Malware Analysis Report

2024-09-22 16:42

Sample ID 240114-dezyaaaghk
Target 5a17eb22c96dfbefb792493dac7618c0
SHA256 deb121bac1823d2de090b6816cbaffe8739600299b69789c109ac97a9477d5aa
Tags
babadeda darkvnc crypter discovery loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

deb121bac1823d2de090b6816cbaffe8739600299b69789c109ac97a9477d5aa

Threat Level: Known bad

The file 5a17eb22c96dfbefb792493dac7618c0 was found to be: Known bad.

Malicious Activity Summary

babadeda darkvnc crypter discovery loader rat

Babadeda Crypter

DarkVNC

Babadeda

DarkVNC payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-14 02:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-14 02:56

Reported

2024-01-14 02:58

Platform

win7-20231215-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

DarkVNC

rat darkvnc

DarkVNC payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2260 set thread context of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
PID 3048 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
PID 3048 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
PID 3048 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
PID 2260 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe
PID 2260 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe
PID 2260 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe
PID 2260 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe
PID 2260 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe
PID 2260 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe
PID 2260 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

"C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

Network

Country Destination Domain Proto
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp

Files

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\gtk-2.0\gtkrc.default

MD5 ddd31f8fc20ab0835c1e135f80d6db51
SHA1 2d598c52c17bbf076ee4c3b9e58e4fff6144ab6d
SHA256 fb749ac4812ba307bbb4c1e0b30175a88668fcb2eed702f780bd7da5987f9004
SHA512 d514da7b2f68096cd6bd258d28ac5948a594c9cca4cd9ff79364b50c85641f2e11befaf81508e42841373459647cbe7e7e7f9daa675bcdf4c93ea85dea0c1a42

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

MD5 4dce36ba494371a3120057757b9e3f11
SHA1 3725927d60997839c88749e60c4c960cf4afa15a
SHA256 bae717ec9bcef7508ec6ab7402c1f5ab33476bedf015cc6199fbf0c8c736a819
SHA512 ef5273d3131f4f22e71416fa1fb18f95f1873a672ee3cda1ea5d9ee8f6c5814e5156c7a57595bdc0c26969583aad5fed98d0588aefe55481120e1ffbabb4b37e

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

MD5 c1c2a1c49e09e126f9df930c507e01fc
SHA1 ec437fa73e7799abcb5a14dbc5f3b4941924ce29
SHA256 9c4bc0faa71c14a8d0ed1aeebe7d40876302075bdfec601e57d1089c609a6a12
SHA512 522b7f7dc9c64c658547514821185ebb17859b5d71c8776d1b74e0176fb952f58805bd421d784517957766d95fcc7845cc36774a001e958c9398f71ca864a196

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

MD5 1aa41052219b38d7f4fb200b22d3b563
SHA1 d11e55147401d9f82d8aeb47bd8cd2a7cc95b728
SHA256 5c4b6373cc4b84b41bd01bc2a8e23cab98075cc9a5a120b0a9873a2c313b947c
SHA512 51b6daa29893a251c9463f7c4d7de9bbddc4e31b9a03bbc5e04ae1f4e6fe8d39f809fd6c5aa8650f014308935b92938daebdaecc831e9f286c426d9597979024

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll

MD5 c6c62b319cc39617dcae1aac19ff806b
SHA1 20009616e9bde259e698415af19af1c94a4a7fe4
SHA256 59356d54db35d3d35c011e2fe61c3f70cf037fe95cb2b82e7f584b9d193bb8af
SHA512 163b796b9269bad810334edd997ef2fd2064963f8e46ea299c58ea84fef20a1fcdee5e9014eb37e31d25de6a8644fafc53050b9cf4f1a17f343b9728f41ed9ce

memory/3048-495-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\base.xml

MD5 68750acdc6fa011af6da9095a56c477c
SHA1 43a0bea369153bb6e3433fef3833e2086f1086a8
SHA256 9274c8f3bb7ec81bdd65a25e95959319fa7cf2b740908a3968281feff6452b84
SHA512 f084ce886f3dbb8cabb63be665cef6558da485ecd5d8e896792cf964bd7bed3dca65c79c222601a47bebc4513fb88d9df944f9ca0ba40caedaa4131d53804f34

\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll

MD5 c919f00320d4951c01e921c7664afe82
SHA1 dc09711796b949433ff0b8e81d08ea528da47049
SHA256 01883bde5c5c9c76a381c30b3188a7b6b67a0bced475008b37595a66b91f561a
SHA512 8214960327317328df89e006cd2af059b8982bd2f49af3babadfcf7f060a5971dcea62c1feab8ecd0323f3baf7c6e8720e96c08cd9d075d315c1c5a3c13205f9

memory/3048-499-0x00000000032E0000-0x0000000003B16000-memory.dmp

memory/2260-500-0x0000000000140000-0x0000000000976000-memory.dmp

memory/1272-502-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

memory/1272-503-0x0000000001B10000-0x0000000001BDA000-memory.dmp

memory/1272-506-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1272-508-0x0000000001B10000-0x0000000001BDA000-memory.dmp

memory/1272-509-0x0000000001B10000-0x0000000001BDA000-memory.dmp

memory/1272-510-0x0000000001B10000-0x0000000001BDA000-memory.dmp

memory/1272-511-0x0000000001B10000-0x0000000001BDA000-memory.dmp

memory/2260-512-0x0000000000140000-0x0000000000976000-memory.dmp

memory/1272-513-0x0000000001B10000-0x0000000001BDA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-14 02:56

