danabot | 58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

Analysis

max time kernel
133s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe
Size

1.1MB
MD5

5da677383072aa1b16364c5d580414f2
SHA1

4e9cc6e2e72453eac12712f5306595ba4d1f4e43
SHA256

58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e
SHA512

ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76
SSDEEP

24576:dTiahP6tMNEBezImabtZrx4VzPDWDs6VAmre:0tMNE0zImaz94tPDWDs6ym6

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

10 1952 rundll32.exe
12 1952 rundll32.exe
43 1952 rundll32.exe
269 1952 rundll32.exe

flow	pid	process
10	1952	rundll32.exe
12	1952	rundll32.exe
43	1952	rundll32.exe
269	1952	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reflow\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\reflow.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reflow\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reflow\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService䨀"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1952 rundll32.exe
2616 svchost.exe
392 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1952 set thread context of 628 1952 rundll32.exe rundll32.exe

pid	process
1952	rundll32.exe
2616	svchost.exe
392	rundll32.exe

description	pid	process	target process
PID 1952 set thread context of 628	1952	rundll32.exe	rundll32.exe

Drops file in Program Files directory 35 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reflow.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroSup64.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icucnv40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\COPYING.LGPLv2.1.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DarkTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\weblink.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\end_review.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

732 1776 WerFault.exe 58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe

pid	pid_target	process	target process
732	1776	WerFault.exe	58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe

Checks processor information in registry 2 TTPs 40 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

2616 svchost.exe
2616 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1952 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

628 rundll32.exe

pid	process
2616	svchost.exe
2616	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1952	rundll32.exe

pid	process
628	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exerundll32.exesvchost.exe

description	pid	process	target process
PID 1776 wrote to memory of 1952	1776	58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe	rundll32.exe
PID 1776 wrote to memory of 1952	1776	58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe	rundll32.exe
PID 1776 wrote to memory of 1952	1776	58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe	rundll32.exe
PID 1952 wrote to memory of 628	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 628	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 628	1952	rundll32.exe	rundll32.exe
PID 2616 wrote to memory of 392	2616	svchost.exe	rundll32.exe
PID 2616 wrote to memory of 392	2616	svchost.exe	rundll32.exe
PID 2616 wrote to memory of 392	2616	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe
"C:\Users\Admin\AppData\Local\Temp\58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:628

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3200

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 536
2⤵
- Program crash
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1776 -ip 1776
1⤵
PID:2504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\reflow.dll",FRIDS294
2⤵
- Loads dropped DLL
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\reflow.dll
Filesize
797KB

MD5
912324bf2145596d64821ea237c8b490

SHA1
424d8daa66f13214b4ba5c4b09883ffd67bc9d39

SHA256
9224950c527a50b6e5012ffdc91ba16c5f7a620fa78de5c77a437d6771e0e08b

SHA512
1b428be396630a837bf2fed36c95db4d4736745ebac812bf4851d41ae52fefe7c1d649e22f7a0eac8994649c0bf16d5129e3f0dd43f8421aecd137c8fef0a496

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\reflow.dll
Filesize
797KB

MD5
912324bf2145596d64821ea237c8b490

SHA1
424d8daa66f13214b4ba5c4b09883ffd67bc9d39

SHA256
9224950c527a50b6e5012ffdc91ba16c5f7a620fa78de5c77a437d6771e0e08b

SHA512
1b428be396630a837bf2fed36c95db4d4736745ebac812bf4851d41ae52fefe7c1d649e22f7a0eac8994649c0bf16d5129e3f0dd43f8421aecd137c8fef0a496

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
1f8001c5a3ab09524c8185d2657e471c

SHA1
2297cd6ba695d3fa72f2a70a7db95f2e241116ab

SHA256
c8c2ac11232a448dd5d78c34752f56b8f5b8e18fe79b3176fdd88759d5b703d5

SHA512
d038b9b97a96b267684ba1a7d2458ddf63d3fd3ea8c58a213b5085196da9c7001fe1dbadfc75d2364befc09c9618c133b331ed487fcb043b6a923f3951be0b37

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
326a2e8d3d11468fa4842d612161e48d

