Malware Analysis Report

2025-05-28 14:51

Sample ID 221219-ns6cbseh54
Target c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA256 c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
Tags
danabot banker collection discovery persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029

Threat Level: Known bad

The file c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029 was found to be: Known bad.

Malicious Activity Summary

danabot banker collection discovery persistence spyware stealer trojan

Danabot

Sets DLL path for service in the registry

Blocklisted process makes network request

Sets service image path in registry

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of FindShellTrayWindow

outlook_win_path

Modifies system certificate store

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-19 11:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-19 11:40

Reported

2022-12-19 11:43

Platform

win10v2004-20221111-en

Max time kernel

148s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\close_x.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\close_x.dll܀" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService搀" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService輀" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\ue800" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService䐀" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3324 set thread context of 1664 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\info.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\id.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Close2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win.css C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\ACE.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\application.ini C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pages_R_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\SaveAsRTF.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3D05943EB8D18FA5315E1FB33F02E63247EB567E C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3D05943EB8D18FA5315E1FB33F02E63247EB567E\Blob = 0300000001000000140000003d05943eb8d18fa5315e1fb33f02e63247eb567e20000000010000007a02000030820276308201dfa0030201020208189d6e7779f93e61300d06092a864886f70d01010b050030613120301e06035504030c174469676943656b7420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313231393132343234325a170d3234313231383132343234325a30613120301e06035504030c174469676943656b7420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100b095eec8fa0ed6072e274b14a69f190da0b70a16de65bebb13f6704bb9f1181415fc515e3994212661444e59e021a3a8ddb2b578d033d6c61bca608d4760d905f260ab083e3d1225fc1f4be436767ca9f0c3279036ceb32d5a46df67f8f35d25e29e6b74919ed9c9111cdb64e6c8e0cff6f05daf8e771ea12dac54dd0982a00b0203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b301982174469676943656b7420476c6f62616c20526f6f74204732300d06092a864886f70d01010b05000381810052dfcbe3ca2453399bbebdf5018f91008d41a252523a68271a99842ad4d4d6488a93912dd24ef48b08012be45ebc7853f3abe7615ed8e3c1c3a6a4fefdafedddf32bd20d94e45593008ee24472928d237190df8d4129703c713582b83895436f2cad2aad4ae9f4593ebe37846613582a553f95493f51cc61faaa7d71fae08984 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe C:\Windows\SysWOW64\rundll32.exe
PID 4712 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe C:\Windows\SysWOW64\rundll32.exe
PID 4712 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe C:\Windows\SysWOW64\rundll32.exe
PID 3324 wrote to memory of 1664 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3324 wrote to memory of 1664 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3324 wrote to memory of 1664 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3172 wrote to memory of 3660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 3172 wrote to memory of 3660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 3172 wrote to memory of 3660 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 3324 wrote to memory of 2140 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3324 wrote to memory of 2140 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3324 wrote to memory of 2140 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3324 wrote to memory of 1616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3324 wrote to memory of 1616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 3324 wrote to memory of 1616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe

"C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4712 -ip 4712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 536

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\close_x.dll",QgU9RQ==

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:23949 tcp
N/A 127.0.0.1:1312 tcp
N/A 52.182.143.208:443 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 23.236.181.126:443 tcp
N/A 127.0.0.1:23949 tcp
N/A 98.10.150.98:443 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:23946 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23946 tcp
N/A 127.0.0.1:23949 tcp
N/A 127.0.0.1:23946 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23949 tcp
N/A 127.0.0.1:23946 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23946 tcp
N/A 127.0.0.1:23949 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23946 tcp
N/A 127.0.0.1:23949 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:23946 tcp
N/A 127.0.0.1:23949 tcp
N/A 127.0.0.1:1312 tcp

