danabot | 618eb7d2b5bd2e32203d01e076ce78fb580f4af7a3a417ec800d8d726b333df3

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

216KB
MD5

0f72a0242a1cfa4af571328687d73b90
SHA1

1b3af5d6e9ca50592211e3a29e65a1c7817c6e5e
SHA256

618eb7d2b5bd2e32203d01e076ce78fb580f4af7a3a417ec800d8d726b333df3
SHA512

0b318e94d76d660673bb0ebc4440889e48eea1be3df08a176190dbc3efefbfbf6bbf53a7f035c7f0fa7d4b40d829bcf0308eb04a40e7cdb8dcba28ed056228f5
SSDEEP

3072:9mDhL7HoV5Kzo8XKC0z77KeYGe5+hx7szW7b/zNHCDml:AdLTHzTaz77KeeK6S5Ca

Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3440-133-0x00000000004E0000-0x00000000004E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

40 3652 rundll32.exe
45 3652 rundll32.exe
62 3652 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

E786.exesswrrcb

pid process

4436 E786.exe
2676 sswrrcb

flow	pid	process
40	3652	rundll32.exe
45	3652	rundll32.exe
62	3652	rundll32.exe

pid	process
4436	E786.exe
2676	sswrrcb

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\stop_collection_data.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService䨀"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

3652 rundll32.exe
1240 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3652	rundll32.exe
1240	svchost.exe

Drops file in Program Files directory 26 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reader_sl.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Protect_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stop_collection_data.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Close2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4908 4436 WerFault.exe E786.exe

pid	pid_target	process	target process
4908	4436	WerFault.exe	E786.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exesswrrcb

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sswrrcb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sswrrcb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sswrrcb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
3440	file.exe
3440	file.exe
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2628
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exesswrrcb

pid process

3440 file.exe
2676 sswrrcb
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2628
Token: SeCreatePagefilePrivilege 2628

pid	process
2628

description	pid	process
Token: SeShutdownPrivilege	2628
Token: SeCreatePagefilePrivilege	2628

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

E786.exe

description	pid	process	target process
PID 2628 wrote to memory of 4436	2628		E786.exe
PID 2628 wrote to memory of 4436	2628		E786.exe
PID 2628 wrote to memory of 4436	2628		E786.exe
PID 4436 wrote to memory of 3652	4436	E786.exe	rundll32.exe
PID 4436 wrote to memory of 3652	4436	E786.exe	rundll32.exe
PID 4436 wrote to memory of 3652	4436	E786.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3440

C:\Users\Admin\AppData\Local\Temp\E786.exe
C:\Users\Admin\AppData\Local\Temp\E786.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
PID:3652

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
3⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 556
2⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4436 -ip 4436
1⤵
PID:5000

C:\Users\Admin\AppData\Roaming\sswrrcb
C:\Users\Admin\AppData\Roaming\sswrrcb
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2676

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
PID:1240

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\stop_collection_data.dll",bBVXcVlsSVdR
2⤵
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\stop_collection_data.dll
Filesize
797KB

MD5
e0d1e0ebf1d0984357037aae57fa19fd

SHA1
0b866ea0b917481fde547bea710ff9a7522f9e08

SHA256
8c0fe5c4827e6e1c959e35c1e33b1bf86f276adbf21351d97cd820593bd4b487

SHA512
6467571037bcc76f041d747e5d9ace4b1ae91301cbfb97bad55e0da99c0285c49c100004333987d7054d068dfc51adbe29ccecf0e6721d94262e7c02faa9d59a

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\stop_collection_data.dll
Filesize
797KB

MD5
e0d1e0ebf1d0984357037aae57fa19fd

SHA1
0b866ea0b917481fde547bea710ff9a7522f9e08

SHA256
8c0fe5c4827e6e1c959e35c1e33b1bf86f276adbf21351d97cd820593bd4b487

SHA512
6467571037bcc76f041d747e5d9ace4b1ae91301cbfb97bad55e0da99c0285c49c100004333987d7054d068dfc51adbe29ccecf0e6721d94262e7c02faa9d59a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\AirSpace.Etw.man
Filesize
412KB

MD5
39e5270caae15015c8203fec413669c7

SHA1
f44f5617f2bc496fb497a1e8ad13997ccecf0f6d

SHA256
2e6cbfc09039d76897eaf701179ba2011d2ea134ca8b6c6e9792a0843006a5f1

SHA512
9bdab6d4cea87cd1172a77554c0059dbd5f7f29ca754e4ed21aa99bc4b16f40fc28e32c81f0ab3ea49158c12cc6c5318a81bd942b916c0b1241b2c6818b2657a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
8c98f951c66074d9810d55dcaa90a177

