danabot | ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549

Analysis

max time kernel
129s
max time network
145s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe
Size

3.6MB
MD5

2d5452372ed89a637202f5c4311d6b83
SHA1

70f812ddb79efec13fb89c30d29ac9abbc17d623
SHA256

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549
SHA512

4ad38958af05f101fa07c90a78857af24f641e299315d039596af0c4669095ba68838b0f5a2ba78bf070e143ada84b2a82e25ba004791ee696d9491470bbaba7
SSDEEP

49152:zjvWrU4VyUHA3iRYoySMbSsigAh14tKS2lw4I0LGAEJxQGV3O:3wU4VyUHpRYoESsigAlyG

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
441E5BED90741C6DFD4FEF6E2A308D47
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

3 328 rundll32.exe
5 328 rundll32.exe
9 328 rundll32.exe

flow	pid	process
3	328	rundll32.exe
5	328	rundll32.exe
9	328	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CourierStd-BoldOblique\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\CourierStd-BoldOblique.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CourierStd-BoldOblique\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exesvchost.exe

pid process

328 rundll32.exe
328 rundll32.exe
328 rundll32.exe
328 rundll32.exe
288 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 328 set thread context of 1000 328 rundll32.exe rundll32.exe

pid	process
328	rundll32.exe
328	rundll32.exe
328	rundll32.exe
328	rundll32.exe
288	svchost.exe

description	pid	process	target process
PID 328 set thread context of 1000	328	rundll32.exe	rundll32.exe

Drops file in Program Files directory 32 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\submission_history.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Accessibility.api	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\vdk150.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CP1257.TXT	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\MyriadPro-BoldIt.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AdobePiStd.otf	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\drvDX9.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\BIB.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\airappinstaller.exe	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Spelling.api	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\icudt36.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\BIBUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\VDK10.STP	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\DWTRIG20.EXE	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\nppdf32.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

840 1080 WerFault.exe ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

pid	pid_target	process	target process
840	1080	WerFault.exe	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 328 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1000 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	328	rundll32.exe

pid	process
1000	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exerundll32.exe

description	pid	process	target process
PID 1080 wrote to memory of 328	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1080 wrote to memory of 328	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1080 wrote to memory of 328	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1080 wrote to memory of 328	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1080 wrote to memory of 328	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1080 wrote to memory of 328	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1080 wrote to memory of 328	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	rundll32.exe
PID 1080 wrote to memory of 840	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 1080 wrote to memory of 840	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 1080 wrote to memory of 840	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 1080 wrote to memory of 840	1080	ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe	WerFault.exe
PID 328 wrote to memory of 1000	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 1000	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 1000	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 1000	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 1000	328	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe
"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20224
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1000

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 208
2⤵
- Program crash
PID:840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
PID:288

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft sync framework\v1.0\courierstd-boldoblique.dll",YgReMg==
2⤵
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\AdobeESDGlobalApps.xml

Filesize
279B

MD5
08a872b713c4f7f847de6f9c1d7d3457

SHA1
d819edc8b277f736d4a8c71c4986955b66ebf820

SHA256
13f545fe6bb8251d84518c8261df0bae28f8dbab3ecd3ebd25a89c7da5a75e54

SHA512
1555355aa76bae5dada97e66483767dd8fa1e7047646bef3553c5720ee0390660c313a27559ec3571dcc3d3c4ffdde4c91346591abbca22257206277ff589c0a

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

Filesize
2.3MB

MD5
ec6b65facf9337606521a1ba1f4e83b1

SHA1
9f9e7d63fe11d6839be435f4a1e8035a59946e71

SHA256
fbeb91f0f2898adc827a0a42c6089a1845294be224e69e04169497d46ba7651a

SHA512
e5d23f6cbdd0a590532e31789264b4a0dacf480a47b5b4dad67eff800f2cef824345881c7e08d631bfe52cff6e0019d791c7b28bf2324380b9e3f66c5fde9698

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_CValidator.H1D

Filesize
11KB

MD5
02ecb08e05bbd6fc17c3a5dcf53957ce

SHA1
6ed9a6936071eb90ece53f4eded8d5544704306e

SHA256
e088a33f93b425b768ae3a6341d99ecdb118329a00d7e04f92c673b91c5ace89

SHA512
fdfc65878a4271b1bab12dd290a975be0b207d880afe2543ffe42c1873c3175f2256e64cf7a239a921dd46e14b91b96d7fbe62be96b836f0c61044f4e4236c53

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
a0d29da03fdb4614faf7b35f0be73131

