danabot | 5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7

Analysis

max time kernel
126s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20-12-2022 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7.exe
Size

1.1MB
MD5

bc20d690de78a10ef14a6bdcaa1c1005
SHA1

5db5e26825af57337387bd4d87217133e024d397
SHA256

5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7
SHA512

a5dba857447d194035f76c6cd1ce4cc334b620552e033988121aa938c5fb964f8cd0227940505ed310b95e688f22f486f62e4468c36b0bad921b79c6ef230949
SSDEEP

24576:F7qpXq7PdV3kRMRKNZpgdmCCr020z4APZTNOwXBz9ka/s8A:kXSPT2MmZSdmCCr6zhP9NOwX5/0

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

1 2920 rundll32.exe
3 2920 rundll32.exe
12 2920 rundll32.exe

flow	pid	process
1	2920	rundll32.exe
3	2920	rundll32.exe
12	2920	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cef_200_percent\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\cef_200_percent.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cef_200_percent\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2920 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2920 set thread context of 4604 2920 rundll32.exe rundll32.exe

pid	process
2920	rundll32.exe

description	pid	process	target process
PID 2920 set thread context of 4604	2920	rundll32.exe	rundll32.exe

Drops file in Program Files directory 47 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-focus.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icucnv40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\pmd.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Close.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ExtendScript.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adc_logo.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cef_200_percent.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_sent.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LICENSE.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009455db93100054656d7000003a0009000400efbe0c55a7899455db932e00000000000000000000000000000000000000000000000000ba8e0001540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2920 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4604 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2920	rundll32.exe

pid	process
4604	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7.exerundll32.exe

description	pid	process	target process
PID 2208 wrote to memory of 2920	2208	5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7.exe	rundll32.exe
PID 2208 wrote to memory of 2920	2208	5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7.exe	rundll32.exe
PID 2208 wrote to memory of 2920	2208	5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7.exe	rundll32.exe
PID 2920 wrote to memory of 4604	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 4604	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 4604	2920	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7.exe
"C:\Users\Admin\AppData\Local\Temp\5b18b1a015f97f0a10588dc878decc6ce3647775a72fba603faa634991e344a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14153
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2224

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4732

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\cef_200_percent.dll",PhEtUw==
2⤵
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\0__Power_EnergyEstimationEngine.provxml
Filesize
463B

MD5
2cf4ea4d03f8a1f424c2db46789ed2e3

SHA1
50bb43d2589bc86115baac9fcdfcabadeff70c6d

SHA256
41d62ac11f8cc15391010f53a7262df090149355b07021fe648d15c24fb45090

SHA512
c2dd7c30856006f8eec73402284c86ab35c9daf824f81a33aefa1502d881be0a066da75441bdba97236f6bf3586b77d9e244cc94ccfac8e28fba06c61e9b78e6

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\106__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml
Filesize
864B

MD5
b1f7d45f5c1751cba827052d3de46863

SHA1
4da0d22c13a272f668c996dbf8f787b8743cf376

SHA256
0f57b3900ddc2363698c653f8c0be08798420fb8521b714eb97472fa74ed5c1b

SHA512
9b5bf13632e133bf2825d7b2d2442c2872944d299a8b721dd9a8706d21f4d60b9d33dd37f89ebc81ffa37fb778881cd640c06a3092d090599d4607e9b1401f23

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\154__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml
Filesize
715B

MD5
bcfabd458dd39f82c634fafaa3faceea

SHA1
aa03ec80ee33eaa8790d134f947d0e95d9edb167

SHA256
6f4a90ee3559b700984c02c6ed7c8bd57b9894a1869038fed2296bbf432a81d0

SHA512
0b15d30cb385b37b82f7ce19a9b3dfc4ce4433c5e82be14d366525b1da007c4f9c6fb583e8e727a0da400d6c771d03586688e7ac5d71698d3c38447bb979699a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\157__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml
Filesize
644B

MD5
beee98e9af75ae9a66fe47bd48698e16

SHA1
67a172a59e6034b291df083a9d6f26520bb8e311

SHA256
7010392499be8e72321ad4500c4cd3cdad3e59615b7f445f8a2c57f31e8af047

SHA512
6c7e1fa87fc156aa0251c5bc6451996356529f230a859b08153caefbd67017c19d1dc8bed69da4f83506f7442e7b9f03a87578592d778b1b0a470e595e1d5437

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
4ca85d8b34cc59094a3b538122b853b2

SHA1
e6803a2f1f458a41d75920d295120b790317548a

SHA256
202e381d1dd687e16b51a85c3ebc7691b9b16731d3b3d8b148e0701e81137bb4

SHA512
107e801c41cea9f7b597f675c2cdb4f4db7fca3fffa3e90117339824a0428af67a332a198c4a60e52ce35c3f8d6bbbe3fdb7c45443124fc65ee310af9785d5c6

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MasterDatastore.xml
Filesize
271B

MD5
d6650e3886f3c95fb42d4f0762b04173

SHA1
1da4b8bb6bb45d576616ad843cf6e4c2e9d4784b

SHA256
9101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9

SHA512
1f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\RunTime.xml
Filesize
251B

