danabot | ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549

Analysis

max time kernel
121s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe
Size

3.6MB
MD5

2d5452372ed89a637202f5c4311d6b83
SHA1

70f812ddb79efec13fb89c30d29ac9abbc17d623
SHA256

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549
SHA512

4ad38958af05f101fa07c90a78857af24f641e299315d039596af0c4669095ba68838b0f5a2ba78bf070e143ada84b2a82e25ba004791ee696d9491470bbaba7
SSDEEP

49152:zjvWrU4VyUHA3iRYoySMbSsigAh14tKS2lw4I0LGAEJxQGV3O:3wU4VyUHpRYoESsigAlyG

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
05464755482ADBCA40CEC902795D5204
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 968 rundll32.exe
5 968 rundll32.exe
9 968 rundll32.exe

flow	pid	process
2	968	rundll32.exe
5	968	rundll32.exe
9	968	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SY______\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\SY______.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SY______\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exesvchost.exe

pid process

968 rundll32.exe
968 rundll32.exe
968 rundll32.exe
968 rundll32.exe
1096 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
968	rundll32.exe
968	rundll32.exe
968	rundll32.exe
968	rundll32.exe
1096	svchost.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 968 set thread context of 1032 968 rundll32.exe rundll32.exe

description	pid	process	target process
PID 968 set thread context of 1032	968	rundll32.exe	rundll32.exe

Drops file in Program Files directory 32 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CP1253.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\brt32.clx	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\UKRAINE.TXT	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\drvDX8.x3d	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\DWTRIG20.EXE	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\MTEXTRA.TTF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\A3DUtility.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\license.html	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\VDK10.SYX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\brt55.ths	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CENTEURO.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\drvSOFT.x3d	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\ReadMe.htm	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1372 1064 WerFault.exe ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

pid	pid_target	process	target process
1372	1064	WerFault.exe	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 968 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1032 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	968	rundll32.exe

pid	process
1032	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exerundll32.exe

description	pid	process	target process
PID 1064 wrote to memory of 968	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1064 wrote to memory of 968	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1064 wrote to memory of 968	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1064 wrote to memory of 968	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1064 wrote to memory of 968	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1064 wrote to memory of 968	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1064 wrote to memory of 968	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1064 wrote to memory of 1372	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 1064 wrote to memory of 1372	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 1064 wrote to memory of 1372	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 1064 wrote to memory of 1372	1064	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 968 wrote to memory of 1032	968	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 1032	968	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 1032	968	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 1032	968	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 1032	968	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe
"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20224
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1032

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 208
2⤵
- Program crash
PID:1372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
PID:1096

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft sync framework\v1.0\sy______.dll",f0Q7STRRUQ==
2⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp
Filesize
2.3MB

MD5
5dfc58d07c91a283b23533b0e16507e0

SHA1
1d676639bc43d2a5ab3c2c029de956017c9c0579

SHA256
20c60035ef56520689d5403950def07449b2a037583f994c93cffe69243f186f

SHA512
8748376326a3aa158a6afbffd1c2d3285c385b86e97187296f0828109008fee4c9daca10120c802db92b73e4328e19fe2af5ef21d2aa6250e06260c864640e4c

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Desktop.ini
Filesize
1KB

MD5
6ce9bf045d627596d601b3f3794c7fe0

SHA1
c512e26a135a199e276c2a75cdb2651b55d61e8a

SHA256
d9de8d9582912455294bd1f34618fde6b366e4d31b003078c85eb4401b99cfdd

SHA512
08cc7b04e458144ee1b55a3c42b7a1d4f6eb4d9c68b22da2375247e03ed1e599203d27f9cf27e0fdc57f6e28b8eb307cccb2e2126ab7414c36355477089b81f6

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_CValidator.H1D
Filesize
11KB

MD5
78f3883f7874696dcd58786ee1d13bea

SHA1
8162c11cbe06fd3106707c3a8bbc284cb4229ab1

SHA256
8aa4719ed70a2f56d42a40943325093c09fc3cdd265dae176fa9e3905d7fed3d

SHA512
4913ed573bafcc9b4e9e8b43cbf91b18a1e2c0c9451ab1ef2a1b64f1c6f994fa17eb13f9e9885fcc1b450cd0122273f255bc6d8e8101514877ce2f217b01343b

