danabot | ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13

Analysis

max time kernel
128s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21-12-2022 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13.exe
Size

1.1MB
MD5

4f8f0cab806928b5c4985da540a0040e
SHA1

ab7d7eef9e748e0fb0dae857dfb9e730b745fbfd
SHA256

ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13
SHA512

959b03e140c2af071841ba96dc9e194d78f31be019cb1f5909695bcca6fc110e0dab4047f3cc87cd17fc96834b51254e2dd9eef83e7ff696b6e3be9b60c10d7b
SSDEEP

24576:gaU4S7wNNaWFh8epb3pBe9F1xYbaoIIjX/TjV:gaU4aWzxbAF1waoIuXrjV

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 5116 rundll32.exe
4 5116 rundll32.exe
12 5116 rundll32.exe

flow	pid	process
2	5116	rundll32.exe
4	5116	rundll32.exe
12	5116	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\email_initiator\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\email_initiator.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\email_initiator\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5116 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 5116 set thread context of 4172 5116 rundll32.exe rundll32.exe

pid	process
5116	rundll32.exe

description	pid	process	target process
PID 5116 set thread context of 4172	5116	rundll32.exe	rundll32.exe

Drops file in Program Files directory 40 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOnNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Words.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_distributed.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_received.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\license.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009555d523100054656d7000003a0009000400efbe0c55a7899555d5232e000000000000000000000000000000000000000000000000000d73aa00540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 5116 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4172 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	5116	rundll32.exe

pid	process
4172	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13.exerundll32.exe

description	pid	process	target process
PID 3856 wrote to memory of 5116	3856	ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13.exe	rundll32.exe
PID 3856 wrote to memory of 5116	3856	ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13.exe	rundll32.exe
PID 3856 wrote to memory of 5116	3856	ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13.exe	rundll32.exe
PID 5116 wrote to memory of 4172	5116	rundll32.exe	rundll32.exe
PID 5116 wrote to memory of 4172	5116	rundll32.exe	rundll32.exe
PID 5116 wrote to memory of 4172	5116	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13.exe
"C:\Users\Admin\AppData\Local\Temp\ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14153
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4172

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2164

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3172

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\email_initiator.dll",FgkNMlpHaQ==
2⤵
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\0__Power_Policy.provxml
Filesize
1KB

MD5
fdab2b3426d106210e616103cacf57ba

SHA1
5972f2e5dcecc133ee431ea6fd85271c22e67b3b

SHA256
e5b49aef39aba5f51a3d2724418b8848721b0e5d7459e5e9a3deec161a3ab4b1

SHA512
ec116a9370446129ad7f7c4767c213bc0a75c3bca6d1e7a2d4705f167a841b5af8e3edaad1924090d78870fa328ed773d3e45a2f2037b2c917b79dd68aa47c5e

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\140__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml
Filesize
854B

MD5
33a845790b18c71dedf533782bd55c32

SHA1
5c3b898943b813cf69d768b9a287538074da0715

SHA256
9802e6ef84fbd3713b2b1d078ace2c99b070e2f48746a08fe277f9bce0e6f5cd

SHA512
c2949704915f1963a9805b6f6937fc7926d7629b9c4b854190c97519e7c7bf04b273026b5fcf60c3dfab8b4b44ed3cb740be72f919a841864953aa608129d971

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\156__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml
Filesize
720B

MD5
15264a405422e28335cf9fa2aa24ce68

SHA1
739f3fdd567a12e9f1eab9769b65d4210308b27e

SHA256
0177694efb860024cd9607d8acec6682485f9b28af3a2eed36de179b9b7f1cad

SHA512
a8c8950f1199a3f343407b2194e9635b6188877c7f931e4c380291479f7de41222454d624e154a1cecf988f6c601a9e7f4898ab9b47bc863aeaac05a49009a13

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\159__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml
Filesize
720B

MD5
5ff6e5b0cee3dfab47675b4941267f67

SHA1
180b3dd3e08f42fe5b3516b613e4f5dac8a11798

SHA256
edff4b09159f0e0da2b2451854e735f043fe9ed5092dad3df54272e8fa19c32d

SHA512
f8422da2f779ce1dfe456905757afa2940fb85a42d421fe08ba08f7036f35ec19cf8ffa49f2fb19c788b329de5e35402ed91713f0da66b4d2fbaa82282281b2e

