Malware Analysis Report

2025-05-05 21:44

Sample ID 221220-rvl81saa35
Target ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549
SHA256 ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549
Tags
danabot banker trojan discovery persistence
Score
10/10

Analysis Overview

Score
10/10

SHA256

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549

Threat Level: Known bad

The file ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549 was found to be: Known bad.

Malicious Activity Summary

danabot banker trojan discovery persistence

Danabot

Danabot family

Blocklisted process makes network request

Sets service image path in registry

Sets DLL path for service in the registry

Loads dropped DLL

Drops desktop.ini file(s)

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 14:30

Signatures

Danabot family

danabot

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-20 14:30

Reported

2022-12-20 14:33

Platform

win10v2004-20220812-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4956 set thread context of 4312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 496

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20223

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 123.253.35.251:443 tcp
N/A 40.125.122.151:443 tcp
N/A 66.85.173.3:443 tcp
N/A 13.69.239.72:443 tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:1312 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 7f626c8031509f0139c9681d5c93b9e6
SHA1 d063f670cf869ac576dc56f468a6d60a8ccf10a2
SHA256 a49ff803e4a69069f4a8ed446a23b1fe61bc0546d36a5f8101aa1b4c723383e1
SHA512 68e247910d0a3b0b85824aaa12d7203493f27159bd71bd2e498a49d714a63e616172fbd79d324b85e9c2542429880d8973e38b1ba9f3c350141a79f4e8065065

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 14:30

Reported

2022-12-20 14:33

Platform

win7-20220901-en

Max time kernel

121s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SY______\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\SY______.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SY______\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 968 set thread context of 1032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CP1253.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\brt32.clx C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\UKRAINE.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\drvDX8.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\DWTRIG20.EXE C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\MTEXTRA.TTF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\A3DUtility.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\license.html C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\VDK10.SYX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\brt55.ths C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CENTEURO.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\drvSOFT.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AXSLE.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\JP2KLib.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\ReadMe.htm C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 1064 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 1064 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 1064 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 1064 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 1064 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 1064 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 1064 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\WerFault.exe
PID 1064 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\WerFault.exe
PID 1064 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\WerFault.exe
PID 1064 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\WerFault.exe
PID 968 wrote to memory of 1032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 968 wrote to memory of 1032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 968 wrote to memory of 1032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 968 wrote to memory of 1032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 968 wrote to memory of 1032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 208

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20224

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft sync framework\v1.0\sy______.dll",f0Q7STRRUQ==

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:20224 tcp
N/A 127.0.0.1:1312 tcp
N/A 23.236.181.126:443 tcp
N/A 127.0.0.1:20224 tcp
N/A 44.96.43.94:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 c889ec269e74696582449d20dedbbc9a
SHA1 2c1938fcaf61e3be1865645d159910e827850b8e
SHA256 f523be394b9dfc8e7a0aba77e71964a3292c76219a97b59bd560a0f6dd14ef1e
SHA512 1f594f04e3fc60eb31e7f38eeadb718789a7dd4ef8b8c174fe5879952bd057157905a5a1c4eb981803b92a484ffee22110ecccd95be9a8aca397eb5c724f96a7

\??\c:\program files (x86)\microsoft sync framework\v1.0\sy______.dll

MD5 b54e57b5158cb76e5a1f5ee46f29f7f4
SHA1 482882b104f7ce86642ce5e4eea5005ca0d3cd2d
SHA256 2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c
SHA512 4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

\Program Files (x86)\Microsoft Sync Framework\v1.0\SY______.dll

MD5 b54e57b5158cb76e5a1f5ee46f29f7f4
SHA1 482882b104f7ce86642ce5e4eea5005ca0d3cd2d
SHA256 2872caf8631265cd942c47ef083b947a7592d93fa9f3bea012f6797df6efe35c
SHA512 4c583a16aa143d7db9c23d33c5d7645bd9e92a0d6a50fc6860f0d52e5b5cf5f23f58fadfc186d618074c21c7ef0b54df09e2636bf1da71233f6222a553ca994c

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\background.png

MD5 9adaf3a844ce0ce36bfed07fa2d7ef66
SHA1 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256 d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512 e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

MD5 5dfc58d07c91a283b23533b0e16507e0
SHA1 1d676639bc43d2a5ab3c2c029de956017c9c0579
SHA256 20c60035ef56520689d5403950def07449b2a037583f994c93cffe69243f186f
SHA512 8748376326a3aa158a6afbffd1c2d3285c385b86e97187296f0828109008fee4c9daca10120c802db92b73e4328e19fe2af5ef21d2aa6250e06260c864640e4c

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MKWD_AssetId.H1W

MD5 e0bbbc43fada1cb3a1e4ed3aa1280ec7
SHA1 d1d8e0dc3123e3c9b53befe742e8e102ca4bf56c
SHA256 03114b5cdbfb0692a71385c08eea9be49822656f9845ec654a0c6f5240df04ed
SHA512 e7acacbab46c1b69ca2f86a9ef393fa1fbd8870dd1555d1f374d230df357a90fd4953ed89d66b5a634f852a996653428fbb6368335bb3ab18e5cb84555335aec