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MKWD_AssetId.H1W
Filesize
229KB

MD5
e0bbbc43fada1cb3a1e4ed3aa1280ec7

SHA1
d1d8e0dc3123e3c9b53befe742e8e102ca4bf56c

SHA256
03114b5cdbfb0692a71385c08eea9be49822656f9845ec654a0c6f5240df04ed

SHA512
e7acacbab46c1b69ca2f86a9ef393fa1fbd8870dd1555d1f374d230df357a90fd4953ed89d66b5a634f852a996653428fbb6368335bb3ab18e5cb84555335aec

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MTOC_help.H1H
Filesize
531KB

MD5
aa7cd98925d3360470d9ad55d17d0cad

SHA1
46c0bf202c8edc55e958a072cc0ddf24bd5cbb69

SHA256
7db90dc486a9b61cc88344f87ed9db717ffcc946cb94399a093e7f45607ecf3b

SHA512
726590cde89a1706f3130ed178b1dffedc98003b502d73af588e8e72cc8ef58fdc1012790966254283ccd0f691af06cdfb8b8cbc39de74cf7bdd147a7490b689

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Mobility Center.lnk
Filesize
1KB

MD5
ba40e2f08ca68f25103da982c8c83e9e

SHA1
fc31171eb5edf879c9690f2fe022add29ea92246

SHA256
53da45e07b8c6517a37a11f24c7d670d9cfa69ee581940b211b4ce7bcd5ed92a

SHA512
0a1cbeaf53760b85f9c3be4054ef7a11aad6d66756b4c04255ab0b71786b9b88bae8d9f555064f8e7285654c7ba00b97cdb53cd16123ea81c8645afd89d3c6d2

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MySharePoints.ico
Filesize
340KB

MD5
1f24dae5e9da4d6e021683d7d03fb528

SHA1
c986d8e34f84c7b2e931a7ff61eb307ef8789f0d

SHA256
241b42c7911a7c36ae89c45366397384f91145fe39308352f0242c357505e06b

SHA512
b1e6e9d4e2ff4cd1b452de1ae14b40e436cc82f22251cbc87788742145000d650b522544bba9085ba36f5cab43d9e4481a7b8ef46acb280da6bd83ab0441b58d

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\VISINTL.DLL.trx_dll
Filesize
462KB

MD5
13097a116f09601935ab89fdbb604402

SHA1
6da82026200b90dde4dd61359cf559e2c3c77863

SHA256
bc65e3c6f0ca6ffffcf885836f3b9372a8774c47c2bd260158619804cd8b8c5f

SHA512
ff60810d07c76badb62fa074d49addd40ab8fb936c4c2a24bf2d1a78f0e9395bbc4de19e5aa4d8e7e5d0234ec3dbc6cd49788f83fa94e1bdf9d933c8d4ab19fd

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\background.png
Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\folder.ico
Filesize
52KB

MD5
bbf9dbdc079c0cd95f78d728aa3912d4

SHA1
051f76cc8c6520768bac9559bb329abeebd70d7c

SHA256
bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2

SHA512
af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\overlay.png
Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\ppcrlui.dll
Filesize
248KB

MD5
046a9363a58f8c4105e5871a514b63cc

SHA1
2656816adb38ea616506b8b5f7db49e53a3ba28c

SHA256
c1f80d9e281441239c5f40d8ae18a867b2d517385d16fd05c122a0b2716cba56

SHA512
0d12c72d6f7cd9652afdde3e9e10e678c31e11a5f37991d5c7e73617f361d7636b76e8579ec7c8e32caa5d35271224dc182833378b9d63f90b6019a1aefa160c

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\print_queue.ico
Filesize
55KB

MD5
0f3c6d90637f0fdc57b1d303cf8d76cd

SHA1
91cef4325b363b31e4555302a70321a2110b51cf

SHA256
4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261

SHA512
6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml
Filesize
1KB

MD5
0e190f6bbc7898c31d4eae77c6abebfe

SHA1
fb6673c8116b650f0536d56be09eb188d7bdc930

SHA256
f7f461d92f4a45d1232e7e5ad76cffbbb7b83abd69df864387c757051494d118

SHA512
faaf0699ddb7e4e152afaf54bed0794c9e816cb762454c277f5d52acf88a44535cc3a44797c73393fc50db8afe2566bcaf9a4f93d945c6b0b3d8458d16ae5312

