Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-qk7xascg5s
Target e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a
SHA256 e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a
Tags
danabot banker discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a

Threat Level: Known bad

The file e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a was found to be: Known bad.

Malicious Activity Summary

danabot banker discovery persistence trojan

Danabot

Sets DLL path for service in the registry

Sets service image path in registry

Blocklisted process makes network request

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 13:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 13:20

Reported

2022-12-20 13:22

Platform

win10-20220812-en

Max time kernel

128s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Sets DLL path for service in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Stamp.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Stamp..dll" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Stamp.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Stamp..dll\uff00" | C:\Windows\SysWOW64\rundll32.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Stamp.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService騀" | C:\Windows\SysWOW64\rundll32.exe | N/A
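Read together, the two registry writes above are the persistence mechanism: a service named "Stamp." is registered with an ImagePath of the legitimate svchost.exe host (`-k LocalService`, matching the `C:\Windows\SysWOW64\svchost.exe -k LocalService` process listed under Processes) and a Parameters\ServiceDll that points at a DLL under Program Files (x86)\WindowsPowerShell\Modules instead of System32, so svchost will load the sample's DLL as a service on every boot. Both captured values end in a non-ASCII code point (U+9A00 after "LocalService", U+FF00 after "Stamp..dll"); the report does not say whether the sample wrote those bytes or the capture picked up an unterminated string, so a detection should tolerate them rather than depend on them. The following is an added example and not part of the sandbox report or its tooling: a Python audit that parses rows in the report's `Set value (str) <key> = "<data>"` form (with or without the column separators), groups them per service, and flags svchost-hosted services whose ServiceDll lies outside System32/SysWOW64, whose values contain non-printable characters, or whose names look malformed. The input is constructed: the two Stamp. rows from this report plus a hand-written control for the real Dhcp service, whose ServiceDll genuinely lives in System32. The function and constant names are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed input: the two "Set value (str)" rows from the report above,
# copied in the report's row layout, plus a hand-written benign control for
# the real Dhcp service (not taken from the report).
SAMPLE_EVENTS = r'''
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Stamp.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService騀" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Stamp.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Stamp..dll\uff00" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters\ServiceDll = "%SystemRoot%\\system32\\dhcpcore.dll"
'''

# Accepts both the space-separated and the " | "-separated row layouts.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\)\s*\|?\s*(\\REGISTRY\\.+?) = "(.*?)"(?:\s*\|.*)?$')
SERVICE_RE = re.compile(r'\\Services\\([^\\]+)(?:\\Parameters)?\\([^\\]+)$')
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+', re.IGNORECASE)
# Where the ServiceDll of an svchost-hosted service is expected to live.
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
               '%systemroot%\\system32\\', '%systemroot%\\syswow64\\')


def unescape(data: str) -> str:
    # The report shows value data JSON-style: "\\" for one backslash and
    # "\uXXXX" for a non-ASCII code point. Decode both in one pass.
    def repl(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc.startswith('u') else esc
    return re.sub(r'\\(u[0-9a-fA-F]{4}|.)', repl, data)


def parse_events(text: str) -> Dict[str, Dict[str, str]]:
    # Returns {service_name: {value_name: decoded_data}} for Services\* writes.
    services: Dict[str, Dict[str, str]] = defaultdict(dict)
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        _type, path, data = m.groups()
        svc = SERVICE_RE.search(path)
        if svc:
            services[svc.group(1)][svc.group(2)] = unescape(data)
    return dict(services)


def odd_chars(value: str) -> bool:
    # True if the value carries non-printable or non-ASCII code points, as both
    # Stamp. values in this report do (U+9A00 and U+FF00 after the real data).
    return any(not 32 <= ord(c) <= 126 for c in value)


def printable(value: str) -> str:
    return ''.join(c for c in value if 32 <= ord(c) <= 126)


def audit_services(services: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    # Only svchost-hosted services carry a ServiceDll; everything else is skipped.
    findings: Dict[str, List[str]] = {}
    for name, values in services.items():
        image = values.get('ImagePath', '')
        dll = values.get('ServiceDll')
        if dll is None or not SVCHOST_RE.search(image):
            continue
        reasons: List[str] = []
        dll_clean = printable(dll).lower()
        if not dll_clean.startswith(SYSTEM_DIRS):
            reasons.append(f'ServiceDll outside System32/SysWOW64: {dll_clean}')
        if odd_chars(image) or odd_chars(dll):
            reasons.append('non-ASCII or non-printable bytes in ImagePath/ServiceDll')
        if name.endswith(('.', ' ')):
            reasons.append(f'service name ends with {name[-1]!r}')
        if '..' in dll_clean.rsplit('\\', 1)[-1]:
            reasons.append('doubled dot in ServiceDll file name')
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == '__main__':
    for svc, reasons in audit_services(parse_events(SAMPLE_EVENTS)).items():
        print(svc)
        for reason in reasons:
            print('  -', reason)
```

The control row shows the point of the path check: a genuine svchost service keeps its DLL under %SystemRoot%\system32 and produces no finding, while Stamp. trips every rule. The report records the write under ControlSet001; on a live host, check CurrentControlSet as well, and adapt only `SET_VALUE_RE` if the records come from a source with a different row format.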

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4684 set thread context of 1344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\MyriadCAD.otf | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\remove.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\RTC.der | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\init.js | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\reflow.api | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int_2x.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.css | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.pdf | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-mac.css | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\editpdf.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Stamp..dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\rename.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\forms_distributed.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Dynamic.pdf | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094559572100054656d7000003a0009000400efbe0c555388945595722e0000000000000000000000000000000000000000000000000041f74f00540065006d007000000014000000 | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\rundll32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a.exe

"C:\Users\Admin\AppData\Local\Temp\e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14132

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\stamp..dll",JSAFTTdRTA==

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
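The process list above is best read as a sequence. The dropper hands a file with a .tmp extension in the user's Temp directory to rundll32 by export name; a rundll32 instance calls shell32.dll by ordinal (#61) with the argument 14132, which is also one of the loopback ports in the Network section; the SetThreadContext signature shows PID 4684 (a SysWOW64 rundll32) rewriting the thread context of PID 1344 (a system32 rundll32); and the persisted Stamp..dll is later invoked with an export name, JSAFTTdRTA==, that is not a valid identifier. Two things here are not suspicious on their own: a command line that names C:\Windows\system32\rundll32.exe while the process image is C:\Windows\SysWOW64\rundll32.exe is WOW64 file-system redirection for a 32-bit parent, and the SHCreateLocalServerRunDll {CLSID} -Embedding line is the shell's normal way of hosting an out-of-process COM server. The following is an added example, not part of the sandbox report or its tooling: a Python triage pass over the eight command lines above (copied verbatim as constructed input, with the two loopback ports taken from the Network section) that applies those heuristics to every rundll32 invocation and separately notes a scheduled task that was stopped with /End and restarted with /Run. Function names, the trusted-directory list and the user-writable-directory list are the example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the eight command lines from the Processes section above,
# copied verbatim. The loopback ports come from the Network section.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a.exe"',
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14132',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
    r'C:\Windows\SysWOW64\svchost.exe -k LocalService',
    r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\stamp..dll",JSAFTTdRTA==',
    r'schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask',
    r'schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask',
]
LOOPBACK_PORTS = {14132, 1312}

# rundll32 syntax: [quoted] exe, [quoted] module, comma, entry point, optional args.
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+"?(?P<dll>[^",]+)"?\s*,\s*'
    r'(?P<entry>\S+)(?:\s+(?P<args>.*))?$', re.IGNORECASE)
IDENT_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
SCHTASKS_RE = re.compile(r'^schtasks\s+/(End|Run)\s+/tn\s+(\S+)', re.IGNORECASE)
# Assumed lists for the example: where modules handed to rundll32 should and
# should not come from.
TRUSTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\temp\\', '\\appdata\\')


def parse_rundll32(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    m = RUNDLL_RE.match(cmdline.strip())
    return m.groupdict() if m else None


def assess_rundll32(cmdline: str) -> List[str]:
    # Returns the reasons a rundll32 command line looks suspicious; an empty
    # list means either "not rundll32" or "nothing the heuristics object to".
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll = (parsed['dll'] or '').strip().lower()
    entry = parsed['entry'] or ''
    args = (parsed['args'] or '').strip()
    reasons: List[str] = []
    if not dll.endswith('.dll'):
        reasons.append(f'module has non-DLL extension: {dll.rsplit(".", 1)[-1]}')
    if any(part in dll for part in USER_WRITABLE):
        reasons.append('module loaded from a user-writable location')
    elif not dll.startswith(TRUSTED_DIRS):
        reasons.append('module outside System32/SysWOW64')
    if '..' in dll.rsplit('\\', 1)[-1]:
        reasons.append('doubled dot in module file name')
    if entry.startswith('#'):
        # Ordinal calls are legitimate; the tell here is the argument matching
        # a loopback port the sample also talks to.
        if args.isdigit() and int(args) in LOOPBACK_PORTS:
            reasons.append(f'ordinal export {entry} called with loopback port {args} as argument')
    elif not IDENT_RE.fullmatch(entry):
        reasons.append(f'export name is not an identifier: {entry}')
    return reasons


def task_restarts(cmdlines: List[str]) -> List[str]:
    # Scheduled tasks stopped with "schtasks /End" and then started with "/Run".
    ended = set()
    restarted: List[str] = []
    for cmdline in cmdlines:
        m = SCHTASKS_RE.match(cmdline.strip())
        if not m:
            continue
        verb, task = m.group(1).lower(), m.group(2)
        if verb == 'end':
            ended.add(task)
        elif task in ended:
            restarted.append(task)
    return restarted


def triage(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    hits: List[Tuple[str, List[str]]] = []
    for cmdline in cmdlines:
        reasons = assess_rundll32(cmdline)
        if reasons:
            hits.append((cmdline, reasons))
    return hits


if __name__ == '__main__':
    for cmdline, reasons in triage(PROCESS_CMDLINES):
        print(cmdline)
        for reason in reasons:
            print('  -', reason)
    for task in task_restarts(PROCESS_CMDLINES):
        print('task restarted:', task)
```

Three of the four rundll32 lines are flagged and the COM-surrogate line is not, which is the split a responder wants. The ordinal rule deliberately needs the port list: rundll32 shell32.dll,#NN is common on a clean host, and it is the cross-reference to the sample's own loopback traffic that makes this instance worth a look.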

Network

Country | Destination | Domain | Proto
N/A | 23.236.181.126:443 | 23.236.181.126 | tcp
N/A | 127.0.0.1:14132 | | tcp
N/A | 127.0.0.1:1312 | | tcp
N/A | 20.42.73.25:443 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 23.236.181.126:443 | | tcp
N/A | 127.0.0.1:14132 | | tcp
N/A | 127.0.0.1:1312 | | tcp

Files

memory/3500-115-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-116-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-117-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-118-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-119-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-120-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-121-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-122-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-123-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-124-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-125-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-126-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-127-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-128-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-129-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-131-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-132-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-133-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-134-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-135-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-137-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-139-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-138-0x0000000002460000-0x0000000002590000-memory.dmp

memory/3500-136-0x0000000002290000-0x0000000002385000-memory.dmp

memory/3500-141-0x0000000000400000-0x000000000053E000-memory.dmp

memory/3500-142-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-140-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-143-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-144-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-145-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-146-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-147-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-148-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-149-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-150-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-151-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-152-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-153-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-154-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-155-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-156-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-157-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-158-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-159-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-160-0x0000000000000000-mapping.dmp

memory/4684-161-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-162-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-164-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-165-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/3500-163-0x0000000000400000-0x000000000053E000-memory.dmp

memory/4684-166-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-167-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-168-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-169-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-171-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-170-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-172-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-173-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-174-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-175-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-177-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-176-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-178-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-179-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-180-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-181-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-182-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-183-0x00000000776C0000-0x000000007784E000-memory.dmp

memory/4684-184-0x00000000776C0000-0x000000007784E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

memory/4684-262-0x0000000007130000-0x0000000007855000-memory.dmp

memory/1344-271-0x00007FF6CFD15FD0-mapping.dmp

memory/4684-276-0x0000000008019000-0x000000000801B000-memory.dmp

memory/1344-277-0x0000000000890000-0x0000000000AA9000-memory.dmp

memory/1344-278-0x000001F7E2CB0000-0x000001F7E2EDA000-memory.dmp

memory/4684-279-0x0000000007130000-0x0000000007855000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\stamp..dll

MD5 a97d3e6fa16a53acff13492b8c43fc2f
SHA1 e5fb95a75b82ec28bbcf991d52c314ab3eacb418
SHA256 28ba85af33677aab4bcfb6260d5b21bed86537adcfc644f8e094c69ae4cedfc9
SHA512 308748d4c7ff1e22812be18ed994f2fc6b573025fe2d26c8c1c752a0215e70d640bd27dc3c1b3c55c420bbcb20252e9ad7dabfb26b92cbda7598f136351917c8

\Program Files (x86)\WindowsPowerShell\Modules\Stamp..dll

MD5 a97d3e6fa16a53acff13492b8c43fc2f
SHA1 e5fb95a75b82ec28bbcf991d52c314ab3eacb418
SHA256 28ba85af33677aab4bcfb6260d5b21bed86537adcfc644f8e094c69ae4cedfc9
SHA512 308748d4c7ff1e22812be18ed994f2fc6b573025fe2d26c8c1c752a0215e70d640bd27dc3c1b3c55c420bbcb20252e9ad7dabfb26b92cbda7598f136351917c8

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 0375296ca1c7583dda33d81cb92890b2
SHA1 7e7054d9c4b5c19d5bf7a8ad2ec71d0a3943b379
SHA256 c01f62ef4903f43f28546d7d036074d0e27989e9bd4df59bd4dfc69026f4769d
SHA512 c1a63543401924230b92fa3ff7062be601509cc8aadd11392c97dcbf31338ec929abc877d84129770c2b870c1221db36124d4b125c2fb3faf177520cfab6cfe2

memory/5036-363-0x0000000005530000-0x0000000005C55000-memory.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml

MD5 9e3d2d6830eba41e31e8558da30ddccd
SHA1 f5fbe0dfef87a30a9898cd6e1e7691c7dd9a9b99
SHA256 50ce5d2f9497955246143e7bb7d7584f221c15574a910c7cc11af87537711d25
SHA512 d1f3774e8c2bdfb6acbb8b9429f59fce5048b5adc4ddc7ecacf7bf52862715db35aee04884a24a8e329e8d10aa5fd06cac5360aad9dd296582453fadadf4d7ee

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.powerpointmui.msi.16.en-us.xml

MD5 e9ed7134ebf28fea3f7aa5691a28438a
SHA1 ea1e55c279ed9f8dae333ae436204d8d67d46adf
SHA256 8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28
SHA512 535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\155__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml

MD5 bfbff89c7d2533270a97429879704295
SHA1 61fe4d0adfcbc0400bb7408d053efdd1dac7f207
SHA256 939f86c8e33354025c9231816294414658f82a6f3f1fc4bda17e603aa9f0b584
SHA512 83ee9190296fbdd5ae465e9f35b93f9d7051f94db983e01c413e201f58bf5e99cfac2a9b2236acf0694fa0958df6643df3b0e36981c269e92c839118a4ac7c6a

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\RunTime.xml

MD5 6b3cbeda670a51bdefda7d43de1a3b7a
SHA1 8e9222b2e808f9103ad9c661d095fcd1e41fbdca
SHA256 82b589daa821aeabec394044f442f0380058e646cae0e6dcb120d22180e882bc
SHA512 dafb7412d376e0d7b5eb9ed01b6a570e3ed41ba7849eb5e408cc3b3c864374717d45b588a44bc518fa978562e99a7010d14939119bb4a08c6ee09d9d2b8b8f51

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml

MD5 95fdba87a0835dce3d259c38ed7f9371
SHA1 cb539d0d5cf31d38ec78c1325ea4c1710b8ec89c
SHA256 f84ae8cef222f02e3fc7d05f76eb8bedc767de9310e8674eda522ae7c45bdd64
SHA512 ce0e66eb46fc6c97d1e05258e38fc58272989101c4f99c5e836a9600d2969f4a256c097da8c3ea6a8b7ee0b9471c3b674cdb88ff6281e7b4eb9e7f439465b96b

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\104__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml

MD5 04970638ae1734f40c4062108b07e8e4
SHA1 064eb5c516dfe3e59715f71a65f2dbf5ac066ed6
SHA256 5cb4e12d8b6b7b4213b706a5143c436d316e0cc18a260e96921749e4a15f19ad
SHA512 0e7013c16c5846f27a8f68db6e81c4e7e80def4d9579578bf44b9d887171c6d97597f20e99b6caa0be3062deacae9efe9780351406793ca96a9686ec00b00e2c

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_Office Feature Updates Logon.xml

MD5 9663230fbff7b7ea27acf7cb5b2eb224
SHA1 c9061dc5a74944235155461a761456af38ec7de5
SHA256 189d7c143926ab4402258ecf47d9b4a6a2b55aa7564b853ddd81bbfcd2113bdb
SHA512 b96f74946a99d9cca64f7727dd0664fafd16a6a1242af773b36c5f531c071dbf1b91ff873962be2cd160bdcc128b3aaa5715a38f997e5cfa1b78863ab146493d

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\120__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml

MD5 4a0b3d1da2f40dac62ca663af5509136
SHA1 bc6c403efae8d56f56cdc670f207f7de1c58fa57
SHA256 c55473046557eb904780d27044462c0c31b1d189aafa15bc2fc90e3f3afc2ed4
SHA512 bd5becb34953d49b29c3076f4a9a05f66a65200d31a7068e092569349aa35d76bb27207ed0e2fb0806622b4b69d1fb0f8cffeb4eb4fa0a130444fbd6ff40e7cc

memory/4560-379-0x0000000000000000-mapping.dmp

\Program Files (x86)\WindowsPowerShell\Modules\Stamp..dll

MD5 a97d3e6fa16a53acff13492b8c43fc2f
SHA1 e5fb95a75b82ec28bbcf991d52c314ab3eacb418
SHA256 28ba85af33677aab4bcfb6260d5b21bed86537adcfc644f8e094c69ae4cedfc9
SHA512 308748d4c7ff1e22812be18ed994f2fc6b573025fe2d26c8c1c752a0215e70d640bd27dc3c1b3c55c420bbcb20252e9ad7dabfb26b92cbda7598f136351917c8

memory/4560-465-0x0000000006900000-0x0000000007025000-memory.dmp

memory/3320-466-0x0000000000000000-mapping.dmp

memory/1456-484-0x0000000000000000-mapping.dmp

memory/5036-502-0x0000000005530000-0x0000000005C55000-memory.dmp