danabot | eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

218KB
MD5

fc5b8196fdcab0454747420f33347e53
SHA1

e6c81c9d28dfefaec07c60485776ca8299dbb83c
SHA256

eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1
SHA512

feee13743922d97a685db172f93aa300fcb1e1a44c814d51c46461a65c4aae57dce0c6288e227ba99003200c37ab32e70c3f5aa79ef4898d97199f2bd26553ac
SSDEEP

3072:VloBonOLHf6CgHR6XqjhnBmK09E7Cin0Ah7b/6jpFBTnNHCDml:VaB4OL/1Z0Wi7CinV5oDCa

Score

10^/10

danabot smokeloader systembc backdoor banker discovery trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/676-133-0x00000000005A0000-0x00000000005A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

61 3748 rundll32.exe
119 3748 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

85C.exe3C4E.exettsreadfhcge.exe

pid process

3692 85C.exe
3560 3C4E.exe
4004 ttsread
4412 fhcge.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3748 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3748 set thread context of 4676 3748 rundll32.exe rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

3C4E.exe

description ioc process

File created C:\Windows\Tasks\fhcge.job 3C4E.exe
File opened for modification C:\Windows\Tasks\fhcge.job 3C4E.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3900 3692 WerFault.exe 85C.exe
4848 3560 WerFault.exe 3C4E.exe

flow	pid	process
61	3748	rundll32.exe
119	3748	rundll32.exe

pid	process
3692	85C.exe
3560	3C4E.exe
4004	ttsread
4412	fhcge.exe

pid	process
3748	rundll32.exe

description	pid	process	target process
PID 3748 set thread context of 4676	3748	rundll32.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\fhcge.job	3C4E.exe
File opened for modification	C:\Windows\Tasks\fhcge.job	3C4E.exe

pid	pid_target	process	target process
3900	3692	WerFault.exe	85C.exe
4848	3560	WerFault.exe	3C4E.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ttsreadfile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ttsread
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ttsread
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ttsread
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094553a5e100054656d7000003a0009000400efbe0c55199994553b5e2e00000000000000000000000000000000000000000000000000dfb9fa00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

744

pid	process
744

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
676	file.exe
676	file.exe
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

744
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exettsread

pid process

676 file.exe
4004 ttsread

pid	process
744

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4676 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

744
744

pid	process
4676	rundll32.exe

pid	process
744
744

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

85C.exerundll32.exe

description	pid	process	target process
PID 744 wrote to memory of 3692	744		85C.exe
PID 744 wrote to memory of 3692	744		85C.exe
PID 744 wrote to memory of 3692	744		85C.exe
PID 3692 wrote to memory of 3748	3692	85C.exe	rundll32.exe
PID 3692 wrote to memory of 3748	3692	85C.exe	rundll32.exe
PID 3692 wrote to memory of 3748	3692	85C.exe	rundll32.exe
PID 744 wrote to memory of 3560	744		3C4E.exe
PID 744 wrote to memory of 3560	744		3C4E.exe
PID 744 wrote to memory of 3560	744		3C4E.exe
PID 3748 wrote to memory of 4676	3748	rundll32.exe	rundll32.exe
PID 3748 wrote to memory of 4676	3748	rundll32.exe	rundll32.exe
PID 3748 wrote to memory of 4676	3748	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:676

C:\Users\Admin\AppData\Local\Temp\85C.exe
C:\Users\Admin\AppData\Local\Temp\85C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14144
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 528
2⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3692 -ip 3692
1⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\3C4E.exe
C:\Users\Admin\AppData\Local\Temp\3C4E.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 956
2⤵
- Program crash
PID:4848

C:\Users\Admin\AppData\Roaming\ttsread
C:\Users\Admin\AppData\Roaming\ttsread
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4004

C:\ProgramData\kkwjbs\fhcge.exe
C:\ProgramData\kkwjbs\fhcge.exe start
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3560 -ip 3560
1⤵
PID:4372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4988

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\addressbook2x.dll",VTsaMTgzUQ==
2⤵
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.dll
Filesize
797KB