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\superbar.png
Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
c889ec269e74696582449d20dedbbc9a

SHA1
2c1938fcaf61e3be1865645d159910e827850b8e

SHA256
f523be394b9dfc8e7a0aba77e71964a3292c76219a97b59bd560a0f6dd14ef1e

SHA512
1f594f04e3fc60eb31e7f38eeadb718789a7dd4ef8b8c174fe5879952bd057157905a5a1c4eb981803b92a484ffee22110ecccd95be9a8aca397eb5c724f96a7

Download Submit
\??\c:\program files (x86)\microsoft sync framework\v1.0\sy______.dll
Filesize
2.4MB

MD5
b54e57b5158cb76e5a1f5ee46f29f7f4

SHA1
482882b104f7ce86642ce5e4eea5005ca0d3cd2d

SHA256
2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c

SHA512
4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll
Filesize
2.4MB

MD5
b54e57b5158cb76e5a1f5ee46f29f7f4

SHA1
482882b104f7ce86642ce5e4eea5005ca0d3cd2d

SHA256
2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c

SHA512
4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll
Filesize
2.4MB

MD5
b54e57b5158cb76e5a1f5ee46f29f7f4

SHA1
482882b104f7ce86642ce5e4eea5005ca0d3cd2d

SHA256
2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c

SHA512
4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll
Filesize
2.4MB

MD5
b54e57b5158cb76e5a1f5ee46f29f7f4

SHA1
482882b104f7ce86642ce5e4eea5005ca0d3cd2d

SHA256
2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c

SHA512
4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll
Filesize
2.4MB

MD5
b54e57b5158cb76e5a1f5ee46f29f7f4

SHA1
482882b104f7ce86642ce5e4eea5005ca0d3cd2d

SHA256
2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c

SHA512
4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll
Filesize
2.4MB

MD5
b54e57b5158cb76e5a1f5ee46f29f7f4

SHA1
482882b104f7ce86642ce5e4eea5005ca0d3cd2d

SHA256
2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c

SHA512
4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
c889ec269e74696582449d20dedbbc9a

SHA1
2c1938fcaf61e3be1865645d159910e827850b8e

SHA256
f523be394b9dfc8e7a0aba77e71964a3292c76219a97b59bd560a0f6dd14ef1e

SHA512
1f594f04e3fc60eb31e7f38eeadb718789a7dd4ef8b8c174fe5879952bd057157905a5a1c4eb981803b92a484ffee22110ecccd95be9a8aca397eb5c724f96a7

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
c889ec269e74696582449d20dedbbc9a

SHA1
2c1938fcaf61e3be1865645d159910e827850b8e

SHA256
f523be394b9dfc8e7a0aba77e71964a3292c76219a97b59bd560a0f6dd14ef1e

SHA512
1f594f04e3fc60eb31e7f38eeadb718789a7dd4ef8b8c174fe5879952bd057157905a5a1c4eb981803b92a484ffee22110ecccd95be9a8aca397eb5c724f96a7

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
c889ec269e74696582449d20dedbbc9a

SHA1
2c1938fcaf61e3be1865645d159910e827850b8e

SHA256
f523be394b9dfc8e7a0aba77e71964a3292c76219a97b59bd560a0f6dd14ef1e

SHA512
1f594f04e3fc60eb31e7f38eeadb718789a7dd4ef8b8c174fe5879952bd057157905a5a1c4eb981803b92a484ffee22110ecccd95be9a8aca397eb5c724f96a7

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
c889ec269e74696582449d20dedbbc9a

SHA1
2c1938fcaf61e3be1865645d159910e827850b8e

SHA256
f523be394b9dfc8e7a0aba77e71964a3292c76219a97b59bd560a0f6dd14ef1e

SHA512
1f594f04e3fc60eb31e7f38eeadb718789a7dd4ef8b8c174fe5879952bd057157905a5a1c4eb981803b92a484ffee22110ecccd95be9a8aca397eb5c724f96a7

