Malware Analysis Report

2024-09-22 16:44

Sample ID 231226-hd31rsfgdn
Target 5a17eb22c96dfbefb792493dac7618c0
SHA256 deb121bac1823d2de090b6816cbaffe8739600299b69789c109ac97a9477d5aa
Tags babadeda darkvnc crypter discovery loader rat
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 5a17eb22c96dfbefb792493dac7618c0 was found to be: Known bad.

Malicious Activity Summary

babadeda darkvnc crypter discovery loader rat

Babadeda Crypter

Babadeda

DarkVNC

DarkVNC payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-26 06:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 06:38

Reported

2023-12-27 10:51

Platform

win7-20231215-en

Max time kernel

173s

Max time network

208s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

DarkVNC

rat darkvnc

DarkVNC payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1728 set thread context of 816 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
PID 1728 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

"C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

Network

Country Destination Domain Proto
DE 45.147.229.254:443 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 06:38

Reported

2023-12-27 10:51

Platform

win10v2004-20231222-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

DarkVNC

rat darkvnc

DarkVNC payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

"C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4176 -ip 4176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 560

Network

Files