SHA1
784d09a92081e7673354bf96578181b3a3c44a52

SHA256
fc79383f62cf6ff7913dfbd755ed3f2f2feb4e6746a7ec77ee6592cab6248075

SHA512
581c6a3f0f0c1ccd2ae9f7a6fc7413d6c3b5305ab3b526c90147b4202d31cf41a6d252d34d1d465d90300a84588c1d96c00103f2a61525ed0bcefaee3344e572

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
326a2e8d3d11468fa4842d612161e48d

SHA1
784d09a92081e7673354bf96578181b3a3c44a52

SHA256
fc79383f62cf6ff7913dfbd755ed3f2f2feb4e6746a7ec77ee6592cab6248075

SHA512
581c6a3f0f0c1ccd2ae9f7a6fc7413d6c3b5305ab3b526c90147b4202d31cf41a6d252d34d1d465d90300a84588c1d96c00103f2a61525ed0bcefaee3344e572

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe.xml
Filesize
22KB

MD5
e0deca52ec488a29758550b78fa3b719

SHA1
188ae9939a0875f11a611ee7d8604c7a348bc0d2

SHA256
9337e81fdc5c57705e3c587ce9bf99bc176e127acd2539eb6a18c3a6c2b87816

SHA512
ce84157a418fa8b2d5b576da37796b323b8d2a5e8af6e9651c23ecfb1a32dc0f65872d2919f148c5deaed4acd5b4336767fd949fd98ab2aafbf36abaeca863f3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
7KB

MD5
e585657cf3525fd22dad5e2409eb9e60

SHA1
1c0b9d97bb93098e1d8a162b9725a0d6134dc913

SHA256
581fd3d9aa551599bd691b5b23cdc51c48f7f3a65955adf1e1d0fef0a8cfb8b8

SHA512
601c03a19bb0d1170db8c3a05ff4a38d209e2ec53426b2048362504b75e3971f40480afd118cd741a52e69ba5a55c61dd4cc488f335be3d67584982009392ced

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.xml
Filesize
1KB

MD5
c1e304a57b77d96dbac8ca07849f9b86

SHA1
76a2051cdd63b97419d076ee3e0972c7b11ee10c

SHA256
28bf7f3525db4ecacb36705ff7d30bee209ff200a15178bae8a2f0f27f7058b8

SHA512
86b48ef3207a257799b9d9c0e23859391dd3c5984e30d4fa761bc8853bbcc8b37193ab4bdb95b7dd36906ebdd8ad83f29811d9c76675f93f261d9d0cf7a26662

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOutlook2013CAWin32.xml
Filesize
1KB

MD5
42acdf1f7faad8e138134083a57424bd

SHA1
f6b05b2eba7723ed2b61c698377053b05ee8eeb5

SHA256
91bcc8d78d76422bf8a162c10d96ce91435470d8601290ddcbe3216c3bb7009c

SHA512
ca976b96bb036d2a72a61f5d0da83de6e4deb694353ca57e3016124db4a041c3ba7391bb1f508e3fa010b0f412df2b71b3acbaa5ad99c189beace9fcc5193abb

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOutlook2013CAWin64.xml
Filesize
1KB

MD5
880227fa1e5c41f3a7ea11e13f156de7

SHA1
042b7a68c2b3c588522edd750209bb4576638991

SHA256
c7f9df2f4c59a9f856761c82d28874f752cad8bdca8102bff4ff41c514f0b9fc

SHA512
caa06d82bb2e828e4e08fcca96c4b789b31611864b827ae9468e9dfbadbe10a48ae366d3d96bf92567f41d0c6792986363a0dfa6564332296fe1c111ffef4f30

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\guest.png
Filesize
5KB

MD5
d7ee4543371744836d520e0ce24a9ee6

SHA1
a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0

SHA256
98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9

SHA512
e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml
Filesize
1KB

MD5
09e877cc25ec3ade6e0d56000025e7ae

SHA1
fef683c766926d84804867a6a711c200e2ceb406

SHA256
995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92

SHA512
02b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\scan_settings.ico
Filesize
62KB

