danabot | 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2022 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe
Size

2.4MB
MD5

b493001ef6bf98292b0b89900f66f489
SHA1

a11333fc3d44993631089092cbc2a9cfb015bb20
SHA256

15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc
SHA512

64b9423246dc01761bea88dd381773cab864c6dabd7c2c17b7b7ffe0c066c78ecbc6eed892f83a5b1efd30cd1036c4cc9b0f5950beef2887d6443688141fb23f
SSDEEP

49152:mcMdEeQrxPGoSMoeYirnUfm8X67MDfL/EV5V4:mU94o3Lng5XKMDDy5V

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

17 2072 rundll32.exe
23 2072 rundll32.exe
89 2072 rundll32.exe
91 2072 rundll32.exe

flow	pid	process
17	2072	rundll32.exe
23	2072	rundll32.exe
89	2072	rundll32.exe
91	2072	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\review_browser.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2072 rundll32.exe
4920 svchost.exe
4920 svchost.exe
4524 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2072	rundll32.exe
4920	svchost.exe
4920	svchost.exe
4524	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2072 set thread context of 4648 2072 rundll32.exe rundll32.exe

description	pid	process	target process
PID 2072 set thread context of 4648	2072	rundll32.exe	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Microsoft\main-cef-ui-theme.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\manifest.json	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons_hiContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\index.html	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\s_filetype_psd.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\stop_collection_data.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\ReadOutLoud.api	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Checkers.api	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\export.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\create_form.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\review_browser.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3196 2540 WerFault.exe 15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe

pid	pid_target	process	target process
3196	2540	WerFault.exe	15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DCC5575346E7BA409DD688CA9A00FF5BE5A1EDC9	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DCC5575346E7BA409DD688CA9A00FF5BE5A1EDC9\Blob = 030000000100000014000000dcc5575346e7ba409dd688ca9a00ff5be5a1edc92000000001000000230200003082021f30820188a003020102020868003c4315a5798d300d06092a864886f70d01010b0500302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361747020417574686f72697479301e170d3230313231383137313233335a170d3234313231373137313233335a302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361747020417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100d3150e92760f3d76bfe37cedf5889f5c8ef3b8f7c0416e0734a7294ea2176b9efda8e1c03c1a5f50ff57c295f8d0c40a780d25490805ea82c2934503a66fb801336dd53c18d8ec98540dcda4c73379cdc2c821061e27891807c11f573372de55735b80c3696984ad7e0a0e108d29f11ca67ed4da1e521c9895dca95aabc5e5090203010001a3443042300f0603551d130101ff040530030101ff302f0603551d110428302682244d6963726f736f667420526f6f7420436572746966696361747020417574686f72697479300d06092a864886f70d01010b05000381810080e1bd93939a4fe1fcc22ac93044ad4a3e378ac8a336c87daf11402d4036e4bae9bb23200e708fa99aca71167d73c2f245e579957d12450266a81822d72df7a482f2bfd5a3120ece692e336ae523f234cd639cdfef1c1c278690c3f816845cbd933cb6cfc72ffd2ea9fc52fee3829b51cf87529e71a666bda2f57c450353c808	rundll32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

svchost.exerundll32.exe

pid	process
4920	svchost.exe
4920	svchost.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2072 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4648 rundll32.exe
2072 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2072	rundll32.exe

pid	process
4648	rundll32.exe
2072	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2540 wrote to memory of 2072	2540	15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe	rundll32.exe
PID 2540 wrote to memory of 2072	2540	15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe	rundll32.exe
PID 2540 wrote to memory of 2072	2540	15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe	rundll32.exe
PID 2072 wrote to memory of 4648	2072	rundll32.exe	rundll32.exe
PID 2072 wrote to memory of 4648	2072	rundll32.exe	rundll32.exe
PID 2072 wrote to memory of 4648	2072	rundll32.exe	rundll32.exe
PID 4920 wrote to memory of 4524	4920	svchost.exe	rundll32.exe
PID 4920 wrote to memory of 4524	4920	svchost.exe	rundll32.exe
PID 4920 wrote to memory of 4524	4920	svchost.exe	rundll32.exe
PID 2072 wrote to memory of 4412	2072	rundll32.exe	schtasks.exe
PID 2072 wrote to memory of 4412	2072	rundll32.exe	schtasks.exe
PID 2072 wrote to memory of 4412	2072	rundll32.exe	schtasks.exe
PID 2072 wrote to memory of 4832	2072	rundll32.exe	schtasks.exe
PID 2072 wrote to memory of 4832	2072	rundll32.exe	schtasks.exe
PID 2072 wrote to memory of 4832	2072	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe
"C:\Users\Admin\AppData\Local\Temp\15a2fb61538cecd91d79b1e0520e786313149fd99555796f81aa2d559ac0a5bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2072

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20188
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4648

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4412

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 508
2⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2540 -ip 2540
1⤵
PID:4644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\review_browser.dll",KCgAak1rM3RX
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\review_browser.dll
Filesize
2.4MB

MD5
33b51d9e1b31fe451fea753a85f9a16c

SHA1
80b0eeb933ae089cc3e88ae9413f9fef66633bad

SHA256
af091d7c04379a3a932da2e84f619753dd9be6900b5c9ac75761f1798b1f00a3

SHA512
4c1100fbb5b5ce85d2280941598b06150b1b6897cd6b88a0afca7511cd3d2bfa8837e199577ee5fe266a0c4c64911f3bf94ca4e11604c8784c3cf42df053299f

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\review_browser.dll
Filesize
2.4MB

MD5
33b51d9e1b31fe451fea753a85f9a16c

SHA1
80b0eeb933ae089cc3e88ae9413f9fef66633bad

SHA256
af091d7c04379a3a932da2e84f619753dd9be6900b5c9ac75761f1798b1f00a3

SHA512
4c1100fbb5b5ce85d2280941598b06150b1b6897cd6b88a0afca7511cd3d2bfa8837e199577ee5fe266a0c4c64911f3bf94ca4e11604c8784c3cf42df053299f

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\review_browser.dll
Filesize
2.4MB

MD5
33b51d9e1b31fe451fea753a85f9a16c

SHA1
80b0eeb933ae089cc3e88ae9413f9fef66633bad

SHA256
af091d7c04379a3a932da2e84f619753dd9be6900b5c9ac75761f1798b1f00a3

SHA512
4c1100fbb5b5ce85d2280941598b06150b1b6897cd6b88a0afca7511cd3d2bfa8837e199577ee5fe266a0c4c64911f3bf94ca4e11604c8784c3cf42df053299f

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.dcfmui.msi.16.en-us.xml
Filesize
9KB

MD5
2693cb4d0d47298d60c5b4210d567e56

SHA1
20b67bce8310a93c5756d83d13febdcaff5f3b39

SHA256
d98dec16b13c3e4a23823be0bcd45f685c6dc690ae28954c0c18075e77898f20

SHA512
034cb9620ea7f9aa793ad8e0c8e30b11244e7952d871d1f8cbb1ff6daa765fd9afc2a54f221f0a323511f4aa7b985ff61c2f0b983668c7e390f3f99699dc89c9

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
Filesize
719KB

MD5
e9f03f8b71cac83b7d16ef685cabd0d0

SHA1
c5057520e0a65340360219618632037e7c0c474a

SHA256
fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db

SHA512
1703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp
Filesize
2.3MB

MD5
79be1992fb39e729c8d6c15b21efd6a0

SHA1
e3bd7e7d4c7d2a8594e30aa744f3ec6f267ab242

SHA256
efe79daf25c849c5a539f2c04c8fc3287a479653ab918672aa1fd7fe075fc2cb

SHA512
89ce9f510153e3ce7f4f8aba7d860c2a916043761389dd0de2a8159460e81585f9379651e49fe8132e7e021176cefc4d67edb34b398a18a5f59d3e82ac4f913a