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\VISINTL.DLL.trx_dll

MD5 13097a116f09601935ab89fdbb604402
SHA1 6da82026200b90dde4dd61359cf559e2c3c77863
SHA256 bc65e3c6f0ca6ffffcf885836f3b9372a8774c47c2bd260158619804cd8b8c5f
SHA512 ff60810d07c76badb62fa074d49addd40ab8fb936c4c2a24bf2d1a78f0e9395bbc4de19e5aa4d8e7e5d0234ec3dbc6cd49788f83fa94e1bdf9d933c8d4ab19fd

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MTOC_help.H1H

MD5 aa7cd98925d3360470d9ad55d17d0cad
SHA1 46c0bf202c8edc55e958a072cc0ddf24bd5cbb69
SHA256 7db90dc486a9b61cc88344f87ed9db717ffcc946cb94399a093e7f45607ecf3b
SHA512 726590cde89a1706f3130ed178b1dffedc98003b502d73af588e8e72cc8ef58fdc1012790966254283ccd0f691af06cdfb8b8cbc39de74cf7bdd147a7490b689

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Desktop.ini

MD5 6ce9bf045d627596d601b3f3794c7fe0
SHA1 c512e26a135a199e276c2a75cdb2651b55d61e8a
SHA256 d9de8d9582912455294bd1f34618fde6b366e4d31b003078c85eb4401b99cfdd
SHA512 08cc7b04e458144ee1b55a3c42b7a1d4f6eb4d9c68b22da2375247e03ed1e599203d27f9cf27e0fdc57f6e28b8eb307cccb2e2126ab7414c36355477089b81f6

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\folder.ico

MD5 bbf9dbdc079c0cd95f78d728aa3912d4
SHA1 051f76cc8c6520768bac9559bb329abeebd70d7c
SHA256 bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2
SHA512 af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\print_queue.ico

MD5 0f3c6d90637f0fdc57b1d303cf8d76cd
SHA1 91cef4325b363b31e4555302a70321a2110b51cf
SHA256 4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261
SHA512 6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\overlay.png

MD5 1f93b502e78190a2f496c2d9558e069d
SHA1 6ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA256 5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512 cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\superbar.png

MD5 45b3b7ada6575d1623bd52d029d7cf96
SHA1 ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4
SHA256 0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca
SHA512 c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Mobility Center.lnk

MD5 ba40e2f08ca68f25103da982c8c83e9e
SHA1 fc31171eb5edf879c9690f2fe022add29ea92246
SHA256 53da45e07b8c6517a37a11f24c7d670d9cfa69ee581940b211b4ce7bcd5ed92a
SHA512 0a1cbeaf53760b85f9c3be4054ef7a11aad6d66756b4c04255ab0b71786b9b88bae8d9f555064f8e7285654c7ba00b97cdb53cd16123ea81c8645afd89d3c6d2

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\ppcrlui.dll

MD5 046a9363a58f8c4105e5871a514b63cc
SHA1 2656816adb38ea616506b8b5f7db49e53a3ba28c
SHA256 c1f80d9e281441239c5f40d8ae18a867b2d517385d16fd05c122a0b2716cba56
SHA512 0d12c72d6f7cd9652afdde3e9e10e678c31e11a5f37991d5c7e73617f361d7636b76e8579ec7c8e32caa5d35271224dc182833378b9d63f90b6019a1aefa160c

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml

MD5 0e190f6bbc7898c31d4eae77c6abebfe
SHA1 fb6673c8116b650f0536d56be09eb188d7bdc930
SHA256 f7f461d92f4a45d1232e7e5ad76cffbbb7b83abd69df864387c757051494d118
SHA512 faaf0699ddb7e4e152afaf54bed0794c9e816cb762454c277f5d52acf88a44535cc3a44797c73393fc50db8afe2566bcaf9a4f93d945c6b0b3d8458d16ae5312

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_CValidator.H1D

MD5 78f3883f7874696dcd58786ee1d13bea
SHA1 8162c11cbe06fd3106707c3a8bbc284cb4229ab1
SHA256 8aa4719ed70a2f56d42a40943325093c09fc3cdd265dae176fa9e3905d7fed3d
SHA512 4913ed573bafcc9b4e9e8b43cbf91b18a1e2c0c9451ab1ef2a1b64f1c6f994fa17eb13f9e9885fcc1b450cd0122273f255bc6d8e8101514877ce2f217b01343b

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MySharePoints.ico

MD5 1f24dae5e9da4d6e021683d7d03fb528
SHA1 c986d8e34f84c7b2e931a7ff61eb307ef8789f0d
SHA256 241b42c7911a7c36ae89c45366397384f91145fe39308352f0242c357505e06b
SHA512 b1e6e9d4e2ff4cd1b452de1ae14b40e436cc82f22251cbc87788742145000d650b522544bba9085ba36f5cab43d9e4481a7b8ef46acb280da6bd83ab0441b58d

\Program Files\Mozilla Firefox\firefox.exe

MD5 d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1 124d3c2ba93644ac6c2d7253de242b46be836692
SHA256 8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512 f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
