danabot | 37397d4daba951caf74ad3438dfaf81709fbb8e37df7f441ae38c515418ff0c9

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

220KB
MD5

10284282f79b91bed875fde9f063739d
SHA1

e10112f1ae9bf0eb94ec12446a3bb42f355834c1
SHA256

37397d4daba951caf74ad3438dfaf81709fbb8e37df7f441ae38c515418ff0c9
SHA512

8b47b8cc64b1a6f86b5f5032cdba44b974186e8c1e55034b4568f782d250927ded315889b831102f501d6df39e018d0c3b8802a739ddd5d29c9600a31e3cc078
SSDEEP

3072:tLk7LiGf115+wMmmxBnYgdTb1T1EqeIVk2B1V7b/H4uNHCDml:l6LiGfgVX9Jflkyf4sCa

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4388-134-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

39 4456 rundll32.exe
56 4456 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

3B9.exe

pid process

4196 3B9.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4456 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4456 set thread context of 1796 4456 rundll32.exe rundll32.exe

flow	pid	process
39	4456	rundll32.exe
56	4456	rundll32.exe

pid	process
4196	3B9.exe

pid	process
4456	rundll32.exe

description	pid	process	target process
PID 4456 set thread context of 1796	4456	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.sig	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-default.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4340 4196 WerFault.exe 3B9.exe

pid	pid_target	process	target process
4340	4196	WerFault.exe	3B9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009555771c100054656d7000003a0009000400efbe6b558a6c95557c1c2e00000000000000000000000000000000000000000000000000a877df00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2480

pid	process
2480

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4388	file.exe
4388	file.exe
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2480
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

4388 file.exe

pid	process
2480

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480
Token: SeShutdownPrivilege	2480
Token: SeCreatePagefilePrivilege	2480

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1796 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2480
2480

pid	process
1796	rundll32.exe

pid	process
2480
2480

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3B9.exerundll32.exe

description	pid	process	target process
PID 2480 wrote to memory of 4196	2480		3B9.exe
PID 2480 wrote to memory of 4196	2480		3B9.exe
PID 2480 wrote to memory of 4196	2480		3B9.exe
PID 4196 wrote to memory of 4456	4196	3B9.exe	rundll32.exe
PID 4196 wrote to memory of 4456	4196	3B9.exe	rundll32.exe
PID 4196 wrote to memory of 4456	4196	3B9.exe	rundll32.exe
PID 4456 wrote to memory of 1796	4456	rundll32.exe	rundll32.exe
PID 4456 wrote to memory of 1796	4456	rundll32.exe	rundll32.exe
PID 4456 wrote to memory of 1796	4456	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4388

C:\Users\Admin\AppData\Local\Temp\3B9.exe
C:\Users\Admin\AppData\Local\Temp\3B9.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 528
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4196 -ip 4196
1⤵
PID:4540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:1936

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\back-arrow-default.dll",XCU3aFZB
2⤵
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-default.dll
Filesize
797KB

MD5
5d7e190668edc0a6698cfad6a18afa58

SHA1
9e35f54fc9c1b4b36c4d29c3158244e3b561e926

SHA256
6d886a5386770f3c33039943dd20817f03362a755419dbc09aa0c3c10767aec1

SHA512
99391bd169b58777fbe6c0b60d4d0cb8fda4baa0f00509846d36bca5a32e054da018e46e58b85c27a00cdfedf0b527ded36b28fc6055ed66c62084e10375a065

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-default.dll
Filesize
797KB

MD5
5d7e190668edc0a6698cfad6a18afa58

SHA1
9e35f54fc9c1b4b36c4d29c3158244e3b561e926

SHA256
6d886a5386770f3c33039943dd20817f03362a755419dbc09aa0c3c10767aec1

SHA512
99391bd169b58777fbe6c0b60d4d0cb8fda4baa0f00509846d36bca5a32e054da018e46e58b85c27a00cdfedf0b527ded36b28fc6055ed66c62084e10375a065

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\EventStore.db
Filesize
32KB

MD5
4e40dbba4bf3ea44a50ff74457aaf232

SHA1
1b79ebb121abfb9c431852f0f783dfd89ec19f01

SHA256
0580713efb76985a3b2157d6f0b08665f8084243caad401a1faf53900564f935

SHA512
0fbd8723391dfc132e24068c2c79094cc788cd9e996eac81f07f7c6c44904cc483eedb4a6ae116cdbff8d35b769179635a71ef1a95882a356ce73e56f10a2790

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
6b958c4a39a289fb50d1be3c67790743

SHA1
cc5d65de72ef80f940f34349fd8edb6a123f2ff0

SHA256
e347fda5fe266ffc80eb6a8b0f42a8d760e24a9163b68268fea075bdff84238d

SHA512
0d7f833d427d5330aaf2f85943db12d82923bc522d85e93d80dbc65539f8710966715d5f330ba6701449ca788971a84bf7605bc7263ee0793021a0eaeb956044