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\DeploymentConfiguration.xml
Filesize
614B

MD5
54cec4437128f703c259efb3dc734386

SHA1
9b15ebe33a771a7e12cd966fd8b583da06914015

SHA256
d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4

SHA512
c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
db0acdbf49f80d3f3b0fb65a71b39341

SHA1
12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

SHA256
f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

SHA512
3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
Filesize
2KB

MD5
c8d6f0d26db52746e243b785c269cacd

SHA1
b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1

SHA256
d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21

SHA512
c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
28KB

MD5
b8c1eec848c415eea04839ad0af75950

SHA1
652ccb0f39fcb73b3fe31a231e490bbdb2a1d0bc

SHA256
694699e06fa830a2fb3b79d472b9d2560686e5ebd752022fd902ff2d1e82c162

SHA512
24f5629b1947690ee9fa911f1620a311db6f9433e77f8db67b468fb8624c3adcbfb21138c591a51d4e2e5f595ce9a5684203543890165fd2e88092cf303fe563

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
827B

MD5
cf7d0dd53bde6261338a343a4a92c3f5

SHA1
f5326546a46c8a7d2400d743fca320a166331757

SHA256
df0af4b8242dcab107aab8d00add27b9797c00002669ff953667869abb6c77c6

SHA512
9cf52da12c7e703fefff7a5295b7475d95a568d050b210a7b53470dad257793257a4242c89fb00fa22c7319c8be96144b193ec1e51c4d3a751af6765a6935148

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
26KB

MD5
26b4cb86e7313855e188214dfee0abe4

SHA1
c4488e4c3c91bb6bd49cc3e68d9fce83c59f8422

SHA256
d182821a1030c629318d6e379cba49ac00db7a2b6aab70a3d245f7418ef490bc

SHA512
78dd7247c0fd372bc146562f46dd453aaa9fc3e4a49fb669240f76bd90249534bf6ca660058bf854eb4c05170a2e2ddabc0813223b61f09f0673fb3939f6f2b1

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml
Filesize
15KB

MD5
2f71d0396b93381c1fd86bf822612868

SHA1
d0801700dd00a51276f32c6ed19f5b713b5db825

SHA256
0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026

SHA512
67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
27KB

MD5
1cef1a17af19cd221b168384320770e5

SHA1
1b694f2e2c2f87becfd9d4d1b271843c928dbfc4

SHA256
cf103015c20fbe6aebd3b83104eb034f2ff6e40187296a5a7e71a9f77013294b

SHA512
61a7f84dc4970a564056407549bc3664bf67d18a93f86a2be73ea39d8fb5d7007bb7531d881e516196c5139c1c5f67d7b602d0b26dfd1f13ebba7e90e3b8c377

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftInternetExplorer2013Backup.xml
Filesize
2KB

MD5
16fa6bd16573d544916a2cb3335a1f13

SHA1
479c5b9375b5b351d7dc217deb159fe92da03f75

SHA256
37e639679abd36b5b59324eea7aa1d602ff9c287e5c07dfd335ee1a85b68fc50

SHA512
9a871284356b2217fc8dbd568c6731def7781cac4550e77824f5c683b29313cd46e444760413ec730e8f70669ff08b62ab9b73c8099115a71eb84d7d728e2873

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftLync2013Win64.xml
Filesize
2KB

MD5
e3a68bbd204d36868c6f5570e4576675

SHA1
bc5c44144e8e962c62f7febabdb3d0ba20a8162a

SHA256
11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac

SHA512
7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftOffice2013Win64.xml
Filesize
66KB

MD5
c08e2d9084398ad29bb453183bb2155d

SHA1
285b0d897ff73444a74bf9e253d30f7cb1f4f2be

SHA256
9ddc306cee7a71d98fe59c39ce5fb74cc7e36c54a55cc46f2e8136c12e890418

SHA512
d032acce3071bb26d688aa4a816d09b6852c3ccb179f66a0001038b94f556a4b04401e02a4dc3b8eb7f4c4aa0fb74aa009a5db786972c56cb08d5dbeeaefad83