SHA1
950357da8b72af9a9cc9675b107604bb68ede633

SHA256
2d926ee6c111c525890b8ebfa320fbe5096ec9521529353cc2c6baea439639e0

SHA512
70de0a50c7d28c0828d002b781d27691e1f8bfd2b569e10d624d1c191a0f686ad4d9b01484672d6a773a652d8914b2ee62018a47e038f0657eed60d5892c4537

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.ECApp_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml
Filesize
2KB

MD5
13eb9cfbca43ebcd240e1fcff5acab4d

SHA1
5a0da86ab3f30905433677284eb843742f05afe5

SHA256
616d6a37866683e848fac3a17cecdea05e51da55420adcf947e40d062f587bb8

SHA512
256879b3d2c86ed4c3e8fccc8ffa09d11ae6eb6a2c9da4afa834f36b399752d7c46ceb638497cb28c48d874db0ccde15b73a22f1aa894b376aafd00f20b23352

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
820B

MD5
a8664f5906d9060a0a87bc01e35179bb

SHA1
1bbbc9f10431d2941805907a8a6d4009f4e2938c

SHA256
a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309

SHA512
389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
26KB

MD5
26b4cb86e7313855e188214dfee0abe4

SHA1
c4488e4c3c91bb6bd49cc3e68d9fce83c59f8422

SHA256
d182821a1030c629318d6e379cba49ac00db7a2b6aab70a3d245f7418ef490bc

SHA512
78dd7247c0fd372bc146562f46dd453aaa9fc3e4a49fb669240f76bd90249534bf6ca660058bf854eb4c05170a2e2ddabc0813223b61f09f0673fb3939f6f2b1

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftNotepad.xml
Filesize
957B

MD5
06f405331f1f99bd455f4afa7b8ee0cc

SHA1
815d8d81c01208aef4bc1a0048b2d4f4171b26f6

SHA256
b752d2c5a3c66c338fd6cd92224d5995be0eac8fd47092b8cd6ea2cc28a5e790

SHA512
a2a771f97346a5db7ee8e948cba2c9e223848e1c395eb335a6e3609739c125e0414e7a254f5ac81ca4a28b04cf4e631ee69edaaf24ef534b96c01c30f96c3a2c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Windows.jfm
Filesize
16KB

MD5
0038c90112a3e94c27bc88839e13c254

SHA1
0bd10b12e4f2ad7ca5658d073411bb6afa2ee1de

SHA256
6f7a587c68234ca1995d98b82dba1a8ab84a58c69d5c298bbdd40f8ee75b75d1

SHA512
bc991dcc5518018b051c11a8f92758d53dbb6105d31551325a7b4fc1cb35b82e1fb7ad675fe81bdca165578df4d7ad2e0b413d009f65ed2d47ad399e90a3d906

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\superbar.png
Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\utc.privacy.json
Filesize
31B

MD5
4870433b19757ef8721b38acf2baa272

SHA1
d9def40343d41a6a80e936fc12db58ebb3e3fdb8

SHA256
cf39cf82fe54738a64f566a0f947ddabf90b7af56a899596fb34dca2a67ddfbc

SHA512
79c72e2c4d8a8538879f11c09877f78ea363ee28f70da66cae50a3372e600a1939372945dc4542a5ee649c18adb5e7d1129fc97635d48c165737193f8b682550

Download Submit
C:\Users\Admin\AppData\Local\Temp\E786.exe
Filesize
1.1MB

MD5
4c218215518e8bb6e9b02894ea2f3e46

SHA1
b8c23cf7863abcc30bc79191f609c9ee4f9f33d2

SHA256
03ac48aee2955b42f75b62c563887341a4157e910925e89e6fd6aed32595e1cb

SHA512
9d58653c1c6338bf5323ecf6db0f7c362e60c820ab84d3483b324179588d3261c6479a60cc9bcc1f5d5875e7a7fa1e061a69f9a26b61f358f8d576f5db457b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\E786.exe
Filesize
1.1MB

MD5
4c218215518e8bb6e9b02894ea2f3e46

SHA1
b8c23cf7863abcc30bc79191f609c9ee4f9f33d2

SHA256
03ac48aee2955b42f75b62c563887341a4157e910925e89e6fd6aed32595e1cb

SHA512
9d58653c1c6338bf5323ecf6db0f7c362e60c820ab84d3483b324179588d3261c6479a60cc9bcc1f5d5875e7a7fa1e061a69f9a26b61f358f8d576f5db457b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Roaming\sswrrcb
Filesize
216KB