SHA1
d3fd5834ac69dbaec848ca412c9c59c5a3e527ff

SHA256
831264ec6d831611eede23f12a689c126b91e07098b62039a22366d7a5f7c3cc

SHA512
9b36bc2f2f3133345e046b974901bd96c968f87e8d937ce81d962cfa606e69464c8d7e9e752585050520a9875f2b05b3702450f5460db93642327e89c9616a3f

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MTOC_help.H1H

Filesize
531KB

MD5
70a8954491b0490ac132577d6e021029

SHA1
3b17404ebcc80f0921accdce983aba3d61fbae3f

SHA256
076deb93c9daf262e90d7944c54c8abc621ecfdd63563bb794e5c82721280579

SHA512
e205fba7f7f2ce82b28d5f4137433628c5f8ec4d8b47a7b8d0ee098c40eb6658e0e5f4004985fae6493a503d2f572d987956d194b76b3676f685f265a3812f2a

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MValidator.Lck

Filesize
4B

MD5
b485167c5b0e59d47009a16f90fe2659

SHA1
891ebccd5baa32daed16fb5a0825ca7a4464931f

SHA256
db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9

SHA512
665e3fcbd83b7876dd1dc7f34fadd8669debdfab8962bdce3b72b08139a75ef157c4f4c3b90ea9c1f20637bb4f2a29091d9186987d22c7d23428a2e7ccf80bd4

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\INDEX.000

Filesize
240B

MD5
023d87454619d85a090724584853cc2e

SHA1
b110e30707b43c7b56250d763aa9d26b50681078

SHA256
3af0202ed8f8df6099e006dc65dbc1d9cbb289231e15a61deae096761e9c3670

SHA512
dd5ffea28b3fdf22216a426f893d61fef083b55f9d31574e205307b342822e6ab1307396c22f37279f1f33e4fd6536395a0518b8b20392424141e9147dbc70d8

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MAPIR.DLL.trx_dll

Filesize
295KB

MD5
6160f8c93afc05e003587e6ca882fe45

SHA1
0254cbfac12f7d90f2ef4f6310420653c63d7e42

SHA256
229e4cbf919ed25ea98a528867d5869352d9e06cda2fdc295976be6b6987445e

SHA512
15ddd1efc78f28d8072d8eb33e8fb74500978323e8730aef035d6847748c4f70b6c156cec24d2ff40a880eb9b49248c3b04388bc74485366b923bf710b71b56b

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MOR6INT.REST.trx_dll

Filesize
48KB

MD5
b22a432ea8c671f119cf8285d1021671

SHA1
3346593a9adb233233509247b1df059742f6aa3e

SHA256
bfd9148c099dfd9477204806df55034d06c9aacf3a4241ab97c4e4acb0349b17

SHA512
361badcd731f078d1bd64e61709f183e73163a1a09e1ed543e56a9c57b2bd28c930111797692c6be4ce4bea17a5e8283fec6ac27db7bd078047552dc51e5dece

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\VISINTL.DLL.trx_dll

Filesize
477KB

MD5
e65fc0a920e01aaf99b281b726570ea2

SHA1
529ce2fca4eb44d3dd2d4fa7914c51cb00d5687d

SHA256
ea3ecf627216c3a322dbc47c5921276270546a0f687cae02bc0d3254c0fd5c87

SHA512
13e070f7db78a318b1aa40dc0d561c4b92cb95c91ca782c6ce35bbda33fde495a0473c59437d0c8c5105c15c194994b9ad59e28d20699c9841e7437ab169915a

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\background.png

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\directories.acrodata

Filesize
479B

MD5
874cefb76c681117882796730d3edfca

SHA1
49dc3745d5ee5a3328a3f1e08b08d126ea570580

SHA256
75bdd6932cbb98d11710f1c6738f2f00a5439e4c100f9eb4cb7809c730ad8eb6

SHA512
c4ed39dd3857642c1e0949a7cbee674f9a264e911681763f4319b7e23d9fb3887708fffce41d0dd5b3dd7f3408f05be0052c55b0a93668ef26cfa30c160c9d65

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\displayswitch.lnk

Filesize
1KB

MD5
b162ba26a0d11df9e1f5463b514ba776

SHA1
74cb2c98f2b2303e36c85f5eea34f5d6201e3335

SHA256
e9811a91b8de13d57fecd535ff7da6ca9adf8390a5ae0501c8f2fa4aea120517

SHA512
574cb468547de495851fbb6857e4c8e0d3d7784df67237ac06495be514c416ed60695ef807f93a11e33ead304edba451f974601fd8045f952fdf94c889eee07e

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\ppcrlconfig.dll

Filesize
15KB

MD5
9e7d79c6d1c464e17f43dbac83e10208

SHA1
88b3b958b4340650876b233b5b7e4f06ef4decaa

SHA256
2d15906df93e4505cdcc57f4347102d737d837332c1e56920696af4709920e90

SHA512
25359c4fda30bb68fc97f3eaa82da056241766c8a97a201c97e5712225776bb2b59b431534adf9e485f68237e2015e9f4ad55570397c05221c54b45af709c2e4