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml
Filesize
149KB

MD5
95fdba87a0835dce3d259c38ed7f9371

SHA1
cb539d0d5cf31d38ec78c1325ea4c1710b8ec89c

SHA256
f84ae8cef222f02e3fc7d05f76eb8bedc767de9310e8674eda522ae7c45bdd64

SHA512
ce0e66eb46fc6c97d1e05258e38fc58272989101c4f99c5e836a9600d2969f4a256c097da8c3ea6a8b7ee0b9471c3b674cdb88ff6281e7b4eb9e7f439465b96b

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml
Filesize
1KB

MD5
c37e4631cac9c6fa2115119130d34fee

SHA1
664383d10910b76f9ab7bcb78a1e8893ca4d70f9

SHA256
cb1e437488402db0a3e03ca37dd6ef28d4fac99030caa31a17951d06ede7d4db

SHA512
d27d93122f2d372b4c0b5e8a7e51383a761e7cc94d78e9b64bbbc9ff847d72a6bc2b0e6ed948be194d02ad034b4cc6e0f0eb3448f0a3227374888f7e0725adaf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
b766680df362d4639416ae8dccf7c943

SHA1
bf89a9960e5cf4cec2d94d2220d5214f819bb77f

SHA256
5f79d23dea65b80332c592677fd22e84a4b15fcf34d10adee338383250e9b9ff

SHA512
7fc982621c60476e4c799fe6077eed9287e7b2ee954363e0f0c8ccfb034644c2193958d3d7dcdf13a987274aa6a5960d526b5c4851ec46d13b3853c02bd61262

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MasterDatastore.xml
Filesize
271B

MD5
d6650e3886f3c95fb42d4f0762b04173

SHA1
1da4b8bb6bb45d576616ad843cf6e4c2e9d4784b

SHA256
9101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9

SHA512
1f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\RunTime.xml
Filesize
428B

MD5
1cd8a1ae48901b241427c28416e641b2

SHA1
1a058ec2a0714873bd787b092eadd8013dfd981f

SHA256
826fa3b4eae31841415527648cb192f50e753b8d31572748536116a5bd5c7a92

SHA512
5c0422c5cfebc199b34ce93c8b7f0238008fdcaedf928636e256c456e126ae7c1f59764b7f84275b9f8fee6430d5fc2225f79cef746166108842f1d312e2b5b3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\behavior.xml
Filesize
1KB

MD5
6c23b0f54e5c427ff8f3db170b62616f

SHA1
44f1d0f71cbab0e05d9a563bf9e92759898ca4e9

SHA256
7cfdc107f1bc076ca39ee36960bbb1d64a6c9faac9ba73a106f6e85224da4a1b

SHA512
f511e1aa2f7dcac52ad5452ef8e9e403a77b55a6e9c7bf8248db00e85cee61f1e28ebe6470084a1f22cf64664b8a9ec84975afda1e26e348b4948de4583313a6

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\customizations.xml
Filesize
2KB

MD5
923094628f5beb49bfd4ef7e88e396a1

SHA1
6c618d7d58eab9ea4d442d269596205fd0199277

SHA256
1271cfef64de7d7aa1eb7524b91e426d5cb9afe8abfb05fcd33ab2f466082b0b

SHA512
575fa16f7a1d87fea9df41201a2d6221997a29ed5f7c91fe8e468e01096088e10febfa7e89c27c98e8511e1b11864d6a22b540bfc1e1ffaf2acd328f996c25df

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\device.png
Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\ppcrlconfig600.dll
Filesize
24KB

MD5
69c7c4319ba97a38d0e31191b30519d2

SHA1
ad275efa3b2a38c015185fcd2eac895832edeee6

SHA256
9e82f05bf8eddec7bb449021960ef85ff7aa917e11afa0d2e4596dd24405744b

SHA512
e1af3021d172c37548ad1e944620012f8d901624d78fe1100c6a6c895b9bdf904af27026ef21474e0d56f55afe8212c4081a4a43e58cf80d45e36b6a87fa9004

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\print_pref.ico
Filesize
56KB

MD5
a52a082f2b18811deaf3138d27c57af8

SHA1
317bf685e50de705818bff26f032e7f593830509

SHA256
6b4b668a30271d7853257b5752dc429b39c7b264e77ff3533196e6fd03fbeb88

SHA512
0d6f4bbb993b4e9a0069ddd0503ceb45d8a1cc6f6453cc2faf91cb137fa49e15eeaa3d77cb9954cc07701153932da51977d467c54b1e0fcfe74b6670cac47d99