Files

memory/3324-132-0x0000000000000000-mapping.dmp

memory/4712-133-0x000000000229B000-0x0000000002371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/4712-136-0x0000000002380000-0x0000000002495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/4712-137-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3324-138-0x0000000004010000-0x0000000004735000-memory.dmp

memory/3324-139-0x0000000004010000-0x0000000004735000-memory.dmp

memory/3324-140-0x00000000048E0000-0x0000000004A20000-memory.dmp

memory/3324-141-0x00000000048E0000-0x0000000004A20000-memory.dmp

memory/3324-142-0x00000000048E0000-0x0000000004A20000-memory.dmp

memory/3324-143-0x00000000048E0000-0x0000000004A20000-memory.dmp

memory/3324-144-0x00000000048E0000-0x0000000004A20000-memory.dmp

memory/3324-145-0x00000000048E0000-0x0000000004A20000-memory.dmp

memory/1664-146-0x00007FF62E8E6890-mapping.dmp

memory/1664-147-0x000001F6CBE00000-0x000001F6CBF40000-memory.dmp

memory/1664-148-0x000001F6CBE00000-0x000001F6CBF40000-memory.dmp

memory/1664-149-0x00000000000A0000-0x00000000002B9000-memory.dmp

memory/1664-150-0x000001F6CA5C0000-0x000001F6CA7EA000-memory.dmp

memory/3324-151-0x0000000004010000-0x0000000004735000-memory.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.dll

MD5 b9ee2129ea48aabb9c3d65b5e0b864db
SHA1 8c831d7b63a83af40c8d01e51243679d40dc6726
SHA256 6752148c44e9204a63cc22d560a954aceafdccdabd18f61b588ef9fdcfeaa899
SHA512 e8309cb674f4bb73f4bc8b1b87684b8491587872f3751f08312658d70fd34bb8b93f0baf1b6e466a2c11873c6e5bfd71154ebb9187c6950a15935309d085f119

\??\c:\program files (x86)\windowspowershell\modules\close_x.dll

MD5 b9ee2129ea48aabb9c3d65b5e0b864db
SHA1 8c831d7b63a83af40c8d01e51243679d40dc6726
SHA256 6752148c44e9204a63cc22d560a954aceafdccdabd18f61b588ef9fdcfeaa899
SHA512 e8309cb674f4bb73f4bc8b1b87684b8491587872f3751f08312658d70fd34bb8b93f0baf1b6e466a2c11873c6e5bfd71154ebb9187c6950a15935309d085f119

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 fbdd6a9ef07c99e35a1c8e5db6b4cfc7
SHA1 6af5ca47ff3ccf080cd2ccd7f95697660edccfb3
SHA256 f66ceb064373b3cdac7da9bb32b15622d03b17ca9d658950d50435358e394cd9
SHA512 c84d726d7e5ec609913c2e58c4b75528f80466ab614aa16167b0f91f48e4102c1a5943ff68b6b2cd6229d30ef95ae82a028ab1b5036d1410dd1e485f6dcab10c

memory/3172-155-0x0000000003960000-0x0000000004085000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe.xml

MD5 f4b603547f83e5cb97e4ad4538aac812
SHA1 c225c8c582ad9fdd9e81291fcb4af711deb92508
SHA256 268d79fcfc4de72faeb0433e371176fedcfc0c33b0c9484b02c9936c3c6d4218
SHA512 d285740008ed9e6dbfc4284dfb5418e130f1eb4b2fb758fb2f8e86e0c5c557e050b415eaa66858c37cd95ddfd4ed6a40be77a333f254ec142982d2e3f3cc37cf

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml

MD5 37cde9afb1540513bd564d71867021e0
SHA1 e319abb6093025dccc55618fb407c1182ccdafe7
SHA256 516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f
SHA512 6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.proofing.msi.16.en-us.xml

MD5 d23cf0da0462ecbb77509f23f26edc57
SHA1 b0a3353089a1c174a092e7a791d286bb28bb764c
SHA256 9fc823530ff0f81c7064fb67d0f6932ad735897a2f5479a8f1d298075b04817f
SHA512 a113d35757e4abebede230ca695b2163f44910bdca6253ad65d3649ab1cdaa16da966f01dc1c85d782ed775757915c130e39d6aa008ff5b926674ac353d23dff

