exe	rundll32.exe
PID 2852 wrote to memory of 2956	2852	E554.exe	rundll32.exe
PID 2096 wrote to memory of 5012	2096		FC57.exe
PID 2096 wrote to memory of 5012	2096		FC57.exe
PID 2096 wrote to memory of 5012	2096		FC57.exe
PID 2956 wrote to memory of 4288	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 4288	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 4288	2956	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe
"C:\Users\Admin\AppData\Local\Temp\1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1980

C:\Users\Admin\AppData\Local\Temp\E554.exe
C:\Users\Admin\AppData\Local\Temp\E554.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 536
2⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2852 -ip 2852
1⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\FC57.exe
C:\Users\Admin\AppData\Local\Temp\FC57.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 956
2⤵
- Program crash
PID:4956

C:\ProgramData\oaaeulk\lbdt.exe
C:\ProgramData\oaaeulk\lbdt.exe start
1⤵
- Executes dropped EXE
PID:3116

C:\Users\Admin\AppData\Roaming\whsifrw
C:\Users\Admin\AppData\Roaming\whsifrw
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5012 -ip 5012
1⤵
PID:4840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:5096

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\ended_review_or_form.dll",mV08N1BEbk4=
2⤵
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.dll
Filesize
797KB

MD5
370861c41bc5fb2b244bc4b621b21539

SHA1
356d6be9e8853a1778c1b26fbfed34f624bf74cd

SHA256
29a6bbbc7acf35322d1ff6262f47fa3d8b2e8e8d6f40e33c0e4ee5f48e542993

SHA512
a19d75545345461e4592a5b0944f9026c03b2f7f94df95fcd8624617db54e1f4790c3b86b218bf0651e61d1c79be8e7cb840b7d472f052ffe9cd29b96d71b755

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.dll
Filesize
797KB

MD5
370861c41bc5fb2b244bc4b621b21539

SHA1
356d6be9e8853a1778c1b26fbfed34f624bf74cd

SHA256
29a6bbbc7acf35322d1ff6262f47fa3d8b2e8e8d6f40e33c0e4ee5f48e542993

SHA512
a19d75545345461e4592a5b0944f9026c03b2f7f94df95fcd8624617db54e1f4790c3b86b218bf0651e61d1c79be8e7cb840b7d472f052ffe9cd29b96d71b755

Download Submit
C:\ProgramData\oaaeulk\lbdt.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\oaaeulk\lbdt.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch
Filesize
262B

MD5
0c19329f1a0959d6e069dd77dc32e7fc

SHA1
8216c5d18000ff6c11f0b562a85d650b3e07da7c

SHA256
ca469f2580e20b3d1077355a1e0e673be724ac15ab15e859b7bc3bcf60854120

SHA512
fbbe1626c32f7b77c77fa1e0e5f0c22562d3bdc15a4290cf300625efa782c31d9ac461ea2b6552dbc42f16137bfc226d98ee2f002a353245eae6afca873e912d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\DesktopSettings2013.xml
Filesize
17KB

MD5
c6b6b07071e0f8ff39f5941a3169b20c

SHA1
d77fd2513ac3cb9b8595424d1f695fce21e33d96

SHA256
f8b710777d2c0105e74ee27ee6dfc8e43ca4ff7e14b4dba390eb72dad20705bd

SHA512
167ab504d6e4c91239f8239722aba17a7f6748fb3e8ee750b2d3f3fd677e6646a8149c8b956513cb2e90722196471865591215938cea8444fdf2e5cff180fdec

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
b8ba06d2f04c201f49bde6f9312308a8

SHA1
2d0c31f2349fec4667c4c1bbf35be65c2be4059e

SHA256
89c8cdce65ca319b169e8a7dfe96e2bc7edc5736800ffc1d6f5bc91c43b75fd4

SHA512
25b948f3046cc353cc164f1d96c8808a41e7b641a66b6da2c9b3455970f9f40d4c39ceb431f663be88a6aa2c5550aa78d18233ba3bb1ce9ed9890301c6d714d7

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
d23fed404d850404c4e27109f04d25dc

SHA1
57e507639a1e9a1f528ff8a740346bf6e6a04118

SHA256
6aed7540212658c15bd69c10a8cbc253c8731c17520d1abba756fe336e4a4c82

SHA512
f69209ed141d79b6bf483f49a79359abcc978ebd16c9e3156f6159d68ff28e730ef059b899988f530ff347383e2dc89aadd6bd0280b9c3525e75f205059defe5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.BioEnrollment_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
3KB

MD5
3e0786e68ac00141fd51790c561c60ef

SHA1
96f2bdc8310d74e466bd8ef0931baaa2f276de03

SHA256
1545f3cf4b4c17d52c387e560dcb777e1748757c1dbb18788080d9dac64a82a6

SHA512
cdcecba2775b627e9e6fce205166e2f0f9af9550ed838689c586c707c29d6d7e7a5daa03814b0c95f5da3b8b2d2366b77e5011a8cad8fac448feaa96679353f2