Reported

2024-01-14 02:58

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

DarkVNC

rat darkvnc

DarkVNC payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4572 set thread context of 4700 N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe C:\Windows\system32\WerFault.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe

"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

"C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 552

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
DE 45.147.229.254:443 tcp
DE 45.147.229.254:443 tcp

Files

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\gtk-2.0\gtkrc.default

MD5 ddd31f8fc20ab0835c1e135f80d6db51
SHA1 2d598c52c17bbf076ee4c3b9e58e4fff6144ab6d
SHA256 fb749ac4812ba307bbb4c1e0b30175a88668fcb2eed702f780bd7da5987f9004
SHA512 d514da7b2f68096cd6bd258d28ac5948a594c9cca4cd9ff79364b50c85641f2e11befaf81508e42841373459647cbe7e7e7f9daa675bcdf4c93ea85dea0c1a42

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

MD5 91d96e9aad9f40a8758ed4300695dc53
SHA1 50ddf7f958766e134bd9f90a0b3c4daec71aa5b9
SHA256 d7e250b8cbfdf16407a12bd77640bb67db698eca2015d03f02de756e5e8d8bc7
SHA512 bcac09bd834de8036ff6c51ebc2f5050e1aa5167a5765fb2f40ef47faac64028ccc97e09456b91b64b50a4f80569992f227cb6e98eaecfaf2c37cbf3643c6bb0

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

MD5 6f1a77632d71176e5861409d6c734a7e
SHA1 955ccd6f4958aae88c269ef86bc8bf7f4592bf8a
SHA256 04dd04b396efaadfd0fba5c07087b131622488d5db4fcbeb2c4c1428d1344afe
SHA512 d7752fccb762ffab622b6f0ded15b344e9c382cbc2fb2c9058ddf356f9e758436e728a41e4131f982ee10b0e1d3e060a7a74f13cfab21e7ab9dd83bdd11053a1

memory/4204-500-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll

MD5 922cbda9db03264d92b763a1f56d3513
SHA1 28361496a5c0a5bcef95e3eba252a2a751cef011
SHA256 38c08cd6ab92f1ec985772028c4c86b2ed23446be256f18720c65036f8f18965
SHA512 8718358ac42c2959653b610580a63e4bf2cd97f0798ebb82f5238fefd7e683d0a17ea4c6c4103ee5610107745dfbf34717fbb8482c363d2d4aaed619b112189e

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\base.xml

MD5 e5ec46902cefd0660100572c6579d99e
SHA1 32f8085a1f929915ef2d5499986aa78a9714aab8
SHA256 c4dcc2efea6830ff42324c0036fd42ff63570c2ac5ef1eb165b1f6e8d9b7f6f7
SHA512 f5e3bd515a963e9994ec073f680e598e32b67effcf02c7b0dd105d3e1118b92bfc8a911329205a89a9e3d28b16d774305344e360724423ef62e04fbd290e1022

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll

MD5 064fd0c14fcdc05fd21b8865897c61f0
SHA1 5351a1247c3a4c2736f948300116330cdc0e9071
SHA256 4cdd4644908bc246a337e6a2d7456cd785864ba8d67d948eb3f1706d06955889
SHA512 e7c564cdd21b48722cecf7a9448aa305697c18b024e3d38a9d822cab9a9d3b6463d8a7bfdf80a70a0e9c757126725693d3738b09a365c3cf98c770698aaf2bef

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

MD5 d80eb5893062c5dc7a733643e41265f8
SHA1 7700adf6d7f8a4c51b72eed49f2a7361c66b600d
SHA256 4da2d6e573a6694bcdd9dd830a13f0afa88781448920ba1702291591868450a4
SHA512 2fef0f8c5fa7666003fd23fca5628637258a52eabcf82a829ad8325ad14a662d4dea680a2cdb4725664f57ebb14cde06b54779c4f2bff9131d742717109bc266

memory/4572-504-0x0000000000DC0000-0x00000000015F6000-memory.dmp

memory/4700-507-0x000001F7DFBF0000-0x000001F7DFBF1000-memory.dmp

memory/4700-509-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

memory/4700-508-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

memory/4700-513-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

memory/4700-516-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

memory/4700-515-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

memory/4700-514-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

memory/4572-517-0x0000000000DC0000-0x00000000015F6000-memory.dmp

memory/4700-518-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp