e03516de1aab13ea5b79ebac1b513fef8c9a3ba849bda21a5c211dd33e15eeab

Analysis

max time kernel
94s
max time network
90s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 08:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

DashlaneInst.exe
Size

806KB
MD5

8131f7277245dd4c502f43a161f8cc43
SHA1

6edcb79a37408bc4fac095e27ef21ec590d90a3a
SHA256

e03516de1aab13ea5b79ebac1b513fef8c9a3ba849bda21a5c211dd33e15eeab
SHA512

56b949a0274761546723bbbeed8bf078a6d82a97355b79020c8b0041668779574b30546dec0d1ac228edaf7558cd28ab64a842827ff21c940293774b1c848803

Score

9^/10

discovery persistence ransomware spyware upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\version_1.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

Dashlane.exe

pid process

1708 Dashlane.exe

pid	process
1708	Dashlane.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	upx
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	upx
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	upx
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	upx
behavioral1/memory/2028-14-0x00000000003E0000-0x00000000003E1000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	upx
behavioral1/memory/2028-17-0x00000000003E0000-0x00000000003E1000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	upx
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll	upx
behavioral1/memory/2028-26-0x00000000003E0000-0x00000000003E1000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\version_1.dll	upx
behavioral1/memory/2028-29-0x00000000003E0000-0x00000000003E1000-memory.dmp	upx

Loads dropped DLL 150 IoCs

Processes:

DashlaneInst.exeDashlane.exe

pid	process
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DashlaneInst.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	DashlaneInst.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dashlane = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dashlane\\Dashlane.exe\" autoLaunchAtStartup"	DashlaneInst.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DashlanePlugin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dashlane\\DashlanePlugin.exe\" ws"	DashlaneInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Drops file in Program Files directory 1 IoCs

Processes:

DashlaneInst.exe

description ioc process

File created C:\Program Files (x86)\Dashlane\Dashlane_launcher.exe DashlaneInst.exe

description	ioc	process
File created	C:\Program Files (x86)\Dashlane\Dashlane_launcher.exe	DashlaneInst.exe

Modifies registry class 6 IoCs

Processes:

Dashlane.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\dashlane\shell\open\command	Dashlane.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\dashlane\shell	Dashlane.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\dashlane\shell\open	Dashlane.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\dashlane\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Dashlane\\Dashlane.exe %1"	Dashlane.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\dashlane	Dashlane.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\dashlane\URL Protocol	Dashlane.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DashlaneInst.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	DashlaneInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	DashlaneInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DashlaneInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DashlaneInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DashlaneInst.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Dashlane.exe

pid process

1708 Dashlane.exe

pid	process
1708	Dashlane.exe

Suspicious behavior: EnumeratesProcesses 68 IoCs

Processes:

DashlaneInst.exeDashlane.exe

pid	process
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
2028	DashlaneInst.exe
1708	Dashlane.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1580	AUDIODG.EXE
Token: 33	1580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1580	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

DashlaneInst.exeDashlane.exe

pid process

2028 DashlaneInst.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

Dashlane.exe

pid process

1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Dashlane.exe

pid process

1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe
1708 Dashlane.exe

pid	process
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe

pid	process
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe
1708	Dashlane.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DashlaneInst.exeexplorer.exe

description	pid	process	target process
PID 2028 wrote to memory of 1964	2028	DashlaneInst.exe	explorer.exe
PID 2028 wrote to memory of 1964	2028	DashlaneInst.exe	explorer.exe
PID 2028 wrote to memory of 1964	2028	DashlaneInst.exe	explorer.exe
PID 2028 wrote to memory of 1964	2028	DashlaneInst.exe	explorer.exe
PID 328 wrote to memory of 1708	328	explorer.exe	Dashlane.exe
PID 328 wrote to memory of 1708	328	explorer.exe	Dashlane.exe
PID 328 wrote to memory of 1708	328	explorer.exe	Dashlane.exe
PID 328 wrote to memory of 1708	328	explorer.exe	Dashlane.exe

C:\Users\Admin\AppData\Local\Temp\DashlaneInst.exe
"C:\Users\Admin\AppData\Local\Temp\DashlaneInst.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Users\Admin\AppData\Roaming\Dashlane\Dashlane.exe"
2⤵
PID:1964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Users\Admin\AppData\Roaming\Dashlane\Dashlane.exe
"C:\Users\Admin\AppData\Roaming\Dashlane\Dashlane.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dashlane\Dashlane.exe
MD5
2209d1766718c58b9ccf13cbc9decb6d