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe.xml
Filesize
9KB

MD5
993d82e37af681bd65f1d428b6ee281e

SHA1
bb1a8402cfccd1d97ea58d6136847a4dd1ba0f65

SHA256
1bc1d4525a46e58edd165a9d792f50441ea3cbcecd14022dc112e02f3d9b5bf8

SHA512
4eb247e384ffa84460e43abe7563643de30f397b628c02f3e6e51c69669d5d7b8be6ebe51355586e5cd5a252652e0eef7f1bd0219b416b61e1db318db4ac833c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
Filesize
2KB

MD5
c8d6f0d26db52746e243b785c269cacd

SHA1
b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1

SHA256
d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21

SHA512
c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
Filesize
17KB

MD5
88edd5a41ab82f584c96038657f61fa0

SHA1
7196dd2233a620172932cbe75afc1eae004de540

SHA256
fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5

SHA512
d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
6KB

MD5
d218cf550fbd777e789242cafb804d10

SHA1
05175dd84f05a7989944e48db6a811c297fa47e3

SHA256
8143763940b906ea93cd7288a08f251203d9f21da5282a6c20201ea7530df8c4

SHA512
9134ace4de9b6bae58b161af4ede7ca9b24bd396c6b1e24ec8301ecb90278bc8b61d7600be7248b2f35acc49b83fcd627045f18c61ee57a2da0e19d61330261d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftSkypeForBusiness2016Win64.xml
Filesize
2KB

MD5
bd044f090776619270e4e49b20dd006f

SHA1
8279e5b49f7322f11364ff10d694578b56fafcd2

SHA256
40ad82a3af39ac5ecca299f7d0c57a8de41c75c96e2c0fa49c0dcb5b442f14cf

SHA512
19214b4e046c1146ca1e06a35f69daaccf604b7fb42f6d6050794874e4bab03c6bbff66e68e7d9243265c246126d9231fe24ff633a6adcbcffd7a0831f91deaf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\abcpy.ini
Filesize
608B

MD5
818d3a4899c5596d8d8da00a87e6d8bb

SHA1
4e0e04f5ca5d81661702877852fd9d059722762f

SHA256
9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d

SHA512
1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\behavior.xml
Filesize
1KB

MD5
6c23b0f54e5c427ff8f3db170b62616f

SHA1
44f1d0f71cbab0e05d9a563bf9e92759898ca4e9

SHA256
7cfdc107f1bc076ca39ee36960bbb1d64a6c9faac9ba73a106f6e85224da4a1b

SHA512
f511e1aa2f7dcac52ad5452ef8e9e403a77b55a6e9c7bf8248db00e85cee61f1e28ebe6470084a1f22cf64664b8a9ec84975afda1e26e348b4948de4583313a6

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml
Filesize
1KB

MD5
93a100713ff56b66e15f984d3100aab7

SHA1
4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656

SHA256
0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26

SHA512
df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\user-40.png
Filesize
525B

MD5
3bde564b05fe619b8082900b5c83b536

SHA1
656b402ff5e478471b1053e50ed8e5bfcc011a11

SHA256
1fa751b71307c22ceb94e3af09688c0e123b26ae8c16e1c521510f309bca4308

SHA512
00303409ca69ee71e6e2702d8f06a8ee5418d01e2e0f726394042b0af4b6a5b35f66d5a70664f031feb7e28d13c124b5d08e4b3998b443a2cba3574c4996ca0b

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\wlidsvcconfig.xml
Filesize
12KB

MD5
f9f25c79e2df9c8c8209b5d052a557b0

SHA1
2d4a14e2df96245a599bacb530e396c2900a5b61

SHA256
385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5

SHA512
7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E554.exe
Filesize
1.1MB

MD5
c8beb87469647c6fb577d2bfec8e0fcd

SHA1
dcbbd759d34cb4d23c53d67943c47a250ee32767

SHA256
c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6

SHA512
678bbc9fcaa886d4babf499303afdbdf737d0e98d830bc404bcd74255742595229fa99c757f2b6c90b729b3fe260faecd2928405aaa641d774fda96fd80870fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E554.exe
Filesize
1.1MB

MD5
c8beb87469647c6fb577d2bfec8e0fcd

SHA1
dcbbd759d34cb4d23c53d67943c47a250ee32767

SHA256
c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6

SHA512
678bbc9fcaa886d4babf499303afdbdf737d0e98d830bc404bcd74255742595229fa99c757f2b6c90b729b3fe260faecd2928405aaa641d774fda96fd80870fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC57.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC57.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Roaming\whsifrw
Filesize
218KB

MD5
4e5d5bb87c7124a8499561f7cf9aaae1

SHA1
0f3bbe5b06c4d18e35a4c8d0da928e4d4c2e3675

SHA256
1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d

SHA512
11bb1546f3c379329a89c8ef88d7ea5a88bbefd46579b2d144f99d74f7ac994fe1613e9ff30ec8695185f87034c25e6ef8e40d1f090bfdf7bcdb7ff9e1e2d30b