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SystemIndex.1.Crwl
Filesize
1KB

MD5
da957d0d371d2f731d0031bfeaf0568a

SHA1
bc1dc9f7072a99df29b899b3ce91cd1641983c01

SHA256
5c2d3c152573048917c9f92305dacac9874d54833253692cd43e3fe294c1cc11

SHA512
d25ed75c26f7d061f7cae535c39942fc12a7558f227244b2024168c94b9ead6d1202de2b4e1d005fc26a96a8365b415378165e58cafcf119832e9e000b713e8c

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\edbres00001.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml
Filesize
1KB

MD5
93a100713ff56b66e15f984d3100aab7

SHA1
4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656

SHA256
0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26

SHA512
df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\sync.ico
Filesize
48KB

MD5
d1c012ba7049a4525a89b26c846ce0d3

SHA1
769fccd1ed39b3b6ce1ec6e44f096107b4375c58

SHA256
fce3d2b3ca14bbb41fcb8956ef80af38976f4c32787cc1ac3cc1e465ce0453cc

SHA512
538b3c161e3192d3cb8b78f0fb5f863ae84d04a9f236a876e5002a90189cb4b5beea496aefb444de2dd9ea45d1f530359b38d6a45f3260d1d14924bd31918dc9

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\tasks.xml
Filesize
11KB

MD5
6ab160b8998020e6d4373c003e9879d4

SHA1
efa87d3fb95a73a892ed88b08651c44fe03c150f

SHA256
faf021b3c06abc41a9fb8e021171fd0ea41684b732a8e77433e447af8e527516

SHA512
c923c48b0b5c741777666ca161864879defd50c299ae76d9f093ffb846d144600c99d281d879f9328509061f3ae6784a706f15248e0fed7bfd7a595b389aae1b

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\user-32.png
Filesize
441B

MD5
a60e1edd0e806500b9247ebc886d1ecd

SHA1
bb96af6a28162ea763117b838534829bf3dc632e

SHA256
0e73d224603c23ae46c24341826dc6bdcfc9bda04b2ebd261537f439ed229de9

SHA512
fdd37f5da650f99f7657285a5f062f19caa99f969676f1b426f1c0a928eed6fe1698d4ba515ba6245e8a24e3ddf02ee6e5f6a3bade221cfc09444b43839b7070

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
733d25a59258bfe67114108835b911cc

SHA1
29dce79233a81e032fd0d95c4f3895572ef9bd22

SHA256
1b876c32b66fbee9831328076d7d7bef88cdd672d2caf70b4e5965db34642d9f

SHA512
61ed9c6ef45a52bb840834766fb1d6170a2bc70dd4ae5eb68d816eb37844a6d4702412a4a21b5990dc03e6a90239c1c8da6ad2a28cb3fcd2dc715c69cd6e11d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
733d25a59258bfe67114108835b911cc

SHA1
29dce79233a81e032fd0d95c4f3895572ef9bd22

SHA256
1b876c32b66fbee9831328076d7d7bef88cdd672d2caf70b4e5965db34642d9f

SHA512
61ed9c6ef45a52bb840834766fb1d6170a2bc70dd4ae5eb68d816eb37844a6d4702412a4a21b5990dc03e6a90239c1c8da6ad2a28cb3fcd2dc715c69cd6e11d7

Download Submit
\??\c:\program files (x86)\msbuild\microsoft\review_browser.dll
Filesize
2.4MB

MD5
33b51d9e1b31fe451fea753a85f9a16c

SHA1
80b0eeb933ae089cc3e88ae9413f9fef66633bad

SHA256
af091d7c04379a3a932da2e84f619753dd9be6900b5c9ac75761f1798b1f00a3

SHA512
4c1100fbb5b5ce85d2280941598b06150b1b6897cd6b88a0afca7511cd3d2bfa8837e199577ee5fe266a0c4c64911f3bf94ca4e11604c8784c3cf42df053299f

