Malware Analysis Report

2025-05-28 14:51

Sample ID 221219-l1qwhahg9v
Target 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7
SHA256 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7
Tags
danabot banker collection discovery persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7

Threat Level: Known bad

The file 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7 was found to be: Known bad.

Malicious Activity Summary

danabot banker collection discovery persistence spyware stealer trojan

Danabot

Sets service image path in registry

Sets DLL path for service in the registry

Blocklisted process makes network request

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies system certificate store

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

outlook_office_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-19 10:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-19 10:00

Reported

2022-12-19 10:02

Platform

win10v2004-20221111-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeID\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AdobeID.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeID\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2668 set thread context of 3748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\application.ini C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\init.js C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\65A3FCD29309972AA2E993584A547C1B49842F26 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\65A3FCD29309972AA2E993584A547C1B49842F26\Blob = 03000000010000001400000065a3fcd29309972aa2e993584a547c1b49842f2620000000010000006e0200003082026a308201d3a0030201020208454d26b4610653bc300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f6f65204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230313231393131303232325a170d3234313231383131303232325a305a3122302006035504030c1942616c74696d6f6f65204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100b009c25363d83a3ea9dccae4f2eaf96f1aace69a872f2f8c9b6baa537ff13ddd74f079b9405ad6e9ddd6421fe7e49a0a04e207f155f8437a24caddc6ded2314041ab4152466ca53bc25270c3d047141ff9464c4028ca994b8014d689725026b1b5ccf5e3977b5a9b5f6d0c8cd42ecb6ce667b513484dbd8420ed0d02e05ef94b0203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f6f65204379626572547275737420526f6f74300d06092a864886f70d01010b05000381810040dbd87e9a91bcd996383cb38433de6a75635fb8b89787db3468d424d9cab0e0d85332eb10fab50c51b545cb979d430eab5fe1c3568b736f8953bacd6e8ec930937b8bf09f048b59fd48d8de6cff2260d8421b932f73bc62d8f1c369ab1c8f53af0c44e0bea854d46947066d716453503c9e70e20a576ac729fb9377a4010ea5 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe C:\Windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 3748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 3748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 3748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4352 wrote to memory of 1240 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4352 wrote to memory of 1240 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4352 wrote to memory of 1240 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 3940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 3940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 3940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2320 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2320 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2320 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe

"C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3432 -ip 3432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 556

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobeid.dll",bEUn

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:23973 tcp
N/A 127.0.0.1:1312 tcp
N/A 20.50.80.209:443 tcp
N/A 104.80.225.205:443 tcp
N/A 72.21.81.240:80 tcp
N/A 72.21.81.240:80 tcp
N/A 72.21.81.240:80 tcp
N/A 8.247.210.254:80 tcp
N/A 23.236.181.126:443 tcp
N/A 127.0.0.1:23973 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:23970 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23970 tcp
N/A 127.0.0.1:23973 tcp
N/A 127.0.0.1:23970 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23973 tcp
N/A 127.0.0.1:23970 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23973 tcp
N/A 127.0.0.1:23970 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23970 tcp
N/A 127.0.0.1:23973 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23970 tcp
N/A 127.0.0.1:23973 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23970 tcp

Files

memory/2668-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/3432-135-0x0000000002342000-0x0000000002418000-memory.dmp

memory/3432-136-0x0000000002420000-0x0000000002535000-memory.dmp

memory/3432-137-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2668-138-0x00000000047D0000-0x0000000004EF5000-memory.dmp

memory/2668-139-0x00000000047D0000-0x0000000004EF5000-memory.dmp

memory/2668-140-0x0000000004FC0000-0x0000000005100000-memory.dmp

memory/2668-141-0x0000000004FC0000-0x0000000005100000-memory.dmp

memory/2668-142-0x0000000004FC0000-0x0000000005100000-memory.dmp

memory/2668-143-0x0000000004FC0000-0x0000000005100000-memory.dmp

memory/2668-144-0x0000000004FC0000-0x0000000005100000-memory.dmp

memory/2668-145-0x0000000004FC0000-0x0000000005100000-memory.dmp

memory/3748-146-0x00007FF60E1A6890-mapping.dmp

memory/3748-147-0x0000020888270000-0x00000208883B0000-memory.dmp

memory/3748-148-0x0000020888270000-0x00000208883B0000-memory.dmp

memory/3748-149-0x00000000005F0000-0x0000000000809000-memory.dmp

memory/3748-150-0x00000208868A0000-0x0000020886ACA000-memory.dmp

memory/2668-151-0x00000000047D0000-0x0000000004EF5000-memory.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.dll

