danabot | f380226c6bc0023ecad559e1e7fca052c21d26630130fa598c04f495737bc60e

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

219KB
MD5

af89a5eddc4439ca0935391a6632b04d
SHA1

949f47250dab6df77ac228ef7611b5552b97f64f
SHA256

f380226c6bc0023ecad559e1e7fca052c21d26630130fa598c04f495737bc60e
SHA512

052473a2505fec50c3ec33fdbc628833039a3f9d211d177017fb88c0f9c76c1158eda8877fc97c64017f46f01aa8acbf9bf7850463fb8a8107d6e2cad95389ec
SSDEEP

3072:H16AdgLSdU15hsk/rEEAomp5bpS7njMTROL1TW8zkqWzgKr/so:wASLwb0mPbejlBTWEkqWzz/

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/904-133-0x00000000005B0000-0x00000000005B9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

50 1332 rundll32.exe
53 1332 rundll32.exe
61 1332 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

4C1C.exe

pid process

1684 4C1C.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1332 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1332 set thread context of 3948 1332 rundll32.exe rundll32.exe

flow	pid	process
50	1332	rundll32.exe
53	1332	rundll32.exe
61	1332	rundll32.exe

pid	process
1684	4C1C.exe

pid	process
1332	rundll32.exe

description	pid	process	target process
PID 1332 set thread context of 3948	1332	rundll32.exe	rundll32.exe

Drops file in Program Files directory 7 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eula.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4340 1684 WerFault.exe 4C1C.exe

pid	pid_target	process	target process
4340	1684	WerFault.exe	4C1C.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009555964d100054656d7000003a0009000400efbe0c551d9c95559b4d2e00000000000000000000000000000000000000000000000000c8116500540065006d007000000014000000

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3060

pid	process
3060

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
904	file.exe
904	file.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3060
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

904 file.exe

pid	process
3060

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3948 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3060
3060

pid	process
3948	rundll32.exe

pid	process
3060
3060

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4C1C.exerundll32.exe

description	pid	process	target process
PID 3060 wrote to memory of 1684	3060		4C1C.exe
PID 3060 wrote to memory of 1684	3060		4C1C.exe
PID 3060 wrote to memory of 1684	3060		4C1C.exe
PID 1684 wrote to memory of 1332	1684	4C1C.exe	rundll32.exe
PID 1684 wrote to memory of 1332	1684	4C1C.exe	rundll32.exe
PID 1684 wrote to memory of 1332	1684	4C1C.exe	rundll32.exe
PID 1332 wrote to memory of 3948	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 3948	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 3948	1332	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:904

C:\Users\Admin\AppData\Local\Temp\4C1C.exe
C:\Users\Admin\AppData\Local\Temp\4C1C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14137
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 528
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1684 -ip 1684
1⤵
PID:1044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4936

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adoberfp.dll",fylWTDQ=
2⤵
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll
Filesize
797KB

MD5
0af9cdb85d4d4955377ace0fd9427af3

SHA1
32d9cff4bde5094261ffd2888f07593fe3dcfb81

SHA256
bbfb0f9ac603a2b7226a3fa8cf5141fb0092ce63d83105a1bf63d81213d19b68

SHA512
c3f5b84f41bf7473ffef350bf2f988c69a31a36cfcfd7bbebd51ce97101b42ae17604ec85e2c29872950bb9dd2a3559f6c1a16518bbbaa3ca88e51336a460366

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll
Filesize
797KB

MD5
0af9cdb85d4d4955377ace0fd9427af3

SHA1
32d9cff4bde5094261ffd2888f07593fe3dcfb81

SHA256
bbfb0f9ac603a2b7226a3fa8cf5141fb0092ce63d83105a1bf63d81213d19b68

SHA512
c3f5b84f41bf7473ffef350bf2f988c69a31a36cfcfd7bbebd51ce97101b42ae17604ec85e2c29872950bb9dd2a3559f6c1a16518bbbaa3ca88e51336a460366

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\EventStore.db
Filesize
60KB