Download Submit
memory/2072-143-0x00000000036B0000-0x0000000003DD5000-memory.dmp

Filesize
7.1MB

Download
memory/2072-141-0x00000000036B0000-0x0000000003DD5000-memory.dmp

Filesize
7.1MB

Download
memory/2072-151-0x0000000003F19000-0x0000000003F1B000-memory.dmp

Filesize
8KB

Download
memory/2072-134-0x0000000000000000-mapping.dmp

Download
memory/2072-148-0x0000000003EA0000-0x0000000003FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2072-149-0x0000000003EA0000-0x0000000003FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2072-147-0x0000000003EA0000-0x0000000003FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2072-156-0x00000000036B0000-0x0000000003DD5000-memory.dmp

Filesize
7.1MB

Download
memory/2072-146-0x0000000003EA0000-0x0000000003FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2072-145-0x0000000003EA0000-0x0000000003FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2072-144-0x0000000003EA0000-0x0000000003FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2072-138-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2072-142-0x00000000036B0000-0x0000000003DD5000-memory.dmp

Filesize
7.1MB

Download
memory/2072-140-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2540-132-0x00000000009E3000-0x0000000000C2E000-memory.dmp

Filesize
2.3MB

Download
memory/2540-136-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2540-133-0x0000000002610000-0x0000000002995000-memory.dmp

Filesize
3.5MB

Download
memory/2540-139-0x0000000002610000-0x0000000002995000-memory.dmp

Filesize
3.5MB

Download
memory/4412-197-0x0000000000000000-mapping.dmp

Download
memory/4524-190-0x00000000033F0000-0x0000000003B15000-memory.dmp

Filesize
7.1MB

Download
memory/4524-195-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/4524-184-0x0000000000000000-mapping.dmp

Download
memory/4524-196-0x00000000033F0000-0x0000000003B15000-memory.dmp

Filesize
7.1MB

Download
memory/4524-188-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/4524-189-0x00000000033F0000-0x0000000003B15000-memory.dmp

Filesize
7.1MB

Download
memory/4648-157-0x0000015D0C6D0000-0x0000015D0C8FA000-memory.dmp

Filesize
2.2MB

Download
memory/4648-155-0x0000015D0C6D0000-0x0000015D0C8FA000-memory.dmp

Filesize
2.2MB

Download
memory/4648-152-0x0000015D0E0A0000-0x0000015D0E1E0000-memory.dmp

Filesize
1.2MB

Download
memory/4648-154-0x0000015D0E0A0000-0x0000015D0E1E0000-memory.dmp

Filesize
1.2MB

Download
memory/4648-153-0x0000000000370000-0x0000000000589000-memory.dmp

Filesize
2.1MB

Download
memory/4648-150-0x00007FF6E7566890-mapping.dmp

Download
memory/4832-198-0x0000000000000000-mapping.dmp

Download
memory/4920-162-0x0000000001140000-0x00000000013B1000-memory.dmp

Filesize
2.4MB

Download
memory/4920-173-0x0000000001AE0000-0x0000000002205000-memory.dmp

Filesize
7.1MB

Download
memory/4920-172-0x0000000001AE0000-0x0000000002205000-memory.dmp

Filesize
7.1MB

Download
memory/4920-171-0x0000000001AE0000-0x0000000002205000-memory.dmp

Filesize
7.1MB

Download
memory/4920-161-0x0000000001140000-0x00000000013B1000-memory.dmp

Filesize
2.4MB

Download
memory/4920-199-0x0000000001140000-0x00000000013B1000-memory.dmp

Filesize
2.4MB

Download
memory/4920-200-0x0000000001AE0000-0x0000000002205000-memory.dmp

Filesize
7.1MB

Download