danabot | 2e2d1b4e01e684060c4d78838abd43364c6ca15086be2d1e3a5ba9adb0185675

Analysis

max time kernel
123s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
Size

1.1MB
MD5

8a4cb873c04ffe6859dd5bb381fed9b2
SHA1

c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256

c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512

352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd
SSDEEP

24576:cV/Gyl0a5nGoVsJIsk/DVdmsbzK8+2HDE0j1D3W9:u1F5nnsJvk/Tmsb2sHB7W9

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

12 4108 rundll32.exe
13 4108 rundll32.exe
52 4108 rundll32.exe

flow	pid	process
12	4108	rundll32.exe
13	4108	rundll32.exe
52	4108	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DVA\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\DVA.dll㌀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DVA\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\DVA.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DVA\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4108 rundll32.exe
3468 svchost.exe
4380 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4108	rundll32.exe
3468	svchost.exe
4380	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4108 set thread context of 204 4108 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4108 set thread context of 204	4108	rundll32.exe	rundll32.exe

Drops file in Program Files directory 40 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\pmd.cer	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\plugins.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Protect_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\open_original_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\IA32.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4468 4820 WerFault.exe c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe

pid	pid_target	process	target process
4468	4820	WerFault.exe	c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe

Checks processor information in registry 2 TTPs 44 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

3468 svchost.exe
3468 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 4108 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

204 rundll32.exe

pid	process
3468	svchost.exe
3468	svchost.exe

description	pid	process
Token: SeDebugPrivilege	4108	rundll32.exe

pid	process
204	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4820 wrote to memory of 4108	4820	c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe	rundll32.exe
PID 4820 wrote to memory of 4108	4820	c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe	rundll32.exe
PID 4820 wrote to memory of 4108	4820	c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe	rundll32.exe
PID 4108 wrote to memory of 204	4108	rundll32.exe	rundll32.exe
PID 4108 wrote to memory of 204	4108	rundll32.exe	rundll32.exe
PID 4108 wrote to memory of 204	4108	rundll32.exe	rundll32.exe
PID 3468 wrote to memory of 4380	3468	svchost.exe	rundll32.exe
PID 3468 wrote to memory of 4380	3468	svchost.exe	rundll32.exe
PID 3468 wrote to memory of 4380	3468	svchost.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
"C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23986
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:204

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:828

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 528
2⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4820 -ip 4820
1⤵
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\dva.dll",mV47WFJXU2NT
2⤵
- Loads dropped DLL
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.dll
Filesize
726KB

MD5
73b31f274b20093282ef6dfd45e02052

SHA1
588e215ded09878bfc986ea82f28c3a1b56992d1

SHA256
39ef4edde5099d5177fee26d0ae233739c1616a92b04bed5ccc9c81563b9dc0b

SHA512
cf844f25dbef95b994edee21ad587715cc8650408de165769e23a0f3df2428de7a14f729fbc573878198302c2e14afb62e7eecb4c102b5006a066cfe41108c3d

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.dll
Filesize
726KB

MD5
73b31f274b20093282ef6dfd45e02052

SHA1
588e215ded09878bfc986ea82f28c3a1b56992d1

SHA256
39ef4edde5099d5177fee26d0ae233739c1616a92b04bed5ccc9c81563b9dc0b

SHA512
cf844f25dbef95b994edee21ad587715cc8650408de165769e23a0f3df2428de7a14f729fbc573878198302c2e14afb62e7eecb4c102b5006a066cfe41108c3d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.powerpointmui.msi.16.en-us.xml
Filesize
27KB

MD5
e9ed7134ebf28fea3f7aa5691a28438a

SHA1
ea1e55c279ed9f8dae333ae436204d8d67d46adf

SHA256
8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28

SHA512
535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\CiST0000.000
Filesize
240B

MD5
aaafafa2062f5e73e13d15c88e85bd0b

SHA1
b53df7eeed7a4de3daaa77ea8b75204521e37b72

SHA256
b789f340022b08ca918bab1c1bf0b93a903c6289f4a2b566aeeaee0fdb7bbd67

SHA512
b9d6d9a0af57473d4944de4b437b10d45fcb1cd86be0284e6a50f3837ee66225b63d0babb0f357e5e964e09227935be0512b0756f367cf6fa82f325fe19568b4

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_8_12_19_30_52.etl
Filesize
256KB