MD5
585e0da2ec87617422335cce20b25a3c

SHA1
1532c38218dbea8af9c2dde70c2f9dd1f51e96d2

SHA256
4fedaaf9a06af2a055bb68ccc3d81a6ba0de24c0d6a302ca713b4571d17eb5e6

SHA512
dcbc187fb097b74b3ccfefa7cfd8ce270bdfdfff94e86108799a329a82a015ce5711eb3f80b5880b32f680ac83c017e8503bee673d90ea52fbd74c3bff8fddc5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\scan_.ico
Filesize
59KB

MD5
a161b3f9fd62c3931fbd79512810cffa

SHA1
a63f1d8945b983356b66819b3aa5b0bd409995e4

SHA256
d3ba9eecc5e87b384242385078846cff82051194887ce2d7343bb7b60e7a26d7

SHA512
f07776d386a39b20e3721b7450248e458ecd6f477197028aa42e2ab6a2731a002170a5415fb02fadac40b1b97acee3b5064ff76606ba2bcc14f7e7b674524299

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\cef_200_percent.dll
Filesize
797KB

MD5
6ef4936326289c60b94f43b59759f060

SHA1
1f5b3502effcb3fc0ff9a0e3d5a0ef7fedf5b61e

SHA256
6d6bc6165c05d84b80712ce4db7765b970dfc9da4e37c33e87b9e67fe662ba1c

SHA512
75332f02031d86a6d1a5857ab559d9ade9691ccaee0c54bf9de9f6bc89910eb3c22b1887d0d222b76e2ad7320ff525e2162dce386fba8e70f6f4ae0a8fc2b9a4

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\cef_200_percent.dll
Filesize
797KB

MD5
6ef4936326289c60b94f43b59759f060

SHA1
1f5b3502effcb3fc0ff9a0e3d5a0ef7fedf5b61e

SHA256
6d6bc6165c05d84b80712ce4db7765b970dfc9da4e37c33e87b9e67fe662ba1c

SHA512
75332f02031d86a6d1a5857ab559d9ade9691ccaee0c54bf9de9f6bc89910eb3c22b1887d0d222b76e2ad7320ff525e2162dce386fba8e70f6f4ae0a8fc2b9a4

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\cef_200_percent.dll
Filesize
797KB

MD5
6ef4936326289c60b94f43b59759f060

SHA1
1f5b3502effcb3fc0ff9a0e3d5a0ef7fedf5b61e

SHA256
6d6bc6165c05d84b80712ce4db7765b970dfc9da4e37c33e87b9e67fe662ba1c

SHA512
75332f02031d86a6d1a5857ab559d9ade9691ccaee0c54bf9de9f6bc89910eb3c22b1887d0d222b76e2ad7320ff525e2162dce386fba8e70f6f4ae0a8fc2b9a4

Download Submit
\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
memory/536-382-0x0000000000000000-mapping.dmp

Download
memory/536-456-0x0000000006AE0000-0x0000000007205000-memory.dmp

Filesize
7.1MB

Download
memory/536-468-0x0000000006AE0000-0x0000000007205000-memory.dmp

Filesize
7.1MB

Download
memory/2208-144-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-160-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-139-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-140-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-142-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-141-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-143-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-120-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-145-0x00000000006F0000-0x00000000007E4000-memory.dmp

Filesize
976KB

Download
memory/2208-146-0x0000000002350000-0x0000000002480000-memory.dmp

Filesize
1.2MB

Download
memory/2208-147-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2208-148-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-149-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-150-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-151-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-152-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-153-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-154-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-155-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-156-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-157-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-158-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-159-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-137-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-161-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-162-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-163-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-164-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-136-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-135-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-121-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-122-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-123-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-124-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-125-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-126-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-128-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-129-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-130-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-138-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-131-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-132-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-133-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-168-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2208-134-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2224-470-0x0000000000000000-mapping.dmp

Download
memory/2908-488-0x0000000000000000-mapping.dmp

Download
memory/2920-180-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-173-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-186-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-187-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-188-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-189-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-184-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-165-0x0000000000000000-mapping.dmp

Download
memory/2920-267-0x00000000068B0000-0x0000000006FD5000-memory.dmp

Filesize
7.1MB

Download
memory/2920-169-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-170-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-171-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-283-0x00000000068B0000-0x0000000006FD5000-memory.dmp

Filesize
7.1MB

Download
memory/2920-166-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-167-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-185-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-172-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-174-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-177-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-182-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-183-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-181-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-179-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-178-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-176-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-175-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/4604-282-0x000001CD0E250000-0x000001CD0E47A000-memory.dmp

Filesize
2.2MB

Download
memory/4604-281-0x0000000000E90000-0x00000000010A9000-memory.dmp

Filesize
2.1MB

Download
memory/4604-276-0x00007FF60FBA5FD0-mapping.dmp

Download
memory/4732-363-0x0000000005570000-0x0000000005C95000-memory.dmp

Filesize
7.1MB

Download
memory/4732-506-0x0000000005570000-0x0000000005C95000-memory.dmp

Filesize
7.1MB

Download