MD5
0f72a0242a1cfa4af571328687d73b90

SHA1
1b3af5d6e9ca50592211e3a29e65a1c7817c6e5e

SHA256
618eb7d2b5bd2e32203d01e076ce78fb580f4af7a3a417ec800d8d726b333df3

SHA512
0b318e94d76d660673bb0ebc4440889e48eea1be3df08a176190dbc3efefbfbf6bbf53a7f035c7f0fa7d4b40d829bcf0308eb04a40e7cdb8dcba28ed056228f5

Download Submit
C:\Users\Admin\AppData\Roaming\sswrrcb
Filesize
216KB

MD5
0f72a0242a1cfa4af571328687d73b90

SHA1
1b3af5d6e9ca50592211e3a29e65a1c7817c6e5e

SHA256
618eb7d2b5bd2e32203d01e076ce78fb580f4af7a3a417ec800d8d726b333df3

SHA512
0b318e94d76d660673bb0ebc4440889e48eea1be3df08a176190dbc3efefbfbf6bbf53a7f035c7f0fa7d4b40d829bcf0308eb04a40e7cdb8dcba28ed056228f5

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\stop_collection_data.dll
Filesize
797KB

MD5
e0d1e0ebf1d0984357037aae57fa19fd

SHA1
0b866ea0b917481fde547bea710ff9a7522f9e08

SHA256
8c0fe5c4827e6e1c959e35c1e33b1bf86f276adbf21351d97cd820593bd4b487

SHA512
6467571037bcc76f041d747e5d9ace4b1ae91301cbfb97bad55e0da99c0285c49c100004333987d7054d068dfc51adbe29ccecf0e6721d94262e7c02faa9d59a

Download Submit
memory/1240-169-0x00000000039F0000-0x0000000004115000-memory.dmp

Filesize
7.1MB

Download
memory/1240-158-0x00000000039F0000-0x0000000004115000-memory.dmp

Filesize
7.1MB

Download
memory/2676-152-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2676-150-0x0000000000703000-0x0000000000714000-memory.dmp

Filesize
68KB

Download
memory/2676-151-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2964-171-0x0000000003F30000-0x0000000004655000-memory.dmp

Filesize
7.1MB

Download
memory/2964-170-0x0000000003F30000-0x0000000004655000-memory.dmp

Filesize
7.1MB

Download
memory/2964-167-0x0000000000000000-mapping.dmp

Download
memory/3440-135-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3440-134-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3440-133-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/3440-132-0x0000000000603000-0x0000000000614000-memory.dmp

Filesize
68KB

Download
memory/3652-174-0x00000000048B0000-0x00000000049F0000-memory.dmp

Filesize
1.2MB

Download
memory/3652-153-0x00000000048B0000-0x00000000049F0000-memory.dmp

Filesize
1.2MB

Download
memory/3652-175-0x00000000048B0000-0x00000000049F0000-memory.dmp

Filesize
1.2MB

Download
memory/3652-146-0x0000000004C50000-0x0000000005375000-memory.dmp

Filesize
7.1MB

Download
memory/3652-145-0x0000000004C50000-0x0000000005375000-memory.dmp

Filesize
7.1MB

Download
memory/3652-147-0x0000000004C50000-0x0000000005375000-memory.dmp

Filesize
7.1MB

Download
memory/3652-173-0x0000000006650000-0x0000000006790000-memory.dmp

Filesize
1.2MB

Download
memory/3652-172-0x0000000006650000-0x0000000006790000-memory.dmp

Filesize
1.2MB

Download
memory/3652-154-0x00000000048B0000-0x00000000049F0000-memory.dmp

Filesize
1.2MB

Download
memory/3652-139-0x0000000000000000-mapping.dmp

Download
memory/4436-144-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4436-143-0x00000000022E0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/4436-142-0x0000000000814000-0x0000000000902000-memory.dmp

Filesize
952KB

Download
memory/4436-136-0x0000000000000000-mapping.dmp

Download
memory/4776-176-0x00007FF690596890-mapping.dmp

Download
memory/4776-177-0x0000023B32710000-0x0000023B32850000-memory.dmp

Filesize
1.2MB

Download
memory/4776-178-0x0000023B32710000-0x0000023B32850000-memory.dmp

Filesize
1.2MB

Download
memory/4776-179-0x0000000000440000-0x0000000000659000-memory.dmp

Filesize
2.1MB

Download
memory/4776-180-0x0000023B32880000-0x0000023B32AAA000-memory.dmp

Filesize
2.2MB

Download