Download Submit
memory/968-84-0x0000000003370000-0x0000000003A95000-memory.dmp

Filesize
7.1MB

Download
memory/968-62-0x0000000001CD0000-0x0000000001F41000-memory.dmp

Filesize
2.4MB

Download
memory/968-77-0x0000000003AA0000-0x0000000003BE0000-memory.dmp

Filesize
1.2MB

Download
memory/968-72-0x0000000003C50000-0x0000000003D90000-memory.dmp

Filesize
1.2MB

Download
memory/968-70-0x0000000003AA0000-0x0000000003BE0000-memory.dmp

Filesize
1.2MB

Download
memory/968-71-0x0000000003AA0000-0x0000000003BE0000-memory.dmp

Filesize
1.2MB

Download
memory/968-69-0x0000000003370000-0x0000000003A95000-memory.dmp

Filesize
7.1MB

Download
memory/968-67-0x0000000003370000-0x0000000003A95000-memory.dmp

Filesize
7.1MB

Download
memory/968-66-0x0000000003370000-0x0000000003A95000-memory.dmp

Filesize
7.1MB

Download
memory/968-65-0x0000000001CD0000-0x0000000001F41000-memory.dmp

Filesize
2.4MB

Download
memory/968-64-0x0000000001CD0000-0x0000000001F41000-memory.dmp

Filesize
2.4MB

Download
memory/968-75-0x0000000003C50000-0x0000000003D90000-memory.dmp

Filesize
1.2MB

Download
memory/968-55-0x0000000000000000-mapping.dmp

Download
memory/968-76-0x0000000003AA0000-0x0000000003BE0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-81-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1032-83-0x0000000002080000-0x00000000022AA000-memory.dmp

Filesize
2.2MB

Download
memory/1032-82-0x0000000000230000-0x0000000000449000-memory.dmp

Filesize
2.1MB

Download
memory/1032-80-0x00000000022B0000-0x00000000023F0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-79-0x00000000022B0000-0x00000000023F0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-73-0x0000000000230000-0x0000000000449000-memory.dmp

Filesize
2.1MB

Download
memory/1032-78-0x00000000FFFB3CEC-mapping.dmp

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1096-102-0x0000000002550000-0x0000000002C75000-memory.dmp

Filesize
7.1MB

Download
memory/1096-101-0x0000000002550000-0x0000000002C75000-memory.dmp

Filesize
7.1MB

Download
memory/1096-129-0x0000000002550000-0x0000000002C75000-memory.dmp

Filesize
7.1MB

Download
memory/1096-128-0x00000000022B0000-0x0000000002521000-memory.dmp

Filesize
2.4MB

Download
memory/1096-104-0x0000000002550000-0x0000000002C75000-memory.dmp

Filesize
7.1MB

Download
memory/1096-87-0x00000000022B0000-0x0000000002521000-memory.dmp

Filesize
2.4MB

Download
memory/1096-89-0x00000000022B0000-0x0000000002521000-memory.dmp

Filesize
2.4MB

Download
memory/1180-117-0x0000000002730000-0x0000000002E55000-memory.dmp

Filesize
7.1MB

Download
memory/1180-121-0x0000000001C40000-0x0000000001EB1000-memory.dmp

Filesize
2.4MB

Download
memory/1180-122-0x0000000002730000-0x0000000002E55000-memory.dmp

Filesize
7.1MB

Download
memory/1180-120-0x0000000002730000-0x0000000002E55000-memory.dmp

Filesize
7.1MB

Download
memory/1180-118-0x0000000002730000-0x0000000002E55000-memory.dmp

Filesize
7.1MB

Download
memory/1180-108-0x0000000000000000-mapping.dmp

Download
memory/1180-115-0x0000000001C40000-0x0000000001EB1000-memory.dmp

Filesize
2.4MB

Download
memory/1180-114-0x0000000001C40000-0x0000000001EB1000-memory.dmp

Filesize
2.4MB

Download
memory/1264-127-0x0000000000000000-mapping.dmp

Download
memory/1372-63-0x0000000000000000-mapping.dmp

Download