MD5
f974b1983e6fbdd3a284c072d5dd9eb1

SHA1
795f2f80d41d7aa0d07b35b4271a6042f93f66ba

SHA256
6f36f042885a2ce32472b83dcd41b94702e53b0efc5fbbf8c648c974731ed938

SHA512
a0237f7507e3f520fb8a2af70631658b5d5ce88d622009a4ee1e16221188e1d11cf349accb9815e256f949edc61dcad1cbe82146ca7dc867021074ed020a3878

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.dll
Filesize
797KB

MD5
f974b1983e6fbdd3a284c072d5dd9eb1

SHA1
795f2f80d41d7aa0d07b35b4271a6042f93f66ba

SHA256
6f36f042885a2ce32472b83dcd41b94702e53b0efc5fbbf8c648c974731ed938

SHA512
a0237f7507e3f520fb8a2af70631658b5d5ce88d622009a4ee1e16221188e1d11cf349accb9815e256f949edc61dcad1cbe82146ca7dc867021074ed020a3878

Download Submit
C:\ProgramData\kkwjbs\fhcge.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\kkwjbs\fhcge.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.wordmui.msi.16.en-us.xml
Filesize
77KB

MD5
50a33f3ee76c3f15703f82890efcc8c8

SHA1
b24e99bb702478edcbbda43f75457e5833abdc95

SHA256
77a2a4517a0c488c78bf9742e86de5af419d6c148346845d8b0f062d5f8a631a

SHA512
f14e224c1582476f09f969f1e29d5e2fa7855b22aa6b35682e264da0fc6cafdc1d62022dde5032206e1d973382604d9ccfa7495ebf90578a55c9c74bac1e606e

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\CiST0000.001
Filesize
64KB

MD5
2a1801484fed207d6469068f57a62214

SHA1
c12999e2fa101c6b6bb3a5f0e66f4e0c5b938d4e

SHA256
30c7988571781563e5e697f564b616750e354bcd69e9bf7a39e3854e4b7bec28

SHA512
a7e12254278e83710077d5cb3b8162cd74c4211147a6823afa8aa3c67cc3041e066b34e63bcf0cae9087177543c52871e67bac373db1b8ab3d5058ba9f3f41b4

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
2094f706e145587e44286d0656f45954

SHA1
4b4169005ee590bb2cb704e4b319789b168b0db0

SHA256
ce37a5efcd48da13c803a61cb44865dbcfd256a07e3def58bb36204e718db119

SHA512
92ca225bdec112c2615285637a65214711fb559343afa4881f2607e9a49c34aa6794ea059d18f4a191dac4e8aae47a91fe3ee6b75517cd9c1ad5f39ef83399a1

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.ECApp_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml
Filesize
2KB

MD5
13eb9cfbca43ebcd240e1fcff5acab4d

SHA1
5a0da86ab3f30905433677284eb843742f05afe5

SHA256
616d6a37866683e848fac3a17cecdea05e51da55420adcf947e40d062f587bb8

SHA512
256879b3d2c86ed4c3e8fccc8ffa09d11ae6eb6a2c9da4afa834f36b399752d7c46ceb638497cb28c48d874db0ccde15b73a22f1aa894b376aafd00f20b23352

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe.xml
Filesize
20KB

MD5
419d040255d3d92a74e19e346588ad4d

SHA1
4f005faf5b002a85a890a76900aec198b0b157ae

SHA256
43b225fa33b598526a7f3813c243575001643d3161ae55ecc9f62d5e2372e4f3

SHA512
9630665cbce8681653c14efb38cae9a28c9deaba7991596bac172e5bff4795c6f98f743b24d40d4abb79c3c07298333af2b559668528694bb8f8e063e1a377ed