SHA1
22c85932ae10f225f677a3d56b6217efb0d946fa

SHA256
c8f81b31d02b847abc9ba0ea9c5bc507f018ecd3699fe2d2d33215e566d21769

SHA512
bfa6f3fae64fbf3f9826bc5c44b9b7690b45bd98d6e7c7038654813084a03beba29b5fac1e8e5aeb4ebf8db23061ac19937222ab2954336f1c785030903b0049

Download Submit
C:\Users\Admin\AppData\Roaming\Dashlane\Dashlane.exe
MD5
2209d1766718c58b9ccf13cbc9decb6d

SHA1
22c85932ae10f225f677a3d56b6217efb0d946fa

SHA256
c8f81b31d02b847abc9ba0ea9c5bc507f018ecd3699fe2d2d33215e566d21769

SHA512
bfa6f3fae64fbf3f9826bc5c44b9b7690b45bd98d6e7c7038654813084a03beba29b5fac1e8e5aeb4ebf8db23061ac19937222ab2954336f1c785030903b0049

Download Submit
C:\Users\Admin\AppData\Roaming\Dashlane\MSVCP140.dll
MD5
1fb93933fd087215a3c7b0800e6bb703

SHA1
a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb

SHA256
2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01

SHA512
79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e

Download Submit
C:\Users\Admin\AppData\Roaming\Dashlane\VCRUNTIME140.dll
MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
C:\Users\Admin\AppData\Roaming\Dashlane\api-ms-win-crt-runtime-l1-1-0.dll
MD5
fb0ca6cbfff46be87ad729a1c4fde138

SHA1
2c302d1c535d5c40f31c3a75393118b40e1b2af9

SHA256
1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df

SHA512
99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\AccessControl_2.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\AccessControl_2.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\AccessControl_2.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\CheckInstalledKB_15-02-17_3_1.dll
MD5
d2098d2c2d7d35c0d3c396ef6206b867

SHA1
10d7bcdf07c9b3fb784dc0d6a6983d6846422e9d

SHA256
92d2e4031540c2db9938f257e4c25fd61f3d8fce9397a6a7a83a6604a40c0c8c

SHA512
61a2b45382feaae5ac75f2a9a250d2c2098918c2f89f53eb0ecfedcb63f7db87b72d27ab3c3602e62f6ec7a8bddce287cd49fa74688eeb6387ca4cbdc796436f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\CheckInstalledKB_15-02-17_3_2.dll
MD5
d2098d2c2d7d35c0d3c396ef6206b867

SHA1
10d7bcdf07c9b3fb784dc0d6a6983d6846422e9d

SHA256
92d2e4031540c2db9938f257e4c25fd61f3d8fce9397a6a7a83a6604a40c0c8c

SHA512
61a2b45382feaae5ac75f2a9a250d2c2098918c2f89f53eb0ecfedcb63f7db87b72d27ab3c3602e62f6ec7a8bddce287cd49fa74688eeb6387ca4cbdc796436f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\CheckInstalledKB_15-02-17_3_2.dll
MD5
d2098d2c2d7d35c0d3c396ef6206b867

SHA1
10d7bcdf07c9b3fb784dc0d6a6983d6846422e9d

SHA256
92d2e4031540c2db9938f257e4c25fd61f3d8fce9397a6a7a83a6604a40c0c8c

SHA512
61a2b45382feaae5ac75f2a9a250d2c2098918c2f89f53eb0ecfedcb63f7db87b72d27ab3c3602e62f6ec7a8bddce287cd49fa74688eeb6387ca4cbdc796436f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\Processes_2015_02_11_2_1.dll
MD5
0dc4361cc10bf4609baae53cca018a58

SHA1
b69e3ddb534f4ad10b6a532c9125b372ac73abc9

SHA256
d8d618d75d0c01c39bfc0827d1414c2aeed299cf541d3387322d0fd91bfd06a7

SHA512
1745d39ebcdb898fa752e2015356131e53bc064e79dad04c9b2917aa237088110291d8ca813e67ea71aa6c03614194a9c52285bfe7f18abe5c8b862b8520c293

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\System.dll
MD5
5bc871689eab0c9726d71dd0e5921d9b

SHA1
966ed460b74fb98b4fbab6bac29f9649eaed0b58

SHA256
0bccf2d9fcae0f2746e52db6d3da99c1ab21cbe81fd8d115157d31afaba4601e

SHA512
ce90a7ba82f32bdf4a39baf599cae10c8f526391a9137c07b5a6067aa0cc374e7c8c4f5ee9907d5606b0a3b4b1429ba6250cb3579d06cb9dd1df1592b21bc863

