Malware Analysis Report

2025-05-28 14:51

Sample ID 221219-mzjapshh5w
Target bf8c7929bc3f4fad1da578dd2b73cc0d.exe
SHA256 aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f
Tags
danabot banker discovery persistence trojan collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f

Threat Level: Known bad

The file bf8c7929bc3f4fad1da578dd2b73cc0d.exe was found to be: Known bad.

Malicious Activity Summary

danabot banker discovery persistence trojan collection spyware stealer

Danabot

Blocklisted process makes network request

Sets DLL path for service in the registry

Sets service image path in registry

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

outlook_win_path

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-19 10:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-19 10:54

Reported

2022-12-19 10:56

Platform

win7-20220812-en

Max time kernel

130s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\setup\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\setup\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1072 set thread context of 1992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\HLS.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\Flash.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\drvDX9.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\AUMProduct.aup C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\AcroSign.prc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\AGMGPUOptIn.ini C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\setup.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HLS.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Flash.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\Adobe AIR Application Installer.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\Vdk10.rst C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 1992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1072 wrote to memory of 1992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1072 wrote to memory of 1992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1072 wrote to memory of 1992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1072 wrote to memory of 1992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe

"C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows media player\en-us\setup.dll",Ew0GTA==

Network

Country Destination Domain Proto
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:23979 tcp
N/A 127.0.0.1:1312 tcp
N/A 23.236.181.126:443 tcp
N/A 47.148.244.38:443 tcp
N/A 127.0.0.1:23979 tcp

Files

memory/1092-54-0x0000000000520000-0x00000000005F6000-memory.dmp

memory/1092-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

memory/1072-56-0x0000000000000000-mapping.dmp

memory/1092-57-0x0000000000520000-0x00000000005F6000-memory.dmp

memory/1092-58-0x0000000001E70000-0x0000000001F85000-memory.dmp

memory/1092-60-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/1072-63-0x0000000004340000-0x0000000004A65000-memory.dmp

memory/1072-65-0x0000000004340000-0x0000000004A65000-memory.dmp

memory/1072-67-0x0000000004A70000-0x0000000004BB0000-memory.dmp

memory/1072-66-0x0000000004A70000-0x0000000004BB0000-memory.dmp

memory/1072-68-0x0000000004A70000-0x0000000004BB0000-memory.dmp

memory/1992-69-0x0000000000280000-0x0000000000499000-memory.dmp

memory/1072-71-0x0000000004A70000-0x0000000004BB0000-memory.dmp

memory/1072-72-0x0000000004A70000-0x0000000004BB0000-memory.dmp

memory/1072-73-0x0000000004A70000-0x0000000004BB0000-memory.dmp

memory/1992-74-0x00000000FF183CEC-mapping.dmp

memory/1992-75-0x00000000023A0000-0x00000000024E0000-memory.dmp

memory/1992-76-0x00000000023A0000-0x00000000024E0000-memory.dmp

memory/1992-77-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

memory/1992-78-0x0000000000280000-0x0000000000499000-memory.dmp

memory/1992-79-0x0000000001FC0000-0x00000000021EA000-memory.dmp

memory/1072-80-0x0000000004340000-0x0000000004A65000-memory.dmp

\??\c:\program files (x86)\windows media player\en-us\setup.dll

MD5 3b8c01a632d938578eef896ccd41671e
SHA1 34fc63311001e746be782c7e5c521f6de0c06560
SHA256 0755d71814ba2bc900f80a18a843e8c90ce7e835470feed459e8aa7b7d5230b0
SHA512 6bdb9963b49f636abfb1634aa51608caa21c64eb7c6f6b88d98a8ca6184dd01714bacdb0f101e33921d271b70d34b5189a81d715ee231f15245fdbf34a0052d8

\Program Files (x86)\Windows Media Player\en-US\setup.dll

MD5 3b8c01a632d938578eef896ccd41671e
SHA1 34fc63311001e746be782c7e5c521f6de0c06560
SHA256 0755d71814ba2bc900f80a18a843e8c90ce7e835470feed459e8aa7b7d5230b0
SHA512 6bdb9963b49f636abfb1634aa51608caa21c64eb7c6f6b88d98a8ca6184dd01714bacdb0f101e33921d271b70d34b5189a81d715ee231f15245fdbf34a0052d8

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 869690458a216453e8e0f5910159799d
SHA1 14091af8fdafe57ec3cf0d5d81c0efdb6865c00e
SHA256 0ca76cf72c870d595aff7768b547a6ea286753cc1316247fb1ceb3a8df629200
SHA512 3346eb6d71b31644517a7308d26db7ed877f23d0935b4d0f2d0bcf523e4abe338bc1b2a646e23f15e4417a1914a877d473adfaa5fe902057f48bc7b14800e8a1

memory/1424-85-0x00000000039B0000-0x00000000040D5000-memory.dmp

memory/1424-87-0x00000000039B0000-0x00000000040D5000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\PUB6INTL.DLL.trx_dll

MD5 353eade55c876d2a702479ae98081e2c
SHA1 2c9f4d58599c1289346f86a9a7df7d41b4deb61a
SHA256 c1312960877c626a07f1df8de16796c14a4399a8a0c97499d1f8978164769e4e
SHA512 36185b3645797322084970b0359c6120a41b06dc3bcd5ad9974188b8cbbde4f59e22a928d3f5c946819237b5f2b6fca8677b03a4b005d0ddcfa381c57ce3bb22

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile40.bmp

MD5 8850c1f63d9932bb2d8e957ed72d8fdf
SHA1 44271a436bed981ced2c5f3839733bbaa54dc8e3
SHA256 419b5f32629b747ac897aa66acf77ef2320d4f066470d616e21fd248a4a55f29
SHA512 8a33601de5ae88e7dc7aac1325514f68c5e8e40fc7514fa1d1542e78fddeb6612b26a04bd109e40efc36efb591f5bef48693a918219b9e56598677cb26e1978f

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 3fa23a5b3f10859d6230631e09bc56e8
SHA1 c2c0226a2228311235212d4213b1d62df0122166
SHA256 76a3ee0605b98817ff15952ab249bd6f9239a5ba71b785c8d57cba815221d1a1
SHA512 0faf762cdb08670aa39fc9206f9fd39c364099321564d3ee3a3b73ca348ad6614cca41c278546fb2ab2f0a5afa48c5e424efbb4cce46aa024a83aa279c863281

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Ringtone 06.wma

MD5 39cbaeceb3ba026de6ec8befece06bfe
SHA1 1d12b18db90554a9aad06b7da9c010fe1761ce4a
SHA256 a087efb43da9d3ea0c93d976ec790c5faf4a2cd6de70af89f837b185b260eba3
SHA512 849d64d97127c28b79f05d4f675f296901965a08884b46d2d2ba1341e93d9c8f01fa9b8bef06fa44b62142fa2a1a6c93b02566294f635edb9dce7d8645942571

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile16.bmp

MD5 d342c2b5f3d16dc992db22cb737ad617
SHA1 615a98744fb22809454b706174597a4d6b6d128b
SHA256 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486
SHA512 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ONINTL.DLL.trx_dll

MD5 1fb695309ab96119794ebf365c78bd17
SHA1 f49f3f1f8ae2ecd33891ec2a186b9ff1d2d335d3
SHA256 7e0893d720e500c139f8cf09dc40c7ef336651954378867b382af32ee0960a3e
SHA512 301b579a135e97a95882d53128f4ac66cd039bf57d55f6e41c2421ed9c03820eb05a5a3717b6d553207c028a883900fa46851f7de65ae1fbb39aa949f3c33adf

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\folder.ico

MD5 bbf9dbdc079c0cd95f78d728aa3912d4
SHA1 051f76cc8c6520768bac9559bb329abeebd70d7c
SHA256 bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2
SHA512 af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_MKWD_AssetId.H1W

MD5 c0ff478794c0e0e95c04332036782234
SHA1 05187b9381ac1df0ae1ab4a8746f3a4d8ed8f06a
SHA256 a206d8c382ef5fc79f1cc6e542d4cb8cb0f81d494d3b69a21cca5e203d342ceb
SHA512 f9e18b2cbe45eb31c9a13253dbd730791ec35c823a227bb5067cba45c19e205e65238d97ce1683536271bf7e320744b88b33ff8134c9cd832535e43cc845f36c

memory/1164-96-0x0000000000000000-mapping.dmp

memory/1424-97-0x00000000039B0000-0x00000000040D5000-memory.dmp

memory/1164-103-0x0000000003910000-0x0000000004035000-memory.dmp

memory/1164-105-0x0000000003910000-0x0000000004035000-memory.dmp

memory/1164-106-0x0000000003910000-0x0000000004035000-memory.dmp

\Program Files\Mozilla Firefox\firefox.exe

MD5 d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1 124d3c2ba93644ac6c2d7253de242b46be836692
SHA256 8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512 f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-19 10:54

Reported

2022-12-19 10:56

Platform

win10v2004-20220812-en

Max time kernel

126s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CPDF_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\CPDF_RHP..dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CPDF_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5040 set thread context of 224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_bow.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP..dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\bl.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\fillandsign.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\IA32.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\main.css C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int_2x.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe

"C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 556

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23986

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\cpdf_rhp..dll",f1coTVZHMg==

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
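
The process chain above (the dropped Ipoetwsuqhd.tmp loaded through rundll32, a second DLL loaded from Program Files (x86)\WindowsPowerShell\Modules under a doubled-extension name with a base64-looking entry point, and the Wininet CacheTask being stopped and restarted with schtasks) can be matched from process-creation telemetry alone. The Python below is an added example, not part of the sandbox report or of the sample: it runs over the command lines listed above, embedded as sample input, and flags the ones a detection engineer would want surfaced. The trusted-directory list, the reason strings and the base64 heuristic are the example's own assumptions, not something the report defines.

```python
"""Flag the rundll32 / schtasks pattern shown in this report's process tree."""
import re
from typing import List, Optional, Tuple

# Command lines copied from the Processes section of this report (sample input).
SAMPLE_COMMAND_LINES: List[str] = [
    r'"C:\Users\Admin\AppData\Local\Temp\bf8c7929bc3f4fad1da578dd2b73cc0d.exe"',
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 556',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23986',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
    r'C:\Windows\SysWOW64\svchost.exe -k LocalService',
    r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\cpdf_rhp..dll",f1coTVZHMg==',
    r'schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask',
    r'schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask',
]

# Reason strings are this example's own labels (assumption, not report fields).
R_UNTRUSTED_DIR = "rundll32 loads a DLL from outside System32/SysWOW64"
R_DOUBLE_EXT = "DLL name carries a doubled extension separator (e.g. '..dll')"
R_B64_ENTRY = "entry point looks base64-encoded rather than an exported name"
R_CACHETASK = "schtasks stops or starts \\Microsoft\\Windows\\Wininet\\CacheTask"

# Assumed list of directories from which rundll32 loading a DLL is normal.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RUNDLL32_RE = re.compile(r'rundll32\.exe"?\s+(?P<rest>.*)$', re.IGNORECASE)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={1,2}$")
CACHETASK_RE = re.compile(
    r"\bschtasks(?:\.exe)?\s+/(?:end|run)\s+/tn\s+\\microsoft\\windows\\wininet\\cachetask\b",
    re.IGNORECASE,
)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry_point) for a rundll32 command line, else None.

    Handles both the quoted form  rundll32.exe "C:\\x\\y.dll",Entry args
    and the unquoted form          rundll32.exe C:\\x\\y.dll,Entry args
    """
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:
        comma = rest.find(",")  # unquoted path ends at the entry-point separator
        if comma < 0:
            return None
        dll, tail = rest[:comma], rest[comma:]
    if not tail.startswith(","):
        return None
    entry = tail[1:].split(None, 1)[0] if tail[1:].strip() else ""
    return dll, entry


def dll_in_trusted_dir(dll_path: str) -> bool:
    return dll_path.lower().startswith(TRUSTED_DLL_DIRS)


def has_doubled_extension(dll_path: str) -> bool:
    name = dll_path.rsplit("\\", 1)[-1].lower()
    return re.search(r"\.\.[a-z0-9]+$", name) is not None


def base64_like_entry(entry: str) -> bool:
    # Only padded strings are flagged; ordinals (#61) and plain export names pass.
    return BASE64_RE.match(entry) is not None


def analyze(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return [(command line, [reasons])] for every command line that fires a check."""
    findings: List[Tuple[str, List[str]]] = []
    for cmd in cmdlines:
        reasons: List[str] = []
        parsed = parse_rundll32(cmd)
        if parsed:
            dll, entry = parsed
            if not dll_in_trusted_dir(dll):
                reasons.append(R_UNTRUSTED_DIR)
            if has_doubled_extension(dll):
                reasons.append(R_DOUBLE_EXT)
            if base64_like_entry(entry):
                reasons.append(R_B64_ENTRY)
        if CACHETASK_RE.search(cmd):
            reasons.append(R_CACHETASK)
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in analyze(SAMPLE_COMMAND_LINES):
        print(cmd)
        for r in reasons:
            print("   ->", r)
```

The base64 check fires only on padded strings, so the first rundll32 stage (export name Sufeidweoe) is caught by the directory check rather than the entry-point check, while the two shell32.dll invocations and WerFault.exe pass every check. On a live host the same logic belongs over Sysmon event ID 1 or Security event 4688 command lines, with the parent process as the next field to add.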

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 N/A tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 209.197.3.8:80 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 127.0.0.1:23986 N/A tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 23.236.181.126:443 N/A tcp
N/A 65.40.213.67:443 N/A tcp
N/A 127.0.0.1:23986 N/A tcp
N/A 224.0.0.251:5353 N/A udp
N/A 127.0.0.1:1312 N/A tcp
N/A 127.0.0.1:23983 N/A tcp
N/A 127.0.0.1:23983 N/A tcp
N/A 127.0.0.1:23986 N/A tcp

Files

memory/4436-132-0x0000000002280000-0x0000000002356000-memory.dmp

memory/4436-134-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4436-133-0x00000000023F0000-0x0000000002505000-memory.dmp

memory/5040-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/4436-138-0x0000000000400000-0x0000000000517000-memory.dmp

memory/5040-139-0x00000000041A0000-0x00000000048C5000-memory.dmp

memory/5040-140-0x00000000041A0000-0x00000000048C5000-memory.dmp

memory/5040-141-0x0000000004AF0000-0x0000000004C30000-memory.dmp

memory/5040-142-0x0000000004AF0000-0x0000000004C30000-memory.dmp

memory/5040-143-0x0000000004AF0000-0x0000000004C30000-memory.dmp

memory/5040-144-0x0000000004AF0000-0x0000000004C30000-memory.dmp

memory/5040-145-0x0000000004AF0000-0x0000000004C30000-memory.dmp

memory/5040-146-0x0000000004AF0000-0x0000000004C30000-memory.dmp

memory/224-147-0x00007FF67A5C6890-mapping.dmp

memory/224-149-0x00000143516D0000-0x0000014351810000-memory.dmp

memory/5040-148-0x0000000004B69000-0x0000000004B6B000-memory.dmp

memory/224-150-0x00000143516D0000-0x0000014351810000-memory.dmp

memory/224-151-0x000001434FE90000-0x00000143500BA000-memory.dmp

memory/224-152-0x0000000000A30000-0x0000000000C49000-memory.dmp

memory/5040-153-0x00000000041A0000-0x00000000048C5000-memory.dmp

memory/224-154-0x000001434FE90000-0x00000143500BA000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\cpdf_rhp..dll

MD5 880da7026523afdebf6a98e74fd307ff
SHA1 8b747e37a942136a6e5c53deacc5ed60dea6e15c
SHA256 7c465ca42e5c8a89040d012d2986e2b76856e2ca9c6898dddb7821c11460b815
SHA512 92d51a54140630648d536322bd429e67d2a48cfad66b7c2e407dc75a43f55fd3e5e6207684845a5bcdfd2d9418dd28f5b550ab5228bca3d15a8bae789e39fc6d

C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP..dll

MD5 880da7026523afdebf6a98e74fd307ff
SHA1 8b747e37a942136a6e5c53deacc5ed60dea6e15c
SHA256 7c465ca42e5c8a89040d012d2986e2b76856e2ca9c6898dddb7821c11460b815
SHA512 92d51a54140630648d536322bd429e67d2a48cfad66b7c2e407dc75a43f55fd3e5e6207684845a5bcdfd2d9418dd28f5b550ab5228bca3d15a8bae789e39fc6d

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 9fe39627a8722a7a447a50db5af2fad7
SHA1 11f71c56bbc752f65aae9029ea2f896b7d27c1d3
SHA256 65c5873d5f2342b4bd23691667578d14ea059e7c81ca0129aca6e05441adfde5
SHA512 bb4838b79dca928ceae04bb045ef8869a4d2acf87b3fd28477b437a3af15accb661b1ae87182a340742d0a28f62b37b44e2b15ac3f69f086886b1038415188ab

memory/4460-158-0x0000000003970000-0x0000000004095000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml

MD5 c8d6f0d26db52746e243b785c269cacd
SHA1 b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1
SHA256 d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21
SHA512 c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe.xml

MD5 ca7452f3c00cc3083d549346e3726b1c
SHA1 64c6e09bffa49ef36ab0ac3a7a0d98ff944eb89a
SHA256 a8736abe4c9f3715f7f737db3437af332373204263e458978f653a1c860f088b
SHA512 1a307069368230702b9d397640e4ae16cad64958aea87437b9d0c443a43242d0e72bab932be1a5fa294138c792cdbd0752edb783afe51d253cb7502fa0bc719d

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MasterDescriptor.x-none.xml

MD5 82c3ab31834272e4118e925922249240
SHA1 a116ca5af39e39b7d4234c2c0cd6a91bff6727af
SHA256 25b87fbabbec1d49eae7cf47c3d659cb6c99eb82203e90eee6035b21b425b5ef
SHA512 4d3eaec898ef47e9b6039bcd481a06001263e7fcbc9303974423f90058a4d91494392427ca35dced5db642e8692580f24cb761b27a60e3288f15aefd8dbdb647

memory/4460-166-0x0000000003970000-0x0000000004095000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\RoamingCredentialSettings.xml

MD5 a186bfcab0d099811bf38b4c09102755
SHA1 9aadb653c69a0009f39d187a76ba51c0869ff9f2
SHA256 88b885c0292640fbbde80bbe0764b23e4d9621b89b9077056c0e12bc2deb7e2f
SHA512 c0e7cc96ee60aa8abe6e9ddbb3eef76561ff332f32fcc1acc950fcd4a03e958eab40590bb5e6912771950c8110838831f265199b040934e1aa3e5224bd33443f

memory/1852-167-0x0000000000000000-mapping.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SystemIndex.1.gthr

MD5 5d8e3f0dee1f1dcc69de24d4a01ea0dd
SHA1 54a4b7be8e07f172c366da7a25d56814512ffa2f
SHA256 beb289a769e447be982476cbb39e5fc628f8048b91c44af36ec4d43362ab0b2f
SHA512 d14e7c1893229188d8fd5d7eac1552be82f5b81c4c9ab6a908db49d4ffc0022601f5b1d2aaf1939c33aaba25e4a8c3b1cb8dd9715898bda1c90c3aa5db96c2ff

C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP..dll

MD5 880da7026523afdebf6a98e74fd307ff
SHA1 8b747e37a942136a6e5c53deacc5ed60dea6e15c
SHA256 7c465ca42e5c8a89040d012d2986e2b76856e2ca9c6898dddb7821c11460b815
SHA512 92d51a54140630648d536322bd429e67d2a48cfad66b7c2e407dc75a43f55fd3e5e6207684845a5bcdfd2d9418dd28f5b550ab5228bca3d15a8bae789e39fc6d

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SmsInterceptStore.db

MD5 7d2d2f04320584e023a549be0319e601
SHA1 d76db1f1a9aec376cc9b518ea1ef35ccc93d0e65
SHA256 9b1d9752ffaff1f6b931a2c43d03033591aad5f9c6afb7387ee6ce4d0986be5c
SHA512 9f4c3cbeccb1904687f7c6096eb3898c6ede187ed072b7ddb5ec3daafbe7c0ac56a94722395ce6e04ae8d520215f62ca33d0453505ec8f0eca460e50cf3f29cc

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftSkypeForBusiness2016Win64.xml

MD5 bd044f090776619270e4e49b20dd006f
SHA1 8279e5b49f7322f11364ff10d694578b56fafcd2
SHA256 40ad82a3af39ac5ecca299f7d0c57a8de41c75c96e2c0fa49c0dcb5b442f14cf
SHA512 19214b4e046c1146ca1e06a35f69daaccf604b7fb42f6d6050794874e4bab03c6bbff66e68e7d9243265c246126d9231fe24ff633a6adcbcffd7a0831f91deaf

memory/1852-169-0x0000000004710000-0x0000000004E35000-memory.dmp

memory/1852-170-0x0000000004710000-0x0000000004E35000-memory.dmp

memory/1852-171-0x0000000004710000-0x0000000004E35000-memory.dmp

memory/1376-172-0x0000000000000000-mapping.dmp

memory/3908-173-0x0000000000000000-mapping.dmp

memory/4460-174-0x0000000003970000-0x0000000004095000-memory.dmp
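
The Files section gives a responder three dropped artifacts with hashes (Ipoetwsuqhd.tmp in the user's Temp directory, CPDF_RHP..dll under Program Files (x86)\WindowsPowerShell\Modules, and Shpetph.tmp inside the GUID-named staging directory in ProgramData that also collects the Edge, MSPaint, Skype, SystemIndex and SmsInterceptStore copies). The Python below is an added example, not part of the sandbox report: it sweeps a directory tree for those names and the staging directory, hashes any hit and compares it with the report's SHA256. Matching is on the base name because the C:\Users\Admin path is sandbox-specific; the demo tree it builds in a temporary directory is constructed input with placeholder bytes, so the hash comparisons are expected to report a name hit with a non-matching hash.

```python
"""Sweep a directory tree for the dropped-file names and staging directory in this report."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Optional

# Base names (lower-cased) and SHA256 values copied from the Files section.
IOC_FILE_HASHES: Dict[str, str] = {
    # C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
    "ipoetwsuqhd.tmp": "2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe",
    # C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP..dll
    "cpdf_rhp..dll": "7c465ca42e5c8a89040d012d2986e2b76856e2ca9c6898dddb7821c11460b815",
    # C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
    "shpetph.tmp": "65c5873d5f2342b4bd23691667578d14ea059e7c81ca0129aca6e05441adfde5",
}
# Collection staging directory created under C:\ProgramData (lower-cased for matching).
IOC_STAGING_DIR = "{f21ff8c2-a136-6557-c5dd-f59d9999c8e7}"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str) -> List[dict]:
    """Walk root; report IOC directory names and IOC file names with their hash status."""
    findings: List[dict] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == IOC_STAGING_DIR:
                findings.append({"kind": "dir", "name": d.lower(),
                                 "path": os.path.join(dirpath, d), "hash_match": None})
        for fn in filenames:
            key = fn.lower()
            if key not in IOC_FILE_HASHES:
                continue
            full = os.path.join(dirpath, fn)
            digest: Optional[str]
            try:
                digest = sha256_file(full)
            except OSError:
                digest = None  # locked or unreadable: the name hit is still reported
            findings.append({"kind": "file", "name": key, "path": full, "sha256": digest,
                             "hash_match": digest == IOC_FILE_HASHES[key]})
    return sorted(findings, key=lambda f: f["path"])


def run_demo() -> List[dict]:
    """Build a constructed tree mimicking the report's paths, sweep it, clean up."""
    root = tempfile.mkdtemp(prefix="danabot_sweep_")
    try:
        modules = os.path.join(root, "Program Files (x86)", "WindowsPowerShell", "Modules")
        staging = os.path.join(root, "ProgramData", "{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}")
        os.makedirs(modules)
        os.makedirs(staging)
        # Placeholder bytes (constructed), deliberately not the sample's content.
        with open(os.path.join(modules, "CPDF_RHP..dll"), "wb") as f:
            f.write(b"MZ placeholder, not the real sample\n")
        with open(os.path.join(staging, "Shpetph.tmp"), "wb") as f:
            f.write(b"placeholder\n")
        with open(os.path.join(staging, "MasterDescriptor.x-none.xml"), "wb") as f:
            f.write(b"<x/>")  # collected-data copy, not in the IOC list: must not be reported
        return sweep(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["kind"], hit["path"], "hash_match=%s" % hit["hash_match"])
```

A name hit with a non-matching hash is still worth escalating: the sample writes the same DLL name in both CPDF_RHP..dll and cpdf_rhp..dll casing, and a rebuilt DanaBot component would carry the path but not the hash, so on a real sweep the GUID directory under ProgramData and the doubled-extension DLL in the PowerShell Modules folder are stronger signals than the SHA256 list alone.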