MD5
8f6abfe0c274c41c3ad3c1becf2317f5

SHA1
6dc69b46e569ca11e3ec081293df69a6d115674c

SHA256
d660f44fb7efbfdcec4cba821fea1be0977e3f66cc709b313edf9ead575994a5

SHA512
ed474a6d52df65b5bf7a1bd81d54458a1258571f16b28ce043189815bf6dc57c49cb31c6f48fed9791de6b69f93331282a0c6e76e54d488ddad7e30d2333a1b2

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\sync.ico
Filesize
48KB

MD5
d1c012ba7049a4525a89b26c846ce0d3

SHA1
769fccd1ed39b3b6ce1ec6e44f096107b4375c58

SHA256
fce3d2b3ca14bbb41fcb8956ef80af38976f4c32787cc1ac3cc1e465ce0453cc

SHA512
538b3c161e3192d3cb8b78f0fb5f863ae84d04a9f236a876e5002a90189cb4b5beea496aefb444de2dd9ea45d1f530359b38d6a45f3260d1d14924bd31918dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\reflow.dll
Filesize
797KB

MD5
912324bf2145596d64821ea237c8b490

SHA1
424d8daa66f13214b4ba5c4b09883ffd67bc9d39

SHA256
9224950c527a50b6e5012ffdc91ba16c5f7a620fa78de5c77a437d6771e0e08b

SHA512
1b428be396630a837bf2fed36c95db4d4736745ebac812bf4851d41ae52fefe7c1d649e22f7a0eac8994649c0bf16d5129e3f0dd43f8421aecd137c8fef0a496

Download Submit
memory/392-174-0x0000000003E70000-0x0000000004595000-memory.dmp

Filesize
7.1MB

Download
memory/392-173-0x0000000003E70000-0x0000000004595000-memory.dmp

Filesize
7.1MB

Download
memory/392-171-0x0000000000000000-mapping.dmp

Download
memory/628-147-0x00007FF744736890-mapping.dmp

Download
memory/628-151-0x0000000000230000-0x0000000000449000-memory.dmp

Filesize
2.1MB

Download
memory/628-152-0x0000023DBE550000-0x0000023DBE77A000-memory.dmp

Filesize
2.2MB

Download
memory/628-149-0x0000023DBFF20000-0x0000023DC0060000-memory.dmp

Filesize
1.2MB

Download
memory/628-148-0x0000023DBFF20000-0x0000023DC0060000-memory.dmp

Filesize
1.2MB

Download
memory/1776-135-0x00000000006D7000-0x00000000007C5000-memory.dmp

Filesize
952KB

Download
memory/1776-136-0x0000000002290000-0x00000000023C0000-memory.dmp

Filesize
1.2MB

Download
memory/1776-137-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1952-143-0x0000000005280000-0x00000000053C0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-144-0x00000000052F9000-0x00000000052FB000-memory.dmp

Filesize
8KB

Download
memory/1952-145-0x0000000005280000-0x00000000053C0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-150-0x00000000052F9000-0x00000000052FB000-memory.dmp

Filesize
8KB

Download
memory/1952-142-0x0000000005280000-0x00000000053C0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-141-0x0000000005280000-0x00000000053C0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-140-0x0000000005280000-0x00000000053C0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-139-0x0000000006110000-0x0000000006835000-memory.dmp

Filesize
7.1MB

Download
memory/1952-138-0x0000000006110000-0x0000000006835000-memory.dmp

Filesize
7.1MB

Download
memory/1952-146-0x0000000005280000-0x00000000053C0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-153-0x0000000006110000-0x0000000006835000-memory.dmp

Filesize
7.1MB

Download
memory/1952-132-0x0000000000000000-mapping.dmp

Download
memory/2616-157-0x0000000003800000-0x0000000003F25000-memory.dmp

Filesize
7.1MB

Download
memory/2616-158-0x0000000003800000-0x0000000003F25000-memory.dmp

Filesize
7.1MB

Download
memory/2616-177-0x0000000003800000-0x0000000003F25000-memory.dmp

Filesize
7.1MB

Download
memory/3200-175-0x0000000000000000-mapping.dmp

Download
memory/3644-176-0x0000000000000000-mapping.dmp

Download