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_11_11_13_34_6.etl

MD5 1fe0d68375877cabfccb619d9d4ab43f
SHA1 cf193c9d2867df41dcccb8f6aabf425dffb509eb
SHA256 0cb5476c09391a9aa162dab319070f54ad3befb8cb202acfd274613985912aea
SHA512 51370046f065ae8b86afe3cc5f0ec7e71b13d6bc3272db4bf16924cbdfdc126e5b10399055756234e776a44a0449d2d1554ca0097e7d72790713ca618fdc7ec1

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.powerpointmui.msi.16.en-us.xml

MD5 e9ed7134ebf28fea3f7aa5691a28438a
SHA1 ea1e55c279ed9f8dae333ae436204d8d67d46adf
SHA256 8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28
SHA512 535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

memory/3660-166-0x0000000000000000-mapping.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOutlook2016CAWin64.xml

MD5 4b6a6960b925c7bd5b83d8a4196e24e4
SHA1 f1bb8a50ffb8cce0804db90d2e3ecdbbbe3f460b
SHA256 5f45e2be37f33052a97235462325f5ae32d3713bdaa6eeeea49e92f0e9fc6ed0
SHA512 21f420212c86df357ad83079876d969bab0d089ac506d3dcfb1cfcb134f118a741491454e79538bf5c8d4d2b2ab1fc14d07d0cc3f263874396bd9546bf3b71b1

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

MD5 1600f66ce0d9c342eb6a49155a2f8c14
SHA1 e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07
SHA256 8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27
SHA512 ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\wmp.ico

MD5 589ff0b7d4d0d3fced65c3eae6559657
SHA1 4be3e4221a429b347888bbe3635e377271974c7f
SHA256 0e96c027d23a57e95103d1b64e4c5b8a153402f05b756dfcb737459476aaae35
SHA512 4a12bac3f61964d6c5608bbb9067d7673cd5e5a22463f6d16f402954045692f43ef1ea32d405f452d415c859c30b217e9d250a1c5c85cfd629bd393824b6523b

C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.dll

MD5 b9ee2129ea48aabb9c3d65b5e0b864db
SHA1 8c831d7b63a83af40c8d01e51243679d40dc6726
SHA256 6752148c44e9204a63cc22d560a954aceafdccdabd18f61b588ef9fdcfeaa899
SHA512 e8309cb674f4bb73f4bc8b1b87684b8491587872f3751f08312658d70fd34bb8b93f0baf1b6e466a2c11873c6e5bfd71154ebb9187c6950a15935309d085f119

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.ASM-WindowsDefault.json

MD5 d054101b077a5d6ee42f48bbe0a98033
SHA1 e27de6db98d496419be668cdbb0d63693353a08a
SHA256 b44915e8ebc59eb07e1571de5dfe8e7ae87aca64b2aa64bd5aaf3ebfe06f72a8
SHA512 364a15229a7563af5657355b3ec6838f1367f89163fa43cf835756d5b3ae7df1fbd6b577d31f275b5030f00255c2a1958c6d88b43e84b283a602931c9af1921b

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.dcfmui.msi.16.en-us.xml

MD5 2693cb4d0d47298d60c5b4210d567e56
SHA1 20b67bce8310a93c5756d83d13febdcaff5f3b39
SHA256 d98dec16b13c3e4a23823be0bcd45f685c6dc690ae28954c0c18075e77898f20
SHA512 034cb9620ea7f9aa793ad8e0c8e30b11244e7952d871d1f8cbb1ff6daa765fd9afc2a54f221f0a323511f4aa7b985ff61c2f0b983668c7e390f3f99699dc89c9

memory/3172-168-0x0000000003960000-0x0000000004085000-memory.dmp

memory/3660-169-0x0000000004880000-0x0000000004FA5000-memory.dmp

memory/3660-170-0x0000000004880000-0x0000000004FA5000-memory.dmp

memory/2140-171-0x0000000000000000-mapping.dmp

memory/1616-172-0x0000000000000000-mapping.dmp

memory/3172-173-0x0000000003960000-0x0000000004085000-memory.dmp