MD5
20141c14bea9fb0aaa62db2c2fe72f46

SHA1
ba48fea9da8c80d86e1df8d1bf8170cc4adbfc34

SHA256
035e5f5e3c2293ecc83bd18fdb00a4939c635ee21c9a8506fa439193c9c166b6

SHA512
808d015172ff730a087576e5b45f3b659e53fd149a89376194eb11ab9f1e616da3757554eba9e40d82de3afc46e9f1b6251c19bee42af99bac4a7c23a9dbbb84

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
df24cc76c3706e2d0f4afb30f1a55ef8

SHA1
ec526ca35c9192df1ba14138423da21e9ca1f95e

SHA256
c16dfceb4b17e161ce06d4e916d8d8cd9614cc2982514bba41bad2dff9f27014

SHA512
6de4c4177694b58a9648ab2a9b60a72677605480d2e327eb16583f727767654b4085aa9a7466ace015df9732c808506780cb8f0cbc703ee51418b96a670e2f37

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
df24cc76c3706e2d0f4afb30f1a55ef8

SHA1
ec526ca35c9192df1ba14138423da21e9ca1f95e

SHA256
c16dfceb4b17e161ce06d4e916d8d8cd9614cc2982514bba41bad2dff9f27014

SHA512
6de4c4177694b58a9648ab2a9b60a72677605480d2e327eb16583f727767654b4085aa9a7466ace015df9732c808506780cb8f0cbc703ee51418b96a670e2f37

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe.xml
Filesize
58KB

MD5
ca7452f3c00cc3083d549346e3726b1c

SHA1
64c6e09bffa49ef36ab0ac3a7a0d98ff944eb89a

SHA256
a8736abe4c9f3715f7f737db3437af332373204263e458978f653a1c860f088b

SHA512
1a307069368230702b9d397640e4ae16cad64958aea87437b9d0c443a43242d0e72bab932be1a5fa294138c792cdbd0752edb783afe51d253cb7502fa0bc719d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftInternetExplorer2013Backup.xml
Filesize
2KB

MD5
16fa6bd16573d544916a2cb3335a1f13

SHA1
479c5b9375b5b351d7dc217deb159fe92da03f75

SHA256
37e639679abd36b5b59324eea7aa1d602ff9c287e5c07dfd335ee1a85b68fc50

SHA512
9a871284356b2217fc8dbd568c6731def7781cac4550e77824f5c683b29313cd46e444760413ec730e8f70669ff08b62ab9b73c8099115a71eb84d7d728e2873

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\StorageHealthModel.dat
Filesize
542KB

MD5
1ffbb6bf6ac240feb3fada4eedbe5310

SHA1
3f8ef6d47bda2b464024e8d09577591fab2685d7

SHA256
c09e4425d87b888993f114755887611f68d351961e429628b952b9b62b49ef5a

SHA512
18c37c2c207664a231144dced3f8a4b97c3787da1174c08f357d9d6e80ae5cd68bcaf2c89062371b40ac9d235a882053bb80d46c28ff7f4e85c2ab25dc5a7081

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml
Filesize
1KB

MD5
8a660378169f2615d70683a49d6540c9

SHA1
4e78f156eb4b8766568071e81b793f05b9ea7658

SHA256
f288b4ffdb060471a51dcea18c8e104c62cfcd8c37d7a41ee343145b4953cf46

SHA512
754bc1a9c90e4c4ea6cf1881d26c1afbb049870f41ff71c7c943726a1706f6b0b44a2f32742065f9d5eacc54d21cb54b76f5f17315af04614612f9cc58e46648

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C1C.exe
Filesize
1.1MB

MD5
96e78dc64ec67e77e1738da9b733dc86

SHA1
b9dd381c4f1d359ecb73dacd187642db300ab90c

SHA256
ff48a20d7f33ff96546a5b6e060f6bb570b4e398d77991d720d60ddf4f30f167

SHA512
7533b4fa266e003905638176710aec4203d9f5808505ef4d619eddd4570b2d6b58b99933d976903b60d0b7d23b485778962782f8d84a387316e416dcd62fcaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C1C.exe
Filesize
1.1MB

