danabot | 1880b1a25e05835f30fb291b7871e594a85aec146c659ee32b8ab4f950635a4f

Analysis

max time kernel
119s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52a4ac130352fd65ad0f411799d74abe.exe
Size

1005KB
MD5

52a4ac130352fd65ad0f411799d74abe
SHA1

bb2d4993fc3cf1b110e81a68a26c606f71c10c3e
SHA256

1880b1a25e05835f30fb291b7871e594a85aec146c659ee32b8ab4f950635a4f
SHA512

2115c912a44b6e881558c6c593bf480882bdcddadb7401a1cea0841946f848865992287429eaf4d2950fb1f2753b903a5e58cafb9c5b7b06e909def98673bfbf
SSDEEP

24576:CYzxn6MvPWzlhSOjIi4K4dWRT63gqYbXF:CMxJvSIi4ipX

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 864 rundll32.exe
5 864 rundll32.exe
9 864 rundll32.exe

flow	pid	process
2	864	rundll32.exe
5	864	rundll32.exe
9	864	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\acro20\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Media Player\\en-US\\acro20.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\acro20\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

864 rundll32.exe
780 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
864	rundll32.exe
780	svchost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rundll32.exe
File created	C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Desktop.ini	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 864 set thread context of 1556 864 rundll32.exe rundll32.exe

description	pid	process	target process
PID 864 set thread context of 1556	864	rundll32.exe	rundll32.exe

Drops file in Program Files directory 30 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFPrevHndlr.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.LIC	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\DisplayLanguageNames.en_US.txt	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AcroTextExtractor.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AdobeUpdater.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\EQNEDT32.CNT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Thawte Root Certificate.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\CP1253.TXT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AdobeAUM_rootCert.cer	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\acro20.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\HLS.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\usa.fca	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\eng32.clx	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AcroIEHelperShim.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HLS.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\info.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 864 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1556 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	864	rundll32.exe

pid	process
1556	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

52a4ac130352fd65ad0f411799d74abe.exerundll32.exe

description	pid	process	target process
PID 1784 wrote to memory of 864	1784	52a4ac130352fd65ad0f411799d74abe.exe	rundll32.exe
PID 1784 wrote to memory of 864	1784	52a4ac130352fd65ad0f411799d74abe.exe	rundll32.exe
PID 1784 wrote to memory of 864	1784	52a4ac130352fd65ad0f411799d74abe.exe	rundll32.exe
PID 1784 wrote to memory of 864	1784	52a4ac130352fd65ad0f411799d74abe.exe	rundll32.exe
PID 1784 wrote to memory of 864	1784	52a4ac130352fd65ad0f411799d74abe.exe	rundll32.exe
PID 1784 wrote to memory of 864	1784	52a4ac130352fd65ad0f411799d74abe.exe	rundll32.exe
PID 1784 wrote to memory of 864	1784	52a4ac130352fd65ad0f411799d74abe.exe	rundll32.exe
PID 864 wrote to memory of 1556	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 1556	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 1556	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 1556	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 1556	864	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\52a4ac130352fd65ad0f411799d74abe.exe
"C:\Users\Admin\AppData\Local\Temp\52a4ac130352fd65ad0f411799d74abe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1148

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:780

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows media player\en-us\acro20.dll",ZzUydFE=
2⤵
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\7-Zip Help.lnk

Filesize
747B

MD5
1fac7ff1bacda7dc00f09536e5b5ad05

SHA1
11ad3a5fb213b64453dbf3abea46871136376231

SHA256
d6721f8dc3b8c613db18a9f039f00bcc2f087bdeef696877834bcbd1ec4ec296

SHA512
434ab10410a8bfdbc714556a6b84c399fb043967550094f38b6fc30dd756bfecc417cd0ca81cbe014f9dc63452358c4de44b229a884739a7fd2f867469ba429e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\CiST0000.001

Filesize
64KB

MD5
e927ce2d6fea5f6a171e7f6e484667c6

SHA1
5cd8a011fdb445c3fe1a9812ef2105d16e142673

SHA256
933659673867cfb86161b9e18bfc7b2a92da0506fc8491fde8cda87b1405fb5a

SHA512
2e2da0b3a9053f2c9a6a570e1a0a2ba30f7f565216a42fba7b303aa777e5de097b85242508bf5a315a6b650de586c5e075b59d34bc0804cb73cddcfa6d8efc4e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Desktop.ini