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\usertile39.bmp

Filesize
48KB

MD5
65bfce337e2c25ad0b890ebe3a1a1a0c

SHA1
4d0c963426990fd6a1332f050c1cd72722409cf2

SHA256
45f0957a66fcb8fba8485a9adc0d65b79a8b4733c616c943bb22bd2d3c218ffa

SHA512
9e9299e90c91ccb009e82e7e9d8d9f67c103b6c2972a9d9d85e7a185e6c60f7eda9d53e6dbcbab31c4bc0dccf00e486c6bb2dcd412f06e34198c167d32e1c677

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
2509ce535012c3369025c465cd0ce8d3

SHA1
689d0fd00ef209dceacf13a6cb8c44b0307f3354

SHA256
1c983968980bf6018c7149ee7b56d5ccfa6566bd60c514c872ee14a1aaaad2d9

SHA512
dd887df5972521c87e0999aa6bfa27ac8c510c14b14aba7f9d66503a0d5c4971ca09a66ab7f1ea8c3d6847d59a1ba6237284ba4e36c7ed2519407442f453d7c9

Download Submit
\??\c:\program files (x86)\microsoft sync framework\v1.0\courierstd-boldoblique.dll

Filesize
2.4MB

MD5
eea4a32ae17ab95ec1512168aea4ee49

SHA1
9d4a325d67300b81d943c329c40915b2496ecaa8

SHA256
750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf

SHA512
227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll

Filesize
2.4MB

MD5
eea4a32ae17ab95ec1512168aea4ee49

SHA1
9d4a325d67300b81d943c329c40915b2496ecaa8

SHA256
750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf

SHA512
227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll

Filesize
2.4MB

MD5
eea4a32ae17ab95ec1512168aea4ee49

SHA1
9d4a325d67300b81d943c329c40915b2496ecaa8

SHA256
750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf

SHA512
227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll

Filesize
2.4MB

MD5
eea4a32ae17ab95ec1512168aea4ee49

SHA1
9d4a325d67300b81d943c329c40915b2496ecaa8

SHA256
750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf

SHA512
227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll

Filesize
2.4MB

MD5
eea4a32ae17ab95ec1512168aea4ee49

SHA1
9d4a325d67300b81d943c329c40915b2496ecaa8

SHA256
750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf

SHA512
227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

Download Submit
\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll

Filesize
2.4MB

MD5
eea4a32ae17ab95ec1512168aea4ee49

SHA1
9d4a325d67300b81d943c329c40915b2496ecaa8

SHA256
750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf

SHA512
227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
2509ce535012c3369025c465cd0ce8d3

SHA1
689d0fd00ef209dceacf13a6cb8c44b0307f3354

SHA256
1c983968980bf6018c7149ee7b56d5ccfa6566bd60c514c872ee14a1aaaad2d9

SHA512
dd887df5972521c87e0999aa6bfa27ac8c510c14b14aba7f9d66503a0d5c4971ca09a66ab7f1ea8c3d6847d59a1ba6237284ba4e36c7ed2519407442f453d7c9

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
2509ce535012c3369025c465cd0ce8d3

SHA1
689d0fd00ef209dceacf13a6cb8c44b0307f3354

SHA256
1c983968980bf6018c7149ee7b56d5ccfa6566bd60c514c872ee14a1aaaad2d9

SHA512
dd887df5972521c87e0999aa6bfa27ac8c510c14b14aba7f9d66503a0d5c4971ca09a66ab7f1ea8c3d6847d59a1ba6237284ba4e36c7ed2519407442f453d7c9

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
2509ce535012c3369025c465cd0ce8d3

SHA1
689d0fd00ef209dceacf13a6cb8c44b0307f3354

SHA256
1c983968980bf6018c7149ee7b56d5ccfa6566bd60c514c872ee14a1aaaad2d9

SHA512
dd887df5972521c87e0999aa6bfa27ac8c510c14b14aba7f9d66503a0d5c4971ca09a66ab7f1ea8c3d6847d59a1ba6237284ba4e36c7ed2519407442f453d7c9

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
2509ce535012c3369025c465cd0ce8d3

SHA1
689d0fd00ef209dceacf13a6cb8c44b0307f3354

SHA256
1c983968980bf6018c7149ee7b56d5ccfa6566bd60c514c872ee14a1aaaad2d9

SHA512
dd887df5972521c87e0999aa6bfa27ac8c510c14b14aba7f9d66503a0d5c4971ca09a66ab7f1ea8c3d6847d59a1ba6237284ba4e36c7ed2519407442f453d7c9