MD5
96e78dc64ec67e77e1738da9b733dc86

SHA1
b9dd381c4f1d359ecb73dacd187642db300ab90c

SHA256
ff48a20d7f33ff96546a5b6e060f6bb570b4e398d77991d720d60ddf4f30f167

SHA512
7533b4fa266e003905638176710aec4203d9f5808505ef4d619eddd4570b2d6b58b99933d976903b60d0b7d23b485778962782f8d84a387316e416dcd62fcaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\adoberfp.dll
Filesize
797KB

MD5
0af9cdb85d4d4955377ace0fd9427af3

SHA1
32d9cff4bde5094261ffd2888f07593fe3dcfb81

SHA256
bbfb0f9ac603a2b7226a3fa8cf5141fb0092ce63d83105a1bf63d81213d19b68

SHA512
c3f5b84f41bf7473ffef350bf2f988c69a31a36cfcfd7bbebd51ce97101b42ae17604ec85e2c29872950bb9dd2a3559f6c1a16518bbbaa3ca88e51336a460366

Download Submit
memory/904-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/904-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/904-132-0x0000000000663000-0x0000000000674000-memory.dmp

Filesize
68KB

Download
memory/904-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1332-148-0x0000000004DD0000-0x0000000004F10000-memory.dmp

Filesize
1.2MB

Download
memory/1332-151-0x0000000004DD0000-0x0000000004F10000-memory.dmp

Filesize
1.2MB

Download
memory/1332-150-0x0000000004DD0000-0x0000000004F10000-memory.dmp

Filesize
1.2MB

Download
memory/1332-153-0x0000000004DD0000-0x0000000004F10000-memory.dmp

Filesize
1.2MB

Download
memory/1332-152-0x0000000004DD0000-0x0000000004F10000-memory.dmp

Filesize
1.2MB

Download
memory/1332-149-0x0000000004DD0000-0x0000000004F10000-memory.dmp

Filesize
1.2MB

Download
memory/1332-157-0x0000000004E49000-0x0000000004E4B000-memory.dmp

Filesize
8KB

Download
memory/1332-147-0x00000000045E0000-0x0000000004D05000-memory.dmp

Filesize
7.1MB

Download
memory/1332-142-0x0000000000000000-mapping.dmp

Download
memory/1332-146-0x00000000045E0000-0x0000000004D05000-memory.dmp

Filesize
7.1MB

Download
memory/1332-160-0x00000000045E0000-0x0000000004D05000-memory.dmp

Filesize
7.1MB

Download
memory/1684-139-0x000000000089E000-0x000000000098C000-memory.dmp

Filesize
952KB

Download
memory/1684-145-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1684-141-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1684-140-0x0000000002330000-0x0000000002460000-memory.dmp

Filesize
1.2MB

Download
memory/1684-136-0x0000000000000000-mapping.dmp

Download
memory/2268-175-0x0000000004C60000-0x0000000005385000-memory.dmp

Filesize
7.1MB

Download
memory/2268-174-0x0000000004C60000-0x0000000005385000-memory.dmp

Filesize
7.1MB

Download
memory/2268-171-0x0000000000000000-mapping.dmp

Download
memory/2268-173-0x0000000004C60000-0x0000000005385000-memory.dmp

Filesize
7.1MB

Download
memory/3948-156-0x000001D1BDA70000-0x000001D1BDBB0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-154-0x00007FF711936890-mapping.dmp

Download
memory/3948-155-0x000001D1BDA70000-0x000001D1BDBB0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-159-0x000001D1BC0A0000-0x000001D1BC2CA000-memory.dmp

Filesize
2.2MB

Download
memory/3948-158-0x0000000000CF0000-0x0000000000F09000-memory.dmp

Filesize
2.1MB

Download
memory/4936-164-0x0000000003900000-0x0000000004025000-memory.dmp

Filesize
7.1MB

Download