Download Submit
C:\Users\Admin\AppData\Roaming\whsifrw
Filesize
218KB

MD5
4e5d5bb87c7124a8499561f7cf9aaae1

SHA1
0f3bbe5b06c4d18e35a4c8d0da928e4d4c2e3675

SHA256
1c01bfb3c6c8e8d8e41f58d91f39e9bc3f2565e608c44530deab1c21311d1f1d

SHA512
11bb1546f3c379329a89c8ef88d7ea5a88bbefd46579b2d144f99d74f7ac994fe1613e9ff30ec8695185f87034c25e6ef8e40d1f090bfdf7bcdb7ff9e1e2d30b

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\ended_review_or_form.dll
Filesize
797KB

MD5
370861c41bc5fb2b244bc4b621b21539

SHA1
356d6be9e8853a1778c1b26fbfed34f624bf74cd

SHA256
29a6bbbc7acf35322d1ff6262f47fa3d8b2e8e8d6f40e33c0e4ee5f48e542993

SHA512
a19d75545345461e4592a5b0944f9026c03b2f7f94df95fcd8624617db54e1f4790c3b86b218bf0651e61d1c79be8e7cb840b7d472f052ffe9cd29b96d71b755

Download Submit
memory/1980-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1980-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1980-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/1980-132-0x00000000006D8000-0x00000000006E9000-memory.dmp

Filesize
68KB

Download
memory/2096-143-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-154-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-136-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-137-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-170-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/2096-138-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-169-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/2096-165-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/2096-158-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/2096-150-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-151-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-153-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/2096-157-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-156-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-155-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-139-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-152-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-148-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-149-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-147-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-146-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-144-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-145-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-142-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-141-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2096-140-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2852-159-0x0000000000000000-mapping.dmp

Download
memory/2852-168-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2852-167-0x00000000022A0000-0x00000000023D0000-memory.dmp

Filesize
1.2MB

Download
memory/2852-166-0x00000000021A2000-0x0000000002291000-memory.dmp

Filesize
956KB

Download
memory/2956-178-0x0000000005390000-0x0000000005AB5000-memory.dmp

Filesize
7.1MB

Download
memory/2956-186-0x0000000005BC0000-0x0000000005D00000-memory.dmp

Filesize
1.2MB

Download
memory/2956-162-0x0000000000000000-mapping.dmp

Download
memory/2956-177-0x0000000005390000-0x0000000005AB5000-memory.dmp

Filesize
7.1MB

Download
memory/2956-179-0x0000000005BC0000-0x0000000005D00000-memory.dmp

Filesize
1.2MB

Download
memory/2956-199-0x0000000005390000-0x0000000005AB5000-memory.dmp

Filesize
7.1MB

Download
memory/2956-180-0x0000000005BC0000-0x0000000005D00000-memory.dmp

Filesize
1.2MB

Download
memory/2956-185-0x0000000005BC0000-0x0000000005D00000-memory.dmp

Filesize
1.2MB

Download
memory/2956-187-0x0000000005BC0000-0x0000000005D00000-memory.dmp

Filesize
1.2MB

Download
memory/2956-192-0x0000000005C39000-0x0000000005C3B000-memory.dmp

Filesize
8KB

Download
memory/2956-188-0x0000000005BC0000-0x0000000005D00000-memory.dmp

Filesize
1.2MB

Download
memory/3116-184-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3116-183-0x00000000006E2000-0x00000000006F3000-memory.dmp

Filesize
68KB

Download
memory/3648-226-0x0000000003F90000-0x00000000046B5000-memory.dmp

Filesize
7.1MB

Download
memory/3648-221-0x0000000000000000-mapping.dmp

Download
memory/3648-224-0x0000000003F90000-0x00000000046B5000-memory.dmp

Filesize
7.1MB

Download
memory/3648-225-0x0000000003F90000-0x00000000046B5000-memory.dmp

Filesize
7.1MB

Download
memory/4288-191-0x0000029340320000-0x0000029340460000-memory.dmp

Filesize
1.2MB

Download
memory/4288-193-0x0000000000680000-0x0000000000899000-memory.dmp

Filesize
2.1MB

Download
memory/4288-194-0x000002933E950000-0x000002933EB7A000-memory.dmp

Filesize
2.2MB

Download
memory/4288-190-0x0000029340320000-0x0000029340460000-memory.dmp

Filesize
1.2MB

Download
memory/4288-189-0x00007FF6624A6890-mapping.dmp

Download
memory/4372-200-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4372-198-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4372-197-0x0000000000709000-0x0000000000719000-memory.dmp

Filesize
64KB

Download
memory/5012-174-0x0000000000679000-0x000000000068A000-memory.dmp

Filesize
68KB

Download
memory/5012-175-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/5012-176-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5012-171-0x0000000000000000-mapping.dmp

Download
memory/5012-201-0x0000000000679000-0x000000000068A000-memory.dmp

Filesize
68KB

Download
memory/5012-202-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5096-220-0x00000000035C0000-0x0000000003CE5000-memory.dmp

Filesize
7.1MB

Download
memory/5096-206-0x00000000035C0000-0x0000000003CE5000-memory.dmp

Filesize
7.1MB

Download