MD5
283a4cf597b209e42e4beca22f43063d

SHA1
a5ecff128c6c41a9882d1a5dd70300aef8811312

SHA256
0722cbcf645501ff880b4900d6c4314c4a5d4f2b030a1ad78e9a03994be3ebf4

SHA512
1ab412a977706a876c89577f66965121a4ca638c4c8370547b6d9f531aeffb4c8d91562844eb77fb37af260435c01506bacc2f790482c886a42a0c4312303b48

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
13KB

MD5
c7405e2e68aec89e44862595ccc0d186

SHA1
2cc8d73f93dd875134917795633bb606911f1069

SHA256
9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37

SHA512
0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe.xml
Filesize
9KB

MD5
993d82e37af681bd65f1d428b6ee281e

SHA1
bb1a8402cfccd1d97ea58d6136847a4dd1ba0f65

SHA256
1bc1d4525a46e58edd165a9d792f50441ea3cbcecd14022dc112e02f3d9b5bf8

SHA512
4eb247e384ffa84460e43abe7563643de30f397b628c02f3e6e51c69669d5d7b8be6ebe51355586e5cd5a252652e0eef7f1bd0219b416b61e1db318db4ac833c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
855B

MD5
7ec956334fec33862a86ae1d3db724f5

SHA1
009ef40b310d0068ec42c3ec85a424a147e9e712

SHA256
c861b14bdbc003a3029af12487b4b01b9e3ece914afc6029b4cf59eb3156e3d7

SHA512
ba478d4138c56b6a5e89a0daa58234a2c872e39684c946711b0fc972e63a91ab97bbb5e8300e03094e8fc243f8bf39e1931162bf95762142998428faf69c2af9

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml
Filesize
15KB

MD5
2f71d0396b93381c1fd86bf822612868

SHA1
d0801700dd00a51276f32c6ed19f5b713b5db825

SHA256
0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026

SHA512
67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
839B

MD5
2f6bc19cc3de731b8eaec46910edaf83

SHA1
61fd41f1fd1e4c6d7178a204c8ab68add839a199

SHA256
6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966

SHA512
841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013Office365Win64.xml
Filesize
10KB

MD5
46353bb25b4eb2e9d26a25744c716563

SHA1
a9a9c2a1260542b5246fd642425dcc2a29a098c1

SHA256
3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893

SHA512
09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013Win64.xml
Filesize
66KB

MD5
c08e2d9084398ad29bb453183bb2155d

SHA1
285b0d897ff73444a74bf9e253d30f7cb1f4f2be

SHA256
9ddc306cee7a71d98fe59c39ce5fb74cc7e36c54a55cc46f2e8136c12e890418

SHA512
d032acce3071bb26d688aa4a816d09b6852c3ccb179f66a0001038b94f556a4b04401e02a4dc3b8eb7f4c4aa0fb74aa009a5db786972c56cb08d5dbeeaefad83

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2016BackupWin32.xml
Filesize
12KB

MD5
ffbc41d3c63bccdca27c2c88ab0e85c4

SHA1
f3923962734058dc0b91515b2981d1eb33f8a8dd

SHA256
caf2eef3b42d36b4d6d4a24597557a7feada559e99abedb56287248286531dea

SHA512
9da5dd978c9faa7de1552117207fb694e97f895b054a457ffe0b9444251e7203774b142ee558317136dd8f240c12f7309b137eb930417c181c404f8318a3f8fa

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\RegisterInboxTemplates.ps1
Filesize
611B

MD5
05f7a98933d942ced40039a39cdb3fda

SHA1
c7d59ec61f4e454b0c8e38d921fb5e7f127ee46d

SHA256
a9b8f3753fb1adf3fdd9558cd49e0be28d0fd781eb192ff9e8b0cc736ee173eb

SHA512
dc01d47114be1fece3b4a87498194ae8c102d863f384e4b45009d5ddc8e1bfe77ecab99bf8ea76c53177a847b312f5a743ac9f06eb4a3619b91ec2adf19d4f34

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
afc346fde79e567a4549fcb6c99a9cca

SHA1
b6bda7ba4d94b4e26f90723e4b5cf13925169856

SHA256
e30a702b657b7e4f96bdf4a5d87d3958e9c03e07490cb06dd530fcaa27d83ab6

SHA512
6ce60a7b178a7de1b09551f1dd6f62fc7b3b5974ce65f62f77dfeb8e4e9d4d72b055afc5d9cd38ecf43448adb1a9df8ca1f9d25cc876fb0aacc2b5666f1cf821

