Malware Analysis Report

2025-05-28 14:51

Sample ID 221219-j8htraee94
Target 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
SHA256 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
Tags
danabot banker collection discovery persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97

Threat Level: Known bad

The file 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97 was found to be: Known bad.

Malicious Activity Summary

danabot banker collection discovery persistence spyware stealer trojan

Danabot

Sets DLL path for service in the registry

Blocklisted process makes network request

Sets service image path in registry

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

Checks processor information in registry

outlook_win_path

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-19 08:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-19 08:20

Reported

2022-12-19 08:22

Platform

win10-20220812-en

Max time kernel

133s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_same_reviewers\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_same_reviewers.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_same_reviewers\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_same_reviewers\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3476 set thread context of 3680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AXSLE.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\IA32.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Review_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_joined.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\stop_collection_data.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355944a100054656d7000003a0009000400efbe0c55a7899355944a2e000000000000000000000000000000000000000000000000002ef12801540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe C:\Windows\SysWOW64\rundll32.exe
PID 2780 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe C:\Windows\SysWOW64\rundll32.exe
PID 2780 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 3680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3476 wrote to memory of 3680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3476 wrote to memory of 3680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3476 wrote to memory of 4112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 4112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 4112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 4944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 4944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 4944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3476 wrote to memory of 200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe

"C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24002

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\review_same_reviewers.dll",VjkdbldPeQ==

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 20.50.201.195:443 tcp
N/A 127.0.0.1:24002 tcp
N/A 95.101.78.106:80 tcp
N/A 127.0.0.1:1312 tcp
N/A 23.236.181.126:443 tcp
N/A 127.0.0.1:24002 tcp
N/A 25.213.243.125:443 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24002 tcp
N/A 127.0.0.1:1312 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

\??\c:\program files (x86)\windowspowershell\modules\review_same_reviewers.dll

MD5 cafb18c5a32c85ebe846d736c7497d3c
SHA1 860101785982c3877e7cfbcebfd2a78fd40e6491
SHA256 927c9e152fe94e83223e7adc97c754a7ff2bb837e88e5379b7f940ab8926cf85
SHA512 8c2ae056a5605cc30bca76cd783bd66f75184a00cb261163ae74c247fc79ee454660aa8b22b26db0c39836c582b8b3e7b09b4c68aef4ffe2e1d9495dd555d2be

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 f7e0d6c9f7a4b410025dcb43c9c4e9ea
SHA1 562bb160a37659628ee22916e34b2d5ac3036985
SHA256 2de836b400284fba52a8dedf08e34e1f55f6779e16f01a8debef343521d405dd
SHA512 451c0bd3e3f5a8bfef4169fdf01bee92cf260239945585dbd59e88fb3a0050a88630c67e8760cd164ff2082aa03d9c02624e44efa4e1a55020696df85ff5e00f

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\scan_.ico

MD5 a161b3f9fd62c3931fbd79512810cffa
SHA1 a63f1d8945b983356b66819b3aa5b0bd409995e4
SHA256 d3ba9eecc5e87b384242385078846cff82051194887ce2d7343bb7b60e7a26d7
SHA512 f07776d386a39b20e3721b7450248e458ecd6f477197028aa42e2ab6a2731a002170a5415fb02fadac40b1b97acee3b5064ff76606ba2bcc14f7e7b674524299

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\116__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml

MD5 94de53673235e5f020beae2e9cd5f524
SHA1 3eac9d16162ec495b5e17897a6455c6efb255fd9
SHA256 f6206b943399614c8c08daa015fd9ba01c8bfd61e47188c573affafdcf5f3525
SHA512 4d89a2326f4ffabdbe7f28ffad7b7d30dd3f26c234d99efd399c0250456d5395f19dad285dffa5f3a4197af35369af473a090fc5aa1c48c1fbb3e2117353fba8

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\s640.hash

MD5 bef40d5a19278ca19b56fbcdde7e26ef
SHA1 4f01d5b8de038e120c64bd7cc22cf150af1452fb
SHA256 7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d
SHA512 5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MasterDatastore.xml

MD5 d6650e3886f3c95fb42d4f0762b04173
SHA1 1da4b8bb6bb45d576616ad843cf6e4c2e9d4784b
SHA256 9101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9
SHA512 1f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\0__Power_Policy.provxml

MD5 fdab2b3426d106210e616103cacf57ba
SHA1 5972f2e5dcecc133ee431ea6fd85271c22e67b3b
SHA256 e5b49aef39aba5f51a3d2724418b8848721b0e5d7459e5e9a3deec161a3ab4b1
SHA512 ec116a9370446129ad7f7c4767c213bc0a75c3bca6d1e7a2d4705f167a841b5af8e3edaad1924090d78870fa328ed773d3e45a2f2037b2c917b79dd68aa47c5e

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml

MD5 8a660378169f2615d70683a49d6540c9
SHA1 4e78f156eb4b8766568071e81b793f05b9ea7658
SHA256 f288b4ffdb060471a51dcea18c8e104c62cfcd8c37d7a41ee343145b4953cf46
SHA512 754bc1a9c90e4c4ea6cf1881d26c1afbb049870f41ff71c7c943726a1706f6b0b44a2f32742065f9d5eacc54d21cb54b76f5f17315af04614612f9cc58e46648