MD5 c3af683c9c6920324e495f78c375fc53
SHA1 330fb8e030e63b57919e59a2405007ed956a8206
SHA256 ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686
SHA512 baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 b3422857a7d7e642950c80522bb39ba3
SHA1 316de4d290078b0aec174a6a161c1dac654bcd01
SHA256 5fa7cac49ed9e36fc87f8ccd4cf164bb8e2487c348374a267544a1e01dd1b509
SHA512 941ec15dd866f1125181cf57d4a00337e078f3172689b996584fe103647b006953fab2059ce2c7ce8cfbf3bd4991db8a4ce7a57c5ba125347ce6209595786cb8

\??\c:\program files (x86)\windowspowershell\modules\adobeid.dll

MD5 c3af683c9c6920324e495f78c375fc53
SHA1 330fb8e030e63b57919e59a2405007ed956a8206
SHA256 ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686
SHA512 baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b

memory/4352-155-0x0000000003C30000-0x0000000004355000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

MD5 1a3168a15983b890b16390a23a89a02e
SHA1 d56ce16d88d79159a27c2d1cd3770dc56d897ebe
SHA256 334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946
SHA512 f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

memory/4352-161-0x0000000003C30000-0x0000000004355000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

MD5 a8664f5906d9060a0a87bc01e35179bb
SHA1 1bbbc9f10431d2941805907a8a6d4009f4e2938c
SHA256 a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309
SHA512 389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f

memory/1240-162-0x0000000000000000-mapping.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.privacy.json

MD5 4870433b19757ef8721b38acf2baa272
SHA1 d9def40343d41a6a80e936fc12db58ebb3e3fdb8
SHA256 cf39cf82fe54738a64f566a0f947ddabf90b7af56a899596fb34dca2a67ddfbc
SHA512 79c72e2c4d8a8538879f11c09877f78ea363ee28f70da66cae50a3372e600a1939372945dc4542a5ee649c18adb5e7d1129fc97635d48c165737193f8b682550

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml

MD5 996f11041df0526341cebbbd40a98390
SHA1 37f652515ef8c662840086d743f7f68d327cce52
SHA256 bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e
SHA512 6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe.xml

MD5 7e913c1a399dd176eea1bb8f2be26268
SHA1 6be9a44820ffbabb10202af890da00c9aa2dfec2
SHA256 5295393602a18f301613c7160e24f88816070a41cf69b32c821b6d3858541b4a
SHA512 dc52de8489f586081c246a297a35987eb7f74e122f475df88cfdc683787fe532e609db3b43915c73f7f172e1a4fc13efacd1b52252d1041e5c8f4dd190009105

C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.dll

MD5 c3af683c9c6920324e495f78c375fc53
SHA1 330fb8e030e63b57919e59a2405007ed956a8206
SHA256 ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686
SHA512 baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 b63af1a19730beb752f7eb64812f9e9e
SHA1 6613300d11a6532284715d4d42bf954fa2f4f467
SHA256 6b0ef8c1101b0a4db4019bd38c191c645efbf2a3306c4474e202a6642d1ff7b5
SHA512 96c1db795e860e1919c31d22d74c255279b8fc85a25f187c13562267203ee889309b839880a34d28bf1e7fd16e0d2f52ccf59d0e5beca57b487ce31dd370b749

memory/1240-165-0x0000000004660000-0x0000000004D85000-memory.dmp

memory/1240-166-0x0000000004660000-0x0000000004D85000-memory.dmp

memory/3940-167-0x0000000000000000-mapping.dmp

memory/2320-168-0x0000000000000000-mapping.dmp

memory/4352-169-0x0000000003C30000-0x0000000004355000-memory.dmp