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
Filesize
1KB

MD5
66963736ebb1e54dc596701206eaed3f

SHA1
18bc8dfc779d407398af193f3d265ff93f253bc2

SHA256
fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b

SHA512
96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\scan_settings.ico
Filesize
62KB

MD5
8f6abfe0c274c41c3ad3c1becf2317f5

SHA1
6dc69b46e569ca11e3ec081293df69a6d115674c

SHA256
d660f44fb7efbfdcec4cba821fea1be0977e3f66cc709b313edf9ead575994a5

SHA512
ed474a6d52df65b5bf7a1bd81d54458a1258571f16b28ce043189815bf6dc57c49cb31c6f48fed9791de6b69f93331282a0c6e76e54d488ddad7e30d2333a1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\dva.dll
Filesize
726KB

MD5
73b31f274b20093282ef6dfd45e02052

SHA1
588e215ded09878bfc986ea82f28c3a1b56992d1

SHA256
39ef4edde5099d5177fee26d0ae233739c1616a92b04bed5ccc9c81563b9dc0b

SHA512
cf844f25dbef95b994edee21ad587715cc8650408de165769e23a0f3df2428de7a14f729fbc573878198302c2e14afb62e7eecb4c102b5006a066cfe41108c3d

Download Submit
memory/204-151-0x000001CCA7820000-0x000001CCA7A4A000-memory.dmp

Filesize
2.2MB

Download
memory/204-150-0x0000000000370000-0x0000000000589000-memory.dmp

Filesize
2.1MB

Download
memory/204-148-0x000001CCA9060000-0x000001CCA91A0000-memory.dmp

Filesize
1.2MB

Download
memory/204-147-0x000001CCA9060000-0x000001CCA91A0000-memory.dmp

Filesize
1.2MB

Download
memory/204-146-0x00007FF6935F6890-mapping.dmp

Download
memory/632-179-0x0000000000000000-mapping.dmp

Download
memory/828-178-0x0000000000000000-mapping.dmp

Download
memory/3468-156-0x0000000003270000-0x0000000003995000-memory.dmp

Filesize
7.1MB

Download
memory/3468-173-0x0000000003270000-0x0000000003995000-memory.dmp

Filesize
7.1MB

Download
memory/3468-180-0x0000000003270000-0x0000000003995000-memory.dmp

Filesize
7.1MB

Download
memory/4108-145-0x0000000005770000-0x00000000058B0000-memory.dmp

Filesize
1.2MB

Download
memory/4108-138-0x0000000004F80000-0x00000000056A5000-memory.dmp

Filesize
7.1MB

Download
memory/4108-132-0x0000000000000000-mapping.dmp

Download
memory/4108-144-0x0000000005770000-0x00000000058B0000-memory.dmp

Filesize
1.2MB

Download
memory/4108-143-0x0000000005770000-0x00000000058B0000-memory.dmp

Filesize
1.2MB

Download
memory/4108-142-0x0000000005770000-0x00000000058B0000-memory.dmp

Filesize
1.2MB

Download
memory/4108-140-0x0000000005770000-0x00000000058B0000-memory.dmp

Filesize
1.2MB

Download
memory/4108-141-0x0000000005770000-0x00000000058B0000-memory.dmp

Filesize
1.2MB

Download
memory/4108-139-0x0000000004F80000-0x00000000056A5000-memory.dmp

Filesize
7.1MB

Download
memory/4108-152-0x0000000004F80000-0x00000000056A5000-memory.dmp

Filesize
7.1MB

Download
memory/4108-149-0x00000000057E9000-0x00000000057EB000-memory.dmp

Filesize
8KB

Download
memory/4380-176-0x0000000004B10000-0x0000000005235000-memory.dmp

Filesize
7.1MB

Download
memory/4380-177-0x0000000004B10000-0x0000000005235000-memory.dmp

Filesize
7.1MB

Download
memory/4380-172-0x0000000000000000-mapping.dmp

Download
memory/4820-135-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4820-134-0x0000000002400000-0x0000000002515000-memory.dmp

Filesize
1.1MB

Download
memory/4820-133-0x0000000002283000-0x0000000002359000-memory.dmp

Filesize
856KB

Download