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
6KB

MD5
d218cf550fbd777e789242cafb804d10

SHA1
05175dd84f05a7989944e48db6a811c297fa47e3

SHA256
8143763940b906ea93cd7288a08f251203d9f21da5282a6c20201ea7530df8c4

SHA512
9134ace4de9b6bae58b161af4ede7ca9b24bd396c6b1e24ec8301ecb90278bc8b61d7600be7248b2f35acc49b83fcd627045f18c61ee57a2da0e19d61330261d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2010Win64.xml
Filesize
71KB

MD5
490d1e0a28234dcd02db60d5a87f0691

SHA1
6edc0f7aa19150b49df1b96b5c6bbee036c0ef7a

SHA256
06ce8cb39081cd09df95911494f46ae85b27e37e4f83aa9c80b887bf69e87e22

SHA512
0ea4a0b0030371c031de694df115a284fa2d3a7697071072e2a7d83afbb60201313787e4d537a6111ba716e78d9dcfcac523633e2667bc00bbe1b125fb6641eb

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOutlook2013CAWin32.xml
Filesize
1KB

MD5
42acdf1f7faad8e138134083a57424bd

SHA1
f6b05b2eba7723ed2b61c698377053b05ee8eeb5

SHA256
91bcc8d78d76422bf8a162c10d96ce91435470d8601290ddcbe3216c3bb7009c

SHA512
ca976b96bb036d2a72a61f5d0da83de6e4deb694353ca57e3016124db4a041c3ba7391bb1f508e3fa010b0f412df2b71b3acbaa5ad99c189beace9fcc5193abb

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml
Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml
Filesize
3KB

MD5
2dd9bafcbda61d5d509e48086cd0a986

SHA1
821e66af11451535cdc249ec1493e5bca4d2cad2

SHA256
2da208b3e33831803c1b830244636ca3d6cbc54fdd7e4add03059795c169002e

SHA512
6f79656269570b309a5697b007245dff4983e6c20b9c3857ba1cc088ad4f7aec3b465e5fafc4f97b584cca88f6984ef90bbbdc499c20440f0f15da04ea79d528

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml
Filesize
1KB

MD5
09e877cc25ec3ade6e0d56000025e7ae

SHA1
fef683c766926d84804867a6a711c200e2ceb406

SHA256
995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92

SHA512
02b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\ringtones.ico
Filesize
50KB

MD5
8b30e7cbd25f178baac418e9b507b61e

SHA1
73c93d967571bb88b1bdf33477e7a5f758fc18e9

SHA256
0afa2eb896ffe20c5244dd191be791231c8b5b71eff200e75a3150a8e3296f30

SHA512
6b0ff7ff67cbb4c8611696273ee16fc5d57b53ea7869e0c97686583d7875faa65f04d7678017628a11420000f8bb869f6dca5fcbefb53b1824443fa73544944d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C4E.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C4E.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\85C.exe
Filesize
1.1MB

MD5
be1369ec379e0ec8dd84be3d5a26ac00

SHA1
ee6832ff5c366b22291778d8c314f0d4ec6b1225

SHA256
4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912

SHA512
4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171

Download Submit
C:\Users\Admin\AppData\Local\Temp\85C.exe
Filesize
1.1MB

MD5
be1369ec379e0ec8dd84be3d5a26ac00

SHA1
ee6832ff5c366b22291778d8c314f0d4ec6b1225

SHA256
4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912

SHA512
4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Roaming\ttsread
Filesize
218KB

MD5
fc5b8196fdcab0454747420f33347e53

SHA1
e6c81c9d28dfefaec07c60485776ca8299dbb83c

SHA256
eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1

SHA512
feee13743922d97a685db172f93aa300fcb1e1a44c814d51c46461a65c4aae57dce0c6288e227ba99003200c37ab32e70c3f5aa79ef4898d97199f2bd26553ac

Download Submit
C:\Users\Admin\AppData\Roaming\ttsread
Filesize
218KB

MD5
fc5b8196fdcab0454747420f33347e53

SHA1
e6c81c9d28dfefaec07c60485776ca8299dbb83c

SHA256
eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1

SHA512
feee13743922d97a685db172f93aa300fcb1e1a44c814d51c46461a65c4aae57dce0c6288e227ba99003200c37ab32e70c3f5aa79ef4898d97199f2bd26553ac