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
843B

MD5
72d7dc9f57f3487a99e2f05c06274c28

SHA1
ba789a0e8174327b30443f5b7131228f4ad40cf0

SHA256
dae20c31fd2cd68389b40f99cb7791c8d79d8d8aca2c417d90713ad6c926471f

SHA512
aa15897d32ee44cbb2a8d9dfbdbf32b7a6885150ca8fb5c715020310385e6f889612f80eb452ec73d444fdf03fef7eb920fe586662c2185c93a695e72d56362c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\print_queue.ico
Filesize
55KB

MD5
0f3c6d90637f0fdc57b1d303cf8d76cd

SHA1
91cef4325b363b31e4555302a70321a2110b51cf

SHA256
4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261

SHA512
6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\scan_.ico
Filesize
59KB

MD5
a161b3f9fd62c3931fbd79512810cffa

SHA1
a63f1d8945b983356b66819b3aa5b0bd409995e4

SHA256
d3ba9eecc5e87b384242385078846cff82051194887ce2d7343bb7b60e7a26d7

SHA512
f07776d386a39b20e3721b7450248e458ecd6f477197028aa42e2ab6a2731a002170a5415fb02fadac40b1b97acee3b5064ff76606ba2bcc14f7e7b674524299

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\setup.ini
Filesize
214B

MD5
d8b2e1bfe12db863bdccdd49a5e1c8b5

SHA1
9c979907f03887b270d4e87b0cdd5377cff3692c

SHA256
00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301

SHA512
3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B9.exe
Filesize
1.1MB

MD5
7e9ce657b646e0ecff706bf6680061f0

SHA1
8f576b573c55ba4b3a36b495e9ab0361270b0fd7

SHA256
f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9

SHA512
360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B9.exe
Filesize
1.1MB

MD5
7e9ce657b646e0ecff706bf6680061f0

SHA1
8f576b573c55ba4b3a36b495e9ab0361270b0fd7

SHA256
f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9

SHA512
360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\back-arrow-default.dll
Filesize
797KB

MD5
5d7e190668edc0a6698cfad6a18afa58

SHA1
9e35f54fc9c1b4b36c4d29c3158244e3b561e926

SHA256
6d886a5386770f3c33039943dd20817f03362a755419dbc09aa0c3c10767aec1

SHA512
99391bd169b58777fbe6c0b60d4d0cb8fda4baa0f00509846d36bca5a32e054da018e46e58b85c27a00cdfedf0b527ded36b28fc6055ed66c62084e10375a065

Download Submit
memory/1796-156-0x00000276764C0000-0x0000027676600000-memory.dmp

Filesize
1.2MB

Download
memory/1796-157-0x00000276764C0000-0x0000027676600000-memory.dmp

Filesize
1.2MB

Download
memory/1796-160-0x0000027674AF0000-0x0000027674D1A000-memory.dmp

Filesize
2.2MB

Download
memory/1796-155-0x00007FF701756890-mapping.dmp

Download
memory/1796-159-0x0000000000740000-0x0000000000959000-memory.dmp

Filesize
2.1MB

Download
memory/1936-165-0x0000000003530000-0x0000000003C55000-memory.dmp

Filesize
7.1MB

Download
memory/4196-142-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/4196-141-0x0000000002300000-0x0000000002430000-memory.dmp

Filesize
1.2MB

Download
memory/4196-140-0x0000000000865000-0x0000000000954000-memory.dmp

Filesize
956KB

Download
memory/4196-137-0x0000000000000000-mapping.dmp

Download
memory/4196-146-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/4388-136-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4388-135-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4388-134-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4388-133-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/4456-143-0x0000000000000000-mapping.dmp

Download
memory/4456-161-0x00000000061D0000-0x00000000068F5000-memory.dmp

Filesize
7.1MB

Download
memory/4456-158-0x0000000004F99000-0x0000000004F9B000-memory.dmp

Filesize
8KB

Download
memory/4456-154-0x0000000004F20000-0x0000000005060000-memory.dmp

Filesize
1.2MB

Download
memory/4456-153-0x0000000004F20000-0x0000000005060000-memory.dmp

Filesize
1.2MB

Download
memory/4456-152-0x0000000004F20000-0x0000000005060000-memory.dmp

Filesize
1.2MB

Download
memory/4456-151-0x0000000004F20000-0x0000000005060000-memory.dmp

Filesize
1.2MB

Download
memory/4456-150-0x0000000004F20000-0x0000000005060000-memory.dmp

Filesize
1.2MB

Download
memory/4456-149-0x0000000004F20000-0x0000000005060000-memory.dmp

Filesize
1.2MB

Download
memory/4456-148-0x00000000061D0000-0x00000000068F5000-memory.dmp

Filesize
7.1MB

Download
memory/4456-147-0x00000000061D0000-0x00000000068F5000-memory.dmp

Filesize
7.1MB

Download
memory/4620-171-0x0000000000000000-mapping.dmp

Download
memory/4620-173-0x0000000003FE0000-0x0000000004705000-memory.dmp

Filesize
7.1MB

Download