Filesize
1KB

MD5
e8c93f12a5844c4428c3dd02b11b3208

SHA1
a30d7d74b08f501be1eab28dc7d2fbe908edcfc7

SHA256
230d79f7ba0e6b11a5ab27484a39ffca842ea3da5b1d5567bc9274e291d89f8c

SHA512
398dbe6a3093b40ee7fdda4c3c3927dcb1659d7d3af628adfa51aa53fb3078e08807c0b5be8acc1fcf6858a50947649123a603c88827a793c4c7276af4c33842

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DocumentRepository.ico

Filesize
24KB

MD5
17cd612fc869d247280277b7797afbca

SHA1
98268ab5cdafe56d93ad4eef19f9a0f2b725e58c

SHA256
d12cae5b4e6bb2a7adc77d52565038fbda8e3da919e3ee2890f9dc7159f47fd5

SHA512
126c9152436e12dbf88c44c4cfd1d85d1c8d7a1dbc4d3a9194d86e0b41cdf2fae31a310be5d6933a8c49c014a17ec71e17f99d2da22cc7cd2cd5837c7f6fbe6a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_CValidator.H1D

Filesize
11KB

MD5
0e1f7541bb8b64deb9ebb3be8880c9d2

SHA1
c3504e15ca060ef4345d9961d73dbd84ac2987d5

SHA256
25c31a7c0090fde3f08c84c5eb81bc879b79e8f677260bd26225592d03d51c97

SHA512
e1b93b3f0080b524d42358952b205d63e1909ad495b9b09fe5b2a0a884ddeda078f1f217c4313632c1ed5c036cbaea538135c0b2a2bd8f282ffac55c8ae7b631

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MySharePoints.ico

Filesize
340KB

MD5
1f24dae5e9da4d6e021683d7d03fb528

SHA1
c986d8e34f84c7b2e931a7ff61eb307ef8789f0d

SHA256
241b42c7911a7c36ae89c45366397384f91145fe39308352f0242c357505e06b

SHA512
b1e6e9d4e2ff4cd1b452de1ae14b40e436cc82f22251cbc87788742145000d650b522544bba9085ba36f5cab43d9e4481a7b8ef46acb280da6bd83ab0441b58d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\OUTLLIBR.REST.trx_dll

Filesize
665KB

MD5
753df8b9141a1939d4454d07aed78e06

SHA1
514d203a4a8e8a26c8def2c4c21d34da7c5a8243

SHA256
91f6c4f198a868abbd3f7cf31373d8e65618092f680be3304b77d66fedabb7d0

SHA512
d280ed303c8e51dc5b60357a83839d1ad4ac5ced836422649c88616063e46b88c5c713707b448e192a5b429ac815c8d3eeff27fbb3dbf1b373414cee8e3ee880

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\PPINTL.DLL.trx_dll

Filesize
51KB

MD5
774d0f398412285a452200181126833b

SHA1
1952250eb4e4eb242c23ec2150b018eb7539b1ef

SHA256
fc461a8cfb1a70d7c0d2273f08c130be7a4a6c89d0aaee4024ab2b25c0e67130

SHA512
43e050a22c5d6ce9ec1e76428ad9afd5aa7f3e373609df470a7178d7cbb10100bc6fba96c806161353bc467073ec1b9885c570b53a10c9524e8228f2de4fd3f5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
f0c4d324e6e84d70ad151906415b4ce3

SHA1
28ca6896e647093bf1e8fc2edc847480bc98d21b

SHA256
1d13300766da9b883e632dd49afed452ed22e514e87fe75bd73d42076fbbe411

SHA512
f0e173e4f7c17917f0bbf404f87237bf9420ca6217110c37f96e91c010e2976a740d97af7480bc91c53711d9d9a500ce8349f746ba5a6eea63e3ed6636897c3f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
e05f43432f425c0e16bff86fe900fc7d

SHA1
e8ac91815f087e993e165bb98739d6738e84f292

SHA256
5ffa834784b383653f9f5473690c81989dca69a9c0d4522c56a9dd5561390067

SHA512
45133a125d35b99594213007c03dcf02fdf9f781389e59774b443efb4a631b747ca1b5bce53ea9cabe638f99ba2e190782aa1ff37c05b86a45cf3c7d9d5c9751

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Speech Recognition.lnk

Filesize
1KB

MD5
1c2d57f6d10fc5fbc894a70c3c3e3cb3

SHA1
758c3a4828c321ae9c008e66067811baddb91b3c

SHA256
df9bdfa348c754781446438c5c46b3c2864a788e4ad735e9eaded00bd8c96de7

SHA512
f77720c2071a84f45aaa371912f8e5132d24de8d709efbb7c6a75c4faad463125c96cef988768277d92650b2e9216e53340a4e45fff4ab41426697d7ce5daf6f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Sticky Notes.lnk