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\stream.x64.x-none.hash
Filesize
128B

MD5
2b4d6d3b95916f9810449019372fbbde

SHA1
2c9f59c51fc6b290f758aed25a899dba37459fc6

SHA256
cea19b915390806a9677165794194c66b19e3198a342d51e5a880e7b55768ac7

SHA512
5cbb012b89989d53a7814dcb9f0391a761ebea6a7c9d1dcaae0efb476e61b30ce678387c4ff6fcebea0643f96d2f3bf126cff9511a75c1780ec89b51ba79c8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\email_initiator.dll
Filesize
797KB

MD5
8f4a4bc46ccd68ecf3af7795c8751f5c

SHA1
6dbe14f7b2d2f432b7f1b54f2e0ddd7bfb4e2366

SHA256
86872941b1cc479e9faf2489ce0c68c9a86746763d0c205da2789658f501cc53

SHA512
ec7668f7e5c7d76147c5e36b14d39d53440e2ac3282b4ad187a028ecf2b631d3a959b02ec0b1902282a04eae26e37af6798896ac7d846619d568175e30e16423

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.dll
Filesize
797KB

MD5
8f4a4bc46ccd68ecf3af7795c8751f5c

SHA1
6dbe14f7b2d2f432b7f1b54f2e0ddd7bfb4e2366

SHA256
86872941b1cc479e9faf2489ce0c68c9a86746763d0c205da2789658f501cc53

SHA512
ec7668f7e5c7d76147c5e36b14d39d53440e2ac3282b4ad187a028ecf2b631d3a959b02ec0b1902282a04eae26e37af6798896ac7d846619d568175e30e16423

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.dll
Filesize
797KB

MD5
8f4a4bc46ccd68ecf3af7795c8751f5c

SHA1
6dbe14f7b2d2f432b7f1b54f2e0ddd7bfb4e2366

SHA256
86872941b1cc479e9faf2489ce0c68c9a86746763d0c205da2789658f501cc53

SHA512
ec7668f7e5c7d76147c5e36b14d39d53440e2ac3282b4ad187a028ecf2b631d3a959b02ec0b1902282a04eae26e37af6798896ac7d846619d568175e30e16423

Download Submit
\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
memory/320-390-0x0000000000000000-mapping.dmp

Download
memory/320-474-0x00000000068E0000-0x0000000007005000-memory.dmp

Filesize
7.1MB

Download
memory/2164-477-0x0000000000000000-mapping.dmp

Download
memory/3172-513-0x00000000058A0000-0x0000000005FC5000-memory.dmp

Filesize
7.1MB

Download
memory/3172-370-0x00000000058A0000-0x0000000005FC5000-memory.dmp

Filesize
7.1MB

Download
memory/3856-138-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-142-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-148-0x0000000002350000-0x0000000002480000-memory.dmp

Filesize
1.2MB

Download
memory/3856-149-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/3856-150-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-151-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-152-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-153-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-154-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-155-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-156-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-157-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-158-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-159-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-160-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-161-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-162-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-163-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-164-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-146-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-145-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-144-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-143-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-147-0x00000000006C0000-0x00000000007B8000-memory.dmp

Filesize
992KB

Download
memory/3856-169-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/3856-141-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-140-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-139-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-137-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-136-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-135-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-134-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-133-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-132-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-131-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-130-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-129-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-128-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-126-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-125-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-124-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-123-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-122-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-120-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-121-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4172-283-0x000001A1046E0000-0x000001A10490A000-memory.dmp

Filesize
2.2MB

Download
memory/4172-282-0x0000000000290000-0x00000000004A9000-memory.dmp

Filesize
2.1MB

Download
memory/4172-276-0x00007FF6B2AE5FD0-mapping.dmp

Download
memory/4188-495-0x0000000000000000-mapping.dmp

Download
memory/5116-181-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-178-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-284-0x00000000066A0000-0x0000000006DC5000-memory.dmp

Filesize
7.1MB

Download
memory/5116-188-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-187-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-186-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-179-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-185-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-184-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-183-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-182-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-265-0x00000000066A0000-0x0000000006DC5000-memory.dmp

Filesize
7.1MB

Download
memory/5116-180-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-189-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-177-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-176-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-175-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-174-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-173-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-172-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-171-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-170-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-168-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-167-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-166-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-281-0x0000000007589000-0x000000000758B000-memory.dmp

Filesize
8KB

Download
memory/5116-165-0x0000000000000000-mapping.dmp

Download