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\addressbook2x.dll
Filesize
797KB

MD5
f974b1983e6fbdd3a284c072d5dd9eb1

SHA1
795f2f80d41d7aa0d07b35b4271a6042f93f66ba

SHA256
6f36f042885a2ce32472b83dcd41b94702e53b0efc5fbbf8c648c974731ed938

SHA512
a0237f7507e3f520fb8a2af70631658b5d5ce88d622009a4ee1e16221188e1d11cf349accb9815e256f949edc61dcad1cbe82146ca7dc867021074ed020a3878

Download Submit
memory/676-132-0x0000000000799000-0x00000000007AA000-memory.dmp

Filesize
68KB

Download
memory/676-136-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/676-133-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/676-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/676-135-0x0000000000799000-0x00000000007AA000-memory.dmp

Filesize
68KB

Download
memory/732-193-0x0000000000000000-mapping.dmp

Download
memory/3560-177-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3560-146-0x0000000000000000-mapping.dmp

Download
memory/3560-151-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3560-149-0x0000000000709000-0x000000000071A000-memory.dmp

Filesize
68KB

Download
memory/3560-170-0x0000000000709000-0x000000000071A000-memory.dmp

Filesize
68KB

Download
memory/3560-150-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/3692-137-0x0000000000000000-mapping.dmp

Download
memory/3692-143-0x0000000002222000-0x0000000002311000-memory.dmp

Filesize
956KB

Download
memory/3692-144-0x0000000002320000-0x0000000002450000-memory.dmp

Filesize
1.2MB

Download
memory/3692-145-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3748-157-0x00000000051E0000-0x0000000005320000-memory.dmp

Filesize
1.2MB

Download
memory/3748-171-0x0000000006070000-0x0000000006795000-memory.dmp

Filesize
7.1MB

Download
memory/3748-159-0x00000000051E0000-0x0000000005320000-memory.dmp

Filesize
1.2MB

Download
memory/3748-153-0x0000000006070000-0x0000000006795000-memory.dmp

Filesize
7.1MB

Download
memory/3748-140-0x0000000000000000-mapping.dmp

Download
memory/3748-155-0x00000000051E0000-0x0000000005320000-memory.dmp

Filesize
1.2MB

Download
memory/3748-156-0x00000000051E0000-0x0000000005320000-memory.dmp

Filesize
1.2MB

Download
memory/3748-152-0x0000000006070000-0x0000000006795000-memory.dmp

Filesize
7.1MB

Download
memory/3748-154-0x00000000051E0000-0x0000000005320000-memory.dmp

Filesize
1.2MB

Download
memory/3748-163-0x0000000005259000-0x000000000525B000-memory.dmp

Filesize
8KB

Download
memory/3748-158-0x00000000051E0000-0x0000000005320000-memory.dmp

Filesize
1.2MB

Download
memory/4004-174-0x0000000000688000-0x0000000000698000-memory.dmp

Filesize
64KB

Download
memory/4004-176-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4004-175-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4412-172-0x0000000000742000-0x0000000000753000-memory.dmp

Filesize
68KB

Download
memory/4412-173-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4676-165-0x00000221263D0000-0x00000221265FA000-memory.dmp

Filesize
2.2MB

Download
memory/4676-164-0x0000000000FF0000-0x0000000001209000-memory.dmp

Filesize
2.1MB

Download
memory/4676-162-0x0000022127DA0000-0x0000022127EE0000-memory.dmp

Filesize
1.2MB

Download
memory/4676-161-0x0000022127DA0000-0x0000022127EE0000-memory.dmp

Filesize
1.2MB

Download
memory/4676-160-0x00007FF7167E6890-mapping.dmp

Download
memory/4988-181-0x00000000038C0000-0x0000000003FE5000-memory.dmp

Filesize
7.1MB

Download
memory/4988-195-0x00000000038C0000-0x0000000003FE5000-memory.dmp

Filesize
7.1MB

Download