Filesize
1KB

MD5
aa1a91c1e8c7d03b9d7339b3fdc0ec27

SHA1
92910279a9882dc7f067bf78ee59fdda20c53c13

SHA256
7ef2fc02370a8b64feb26dfeae4b9f85904c3c0aa6cf24c805f832a5655fef51

SHA512
4c4b98a7baaab12b3bc6a0bec569a141f2bd2243a26858104ea28d75e9517371c8aaca57fb48e617c143efce8b446849f4a994de532890dd58d8b000d2a46a1b

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\behavior.xml

Filesize
1KB

MD5
0a143381eb5b3e52322d08c9ed95ce58

SHA1
9c2b249a7dbc085028bb4aa64420650dc1986b0e

SHA256
f0572b5708c83015d326607631d8247090242ddebb08f342d75bc9171db82ef2

SHA512
6e18f13517eebb3529093e5a61b8447b8214e442475d45b214e01658c01e3da403be600b113547688c2fb3f3bd7a18e2bad02cbcb0d1c4b648058dbe6e3bdb7f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile15.bmp

Filesize
48KB

MD5
5bbeef2274e18d8837659aff869d8f05

SHA1
203f71f7353bca2b6f6802acfe7c7f39c1be4a48

SHA256
f120cb4f7f7539412edf4e4c4fca3b5666e2dfb3196e8460584fd6c9a073265b

SHA512
72212cfdfd61b802f3dc0854223d975260392dd4e78b8bbe0ca8783ee6bc8c71bf35e45e971443cb86f7a361c485bcdc8c464c83d64e31253b1c56d34ccfab9e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile35.bmp

Filesize
48KB

MD5
c8d351bf2848d70bacc8c54aebe5ce0a

SHA1
f3e4789442f2bf6f76a03d2462bcdc26e9efc78e

SHA256
b0c2252a53340d411dab77569089953661edf4bbb0e87c2b4b7ab792adc9818f

SHA512
18461905567ed2e40fa29dd7ab1d6a485e0896c8860180286f5524cb4fcc75890b3dcd785163f962b2e3819f9c4bd62d353feb8ba1ba67f73011ec4b42eb2ec5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\{41C2DDAB-12B9-44DB-BCD2-300ED30259A1}.2.ver0x0000000000000001.db

Filesize
1KB

MD5
892023f20b46f1f34e3e8aebd8dbba3d

SHA1
0c13a1653f1f6102c761f5e2a27a054dfd337e58

SHA256
af59a23e472b9d496600f9592555649bb2626daf6b8c11ac0e7abd04d5cad2dd

SHA512
72a1a7750d87140c6877b405856ad22d38238c432cbfe21456baf9b572a21cd7b20c2a129a0614eb954d4193d777d0067a68cf4ce858b910415022d64f04255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windows media player\en-us\acro20.dll

Filesize
726KB

MD5
0c28f4b2c79dcd838acb05ee094d8f87

SHA1
5707b457f84e9daef648b0e9b54fe9e0fb24ba08

SHA256
85a63669e990748fb576259ce6df72e46c43137085051e2c795b54302b8587ea

SHA512
253e85d714c22cb1b50ef7cf37136dae2e9b1baa568c4e9b75d46bde4c977afd84f2efb6ca9a1ad4253bdbdd488420f33a123a03979e1d76cf24f827784b21bb

Download Submit
\Program Files (x86)\Windows Media Player\en-US\acro20.dll

Filesize
726KB

MD5
0c28f4b2c79dcd838acb05ee094d8f87

SHA1
5707b457f84e9daef648b0e9b54fe9e0fb24ba08

SHA256
85a63669e990748fb576259ce6df72e46c43137085051e2c795b54302b8587ea

SHA512
253e85d714c22cb1b50ef7cf37136dae2e9b1baa568c4e9b75d46bde4c977afd84f2efb6ca9a1ad4253bdbdd488420f33a123a03979e1d76cf24f827784b21bb

Download Submit
\Program Files (x86)\Windows Media Player\en-US\acro20.dll

Filesize
726KB

MD5
0c28f4b2c79dcd838acb05ee094d8f87

SHA1
5707b457f84e9daef648b0e9b54fe9e0fb24ba08

SHA256
85a63669e990748fb576259ce6df72e46c43137085051e2c795b54302b8587ea

SHA512
253e85d714c22cb1b50ef7cf37136dae2e9b1baa568c4e9b75d46bde4c977afd84f2efb6ca9a1ad4253bdbdd488420f33a123a03979e1d76cf24f827784b21bb