Download Submit
memory/288-92-0x0000000002180000-0x00000000023F1000-memory.dmp

Filesize
2.4MB

Download
memory/288-135-0x0000000002700000-0x0000000002E25000-memory.dmp

Filesize
7.1MB

Download
memory/288-113-0x0000000002700000-0x0000000002E25000-memory.dmp

Filesize
7.1MB

Download
memory/288-90-0x0000000002180000-0x00000000023F1000-memory.dmp

Filesize
2.4MB

Download
memory/288-111-0x0000000002700000-0x0000000002E25000-memory.dmp

Filesize
7.1MB

Download
memory/288-109-0x0000000002700000-0x0000000002E25000-memory.dmp

Filesize
7.1MB

Download
memory/288-108-0x0000000002700000-0x0000000002E25000-memory.dmp

Filesize
7.1MB

Download
memory/288-134-0x0000000002180000-0x00000000023F1000-memory.dmp

Filesize
2.4MB

Download
memory/328-73-0x0000000003B80000-0x0000000003CC0000-memory.dmp

Filesize
1.2MB

Download
memory/328-87-0x0000000003450000-0x0000000003B75000-memory.dmp

Filesize
7.1MB

Download
memory/328-66-0x0000000003450000-0x0000000003B75000-memory.dmp

Filesize
7.1MB

Download
memory/328-65-0x0000000000B50000-0x0000000000DC1000-memory.dmp

Filesize
2.4MB

Download
memory/328-64-0x0000000000B50000-0x0000000000DC1000-memory.dmp

Filesize
2.4MB

Download
memory/328-69-0x0000000003450000-0x0000000003B75000-memory.dmp

Filesize
7.1MB

Download
memory/328-63-0x0000000000B50000-0x0000000000DC1000-memory.dmp

Filesize
2.4MB

Download
memory/328-67-0x0000000003450000-0x0000000003B75000-memory.dmp

Filesize
7.1MB

Download
memory/328-70-0x0000000003450000-0x0000000003B75000-memory.dmp

Filesize
7.1MB

Download
memory/328-79-0x0000000003B80000-0x0000000003CC0000-memory.dmp

Filesize
1.2MB

Download
memory/328-55-0x0000000000000000-mapping.dmp

Download
memory/328-72-0x0000000003B80000-0x0000000003CC0000-memory.dmp

Filesize
1.2MB

Download
memory/328-75-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/328-93-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

Filesize
184KB

Download
memory/328-78-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/328-80-0x0000000003B80000-0x0000000003CC0000-memory.dmp

Filesize
1.2MB

Download
memory/840-58-0x0000000000000000-mapping.dmp

Download
memory/1000-82-0x0000000001D70000-0x0000000001EB0000-memory.dmp

Filesize
1.2MB

Download
memory/1000-84-0x000007FEFB691000-0x000007FEFB693000-memory.dmp

Filesize
8KB

Download
memory/1000-83-0x0000000001D70000-0x0000000001EB0000-memory.dmp

Filesize
1.2MB

Download
memory/1000-76-0x0000000000290000-0x00000000004A9000-memory.dmp

Filesize
2.1MB

Download
memory/1000-86-0x0000000001FD0000-0x00000000021FA000-memory.dmp

Filesize
2.2MB

Download
memory/1000-85-0x0000000000290000-0x00000000004A9000-memory.dmp

Filesize
2.1MB

Download
memory/1000-81-0x00000000FF1C3CEC-mapping.dmp

Download
memory/1052-121-0x0000000000930000-0x0000000000BA1000-memory.dmp

Filesize
2.4MB

Download
memory/1052-125-0x00000000025E0000-0x0000000002D05000-memory.dmp

Filesize
7.1MB

Download
memory/1052-128-0x00000000025E0000-0x0000000002D05000-memory.dmp

Filesize
7.1MB

Download
memory/1052-127-0x0000000000930000-0x0000000000BA1000-memory.dmp

Filesize
2.4MB

Download
memory/1052-126-0x00000000025E0000-0x0000000002D05000-memory.dmp

Filesize
7.1MB

Download
memory/1052-123-0x00000000025E0000-0x0000000002D05000-memory.dmp

Filesize
7.1MB

Download
memory/1052-114-0x0000000000000000-mapping.dmp

Download
memory/1052-122-0x00000000025E0000-0x0000000002D05000-memory.dmp

Filesize
7.1MB

Download
memory/1052-120-0x0000000000930000-0x0000000000BA1000-memory.dmp

Filesize
2.4MB

Download
memory/1080-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/1212-133-0x0000000000000000-mapping.dmp

Download