Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-q48ypshf93
Target 39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7
SHA256 39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7
Tags
danabot banker collection discovery persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7

Threat Level: Known bad

The file 39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7 was found to be: Known bad.

Malicious Activity Summary

danabot banker collection discovery persistence spyware stealer trojan

Danabot

Blocklisted process makes network request

Sets DLL path for service in the registry

Sets service image path in registry

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

outlook_win_path

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 13:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 13:50

Reported

2022-12-20 13:52

Platform

win10-20220901-en

Max time kernel

127s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ini\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\ini.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ini\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4680 set thread context of 4784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Modules\init.js C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\form_responses.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\ini.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\favicon.ico C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094554b6e100054656d7000003a0009000400efbe2155a88494554b6e2e00000000000000000000000000000000000000000000000000e8b01a00540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7.exe

"C:\Users\Admin\AppData\Local\Temp\39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14138

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\ini.dll",a2EK

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:14138 tcp
N/A 127.0.0.1:1312 tcp
N/A 52.182.143.210:443 tcp
N/A 87.248.202.1:80 tcp
N/A 23.236.181.126:443 tcp
N/A 127.0.0.1:14138 tcp
N/A 59.235.155.96:443 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:14138 tcp
N/A 127.0.0.1:14135 tcp
N/A 127.0.0.1:1312 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

\Program Files (x86)\WindowsPowerShell\Modules\ini.dll

MD5 8ff4b4d90f83b7ccd45ab862139969d8
SHA1 0578182ef7af13dd42e7af5142f5c1ec279a38cd
SHA256 c201c035f0496ebae3a2ea765cbbb86c354294a7936029a6f00268ff93a66839
SHA512 2ef77189416aedbb5eca32fd0938e395a1c864217c7b70eccbb8af8231374436e7883fa5ff7822946609b17d84df07b5712ef84c2b1008514a0fa4ca689e8ae8

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 c1afb726245d36026dd3ca97928bc7d6
SHA1 73974a1a5b85e9d2798c90b40c4563fadfea576b
SHA256 7df47943d504e8b12f95e8b792dcc1abc5b2ac220395f1e1441ea98ad5d0853e
SHA512 868522331450230514c94fa852733c8f19d3b00c0c624b729e45a313ea15eb07bac60dc391c31dd280596307f0cf0859a602ebedab26e538e88c1401774a424d

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.office32ww.msi.16.x-none.xml

MD5 b5cf5d15a8e6c6f2eb99a5645a2c2336
SHA1 7efe1b634ce1253a6761eb0c54f79dd42b79325f
SHA256 f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c
SHA512 83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\131__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml

MD5 10a8b787ad21dec6a500a119ddcad593
SHA1 3e519643358b158cf11ce8be5ba92a8673e2f401
SHA256 c860723fbaa28599dba8c909c8b2caddd38fc725f780abc81a4afed7f13d6f68
SHA512 ba3d813d2849718bf323ab63d1c562fc2e32472ab59f9822b3260f5a2757f24806fed193b35285e7fca94fd06b12594a498aa127d9252aa356f63c4e44cbc6f6

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\0__Power_EnergyEstimationEngine.provxml

MD5 2cf4ea4d03f8a1f424c2db46789ed2e3
SHA1 50bb43d2589bc86115baac9fcdfcabadeff70c6d
SHA256 41d62ac11f8cc15391010f53a7262df090149355b07021fe648d15c24fb45090
SHA512 c2dd7c30856006f8eec73402284c86ab35c9daf824f81a33aefa1502d881be0a066da75441bdba97236f6bf3586b77d9e244cc94ccfac8e28fba06c61e9b78e6

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\setup.ini

MD5 d8b2e1bfe12db863bdccdd49a5e1c8b5
SHA1 9c979907f03887b270d4e87b0cdd5377cff3692c
SHA256 00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301
SHA512 3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41