Download Submit
\Program Files (x86)\Windows Media Player\en-US\acro20.dll

Filesize
726KB

MD5
0c28f4b2c79dcd838acb05ee094d8f87

SHA1
5707b457f84e9daef648b0e9b54fe9e0fb24ba08

SHA256
85a63669e990748fb576259ce6df72e46c43137085051e2c795b54302b8587ea

SHA512
253e85d714c22cb1b50ef7cf37136dae2e9b1baa568c4e9b75d46bde4c977afd84f2efb6ca9a1ad4253bdbdd488420f33a123a03979e1d76cf24f827784b21bb

Download Submit
\Program Files (x86)\Windows Media Player\en-US\acro20.dll

Filesize
726KB

MD5
0c28f4b2c79dcd838acb05ee094d8f87

SHA1
5707b457f84e9daef648b0e9b54fe9e0fb24ba08

SHA256
85a63669e990748fb576259ce6df72e46c43137085051e2c795b54302b8587ea

SHA512
253e85d714c22cb1b50ef7cf37136dae2e9b1baa568c4e9b75d46bde4c977afd84f2efb6ca9a1ad4253bdbdd488420f33a123a03979e1d76cf24f827784b21bb

Download Submit
\Program Files (x86)\Windows Media Player\en-US\acro20.dll

Filesize
726KB

MD5
0c28f4b2c79dcd838acb05ee094d8f87

SHA1
5707b457f84e9daef648b0e9b54fe9e0fb24ba08

SHA256
85a63669e990748fb576259ce6df72e46c43137085051e2c795b54302b8587ea

SHA512
253e85d714c22cb1b50ef7cf37136dae2e9b1baa568c4e9b75d46bde4c977afd84f2efb6ca9a1ad4253bdbdd488420f33a123a03979e1d76cf24f827784b21bb

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
memory/780-89-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/780-87-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/780-90-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/780-121-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/808-122-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/808-115-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/808-114-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/808-112-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/808-105-0x0000000000000000-mapping.dmp

Download
memory/864-68-0x0000000004070000-0x00000000041B0000-memory.dmp

Filesize
1.2MB

Download
memory/864-63-0x0000000004510000-0x0000000004C35000-memory.dmp

Filesize
7.1MB

Download
memory/864-82-0x0000000004510000-0x0000000004C35000-memory.dmp

Filesize
7.1MB

Download
memory/864-72-0x00000000053E0000-0x0000000005520000-memory.dmp

Filesize
1.2MB

Download
memory/864-73-0x0000000004070000-0x00000000041B0000-memory.dmp

Filesize
1.2MB

Download
memory/864-56-0x0000000000000000-mapping.dmp

Download
memory/864-74-0x0000000004070000-0x00000000041B0000-memory.dmp

Filesize
1.2MB

Download
memory/864-69-0x00000000053E0000-0x0000000005520000-memory.dmp

Filesize
1.2MB

Download
memory/864-65-0x0000000004510000-0x0000000004C35000-memory.dmp

Filesize
7.1MB

Download
memory/864-66-0x0000000004510000-0x0000000004C35000-memory.dmp

Filesize
7.1MB

Download
memory/864-67-0x0000000004070000-0x00000000041B0000-memory.dmp

Filesize
1.2MB

Download
memory/1148-120-0x0000000000000000-mapping.dmp

Download
memory/1556-75-0x00000000FF7E3CEC-mapping.dmp

Download
memory/1556-78-0x00000000001C0000-0x00000000003D9000-memory.dmp

Filesize
2.1MB

Download
memory/1556-70-0x00000000001C0000-0x00000000003D9000-memory.dmp

Filesize
2.1MB

Download
memory/1556-80-0x0000000002000000-0x000000000222A000-memory.dmp

Filesize
2.2MB

Download
memory/1556-79-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1556-81-0x0000000002000000-0x000000000222A000-memory.dmp

Filesize
2.2MB

Download
memory/1556-77-0x0000000002230000-0x0000000002370000-memory.dmp

Filesize
1.2MB

Download
memory/1556-76-0x0000000002230000-0x0000000002370000-memory.dmp

Filesize
1.2MB

Download
memory/1784-57-0x0000000001DE0000-0x0000000001EB6000-memory.dmp

Filesize
856KB

Download
memory/1784-55-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1784-60-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1784-58-0x0000000001EC0000-0x0000000001FD5000-memory.dmp

Filesize
1.1MB

Download
memory/1784-54-0x0000000001DE0000-0x0000000001EB6000-memory.dmp

Filesize
856KB

Download
memory/1944-123-0x0000000000000000-mapping.dmp

Download