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\System_1.dll
MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\System_2.dll
MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\UAC.dll
MD5
4814167aa1c7ec892e84907094646faa

SHA1
a57a5ecbdfa9a8777a3c587f1acb02b783afc5ee

SHA256
32dd7269abf5a0e5db888e307d9df313e87cef4f1b597965a9d8e00934658822

SHA512
fb1f35e393997ecd2301f371892b59574ee6b666095c3a435336160481f6ef7ed5635c90ce5d2cf88e5ef4a5affb46cb841b7d17e7981bd6e998531193f5d067

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\UserInfo_1.dll
MD5
d1e37112390e6bcca8362788d61becf5

SHA1
d97888f0f69d34de202e7c68b8ff5b2c2fec4c5f

SHA256
77b40d42606d48f817b901f1e5abea114b4288b344b8c193bf3e3c52e469a926

SHA512
04121e5241ad14890095a6cf5e698979820fa97d911918b9b77f2064a713e20f4827f72c057d5da1789bc340d63f391872fe5dfbb79e6c33d3995f82c37fa51f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\UserInfo_1.dll
MD5
d1e37112390e6bcca8362788d61becf5

SHA1
d97888f0f69d34de202e7c68b8ff5b2c2fec4c5f

SHA256
77b40d42606d48f817b901f1e5abea114b4288b344b8c193bf3e3c52e469a926

SHA512
04121e5241ad14890095a6cf5e698979820fa97d911918b9b77f2064a713e20f4827f72c057d5da1789bc340d63f391872fe5dfbb79e6c33d3995f82c37fa51f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_1.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\inetc_17-05-09_2.dll
MD5
51843d1334d3d9e751622541bbc76131

SHA1
a900d1d1ce76187ebc5b743c08de7f77a6a2ce7e

SHA256
af1bc66bcf117b5ba88ed3be3676928eb527c98c50156405ddebe73db1f26e82

SHA512
db2326f56811efb67b2c1a7855a2fdf4145bdacaa1cc3bdadfc586eba4b39eaef4ea95ea4e67fe0d3659dc37ce74da7f18479b016bfa4b602649ef5b61f90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll
MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll
MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll
MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll
MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll
MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll
MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsRandom_1.dll
MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\nsis7z_2.dll
MD5
46e29660c591067e77276fa960625f57

SHA1
3c3206ec4415de4f09a2066a658fa12621e2ed74

SHA256
51f3274fcaf2ef42860f97bed95f407abc60ab31f81a42b38fb2ea1d9b0a434f

SHA512
ed7f9babcaa6244eb8f42350a522f75b5078b2854919e281215a4a4ef62ec4bb731a457f5da3a615419a575986eb96517a6c5238f65b2173138c7fd4ff122d83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\version_1.dll
MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
\Users\Admin\AppData\Roaming\Dashlane\Dashlane.exe
MD5
2209d1766718c58b9ccf13cbc9decb6d

SHA1
22c85932ae10f225f677a3d56b6217efb0d946fa

SHA256
c8f81b31d02b847abc9ba0ea9c5bc507f018ecd3699fe2d2d33215e566d21769

SHA512
bfa6f3fae64fbf3f9826bc5c44b9b7690b45bd98d6e7c7038654813084a03beba29b5fac1e8e5aeb4ebf8db23061ac19937222ab2954336f1c785030903b0049

Download Submit
\Users\Admin\AppData\Roaming\Dashlane\Dashlane.exe
MD5
2209d1766718c58b9ccf13cbc9decb6d

SHA1
22c85932ae10f225f677a3d56b6217efb0d946fa

SHA256
c8f81b31d02b847abc9ba0ea9c5bc507f018ecd3699fe2d2d33215e566d21769

SHA512
bfa6f3fae64fbf3f9826bc5c44b9b7690b45bd98d6e7c7038654813084a03beba29b5fac1e8e5aeb4ebf8db23061ac19937222ab2954336f1c785030903b0049

Download Submit
\Users\Admin\AppData\Roaming\Dashlane\msvcp140.dll
MD5
1fb93933fd087215a3c7b0800e6bb703

SHA1
a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb

SHA256
2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01

SHA512
79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e

Download Submit
\Users\Admin\AppData\Roaming\Dashlane\vcruntime140.dll
MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
memory/872-88-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1032-90-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1676-33-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

Filesize
2.5MB

Download
memory/1708-79-0x0000000000000000-mapping.dmp

Download
memory/1964-75-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1964-73-0x0000000000000000-mapping.dmp

Download
memory/2028-26-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2028-29-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2028-17-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2028-30-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2028-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads