Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-mjzmracd8s
Target 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912
SHA256 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912
Tags
danabot banker collection discovery persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912

Threat Level: Known bad

The file 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912 was found to be: Known bad.

Malicious Activity Summary

danabot banker collection discovery persistence spyware stealer trojan

Danabot

Sets service image path in registry

Blocklisted process makes network request

Sets DLL path for service in the registry

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies registry class

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 10:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 10:30

Reported

2022-12-20 10:32

Platform

win10v2004-20221111-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dllȀ" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dll\u2000" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A
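The two signatures above describe one mechanism, a svchost-hosted service: ImagePath points at svchost.exe -k LocalService, and Parameters\ServiceDll names the DLL that svchost will load for that group. Two things are off against the normal baseline. A service DLL hosted this way lives under %SystemRoot%\System32 (or SysWOW64), not under Program Files (x86)\WindowsPowerShell\Modules, and the Services key is normally populated by services.exe on behalf of CreateService, whereas here rundll32.exe writes the values directly. The report also records the ServiceDll value three times, the first two with a stray trailing character after .dll and the third clean. The Python below is an added example for this page, not code from the sandbox vendor or from the sample: it parses registry rows in the report's own format and applies those three checks. The Dnscache rows are constructed controls showing a legitimate service (dnsrslvr.dll under System32, written by services.exe). On a live host the same checks apply to HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll; it is also worth reading the group list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which svchost consults to decide which services it hosts and which this report does not show.

```python
import re
from collections import defaultdict

# Registry rows in the report's "Set value ..." format. The first three are copied from the
# report (service Certificates_R.); the Dnscache rows are constructed controls for a
# legitimate svchost-hosted service (DLL under System32, key written by services.exe).
ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dll\u2000" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll = "%SystemRoot%\\System32\\dnsrslvr.dll" C:\Windows\system32\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k NetworkService" C:\Windows\system32\services.exe N/A
'''

ROW_RE = re.compile(
    r'^Set value \(\w+\) \\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\'
    r'(?P<svc>[^\\]+)\\(?P<name>Parameters\\ServiceDll|ImagePath) = "(?P<val>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
SCM = 'c:\\windows\\system32\\services.exe'   # the only process that should populate Services\<name>


def normalize(path):
    """Undo the report's doubled backslashes, expand %SystemRoot%, lower-case for comparison."""
    path = path.replace('\\\\', '\\')
    path = re.sub(r'%systemroot%', lambda _: 'C:\\Windows', path, flags=re.I)
    return path.lower()


def parse_rows(text):
    """Group ServiceDll / ImagePath writes per service, keeping the process that wrote each."""
    services = defaultdict(lambda: defaultdict(list))
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = 'ServiceDll' if m['name'].endswith('ServiceDll') else 'ImagePath'
            services[m['svc']][key].append((m['val'], m['proc']))
    return services


def find_suspicious(services):
    """Return (service, raw ServiceDll value, reasons) for every write that fails a baseline check."""
    findings = []
    for svc, entries in services.items():
        hosted = any('svchost.exe' in normalize(v) for v, _ in entries['ImagePath'])
        for raw, proc in entries['ServiceDll']:
            dll, reasons = normalize(raw), []
            if hosted and not dll.startswith(SYSTEM_DIRS):
                reasons.append('svchost-hosted ServiceDll outside System32/SysWOW64')
            if not dll.endswith('.dll'):
                reasons.append('trailing bytes after the .dll extension')
            if normalize(proc) != SCM:
                reasons.append('key written directly by %s, not via the SCM' % proc)
            if reasons:
                findings.append((svc, raw, reasons))
    return findings


if __name__ == '__main__':
    for svc, dll, reasons in find_suspicious(parse_rows(ROWS)):
        print('%s -> %s\n    %s' % (svc, dll, '\n    '.join(reasons)))
```

Run against the rows above it reports only Certificates_R., twice (once per ServiceDll write), and is silent on the Dnscache control; the first write additionally trips the trailing-bytes check.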

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 736 set thread context of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\reader_sl.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\MoreTools.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\id.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.pmp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R..dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\sendforcomments.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Spelling.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\LICENSE.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\blocklist.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AppCenter_R.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\44F436AE0002C0761CC5EDF3E1C0B46FD4DB2B46 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\44F436AE0002C0761CC5EDF3E1C0B46FD4DB2B46\Blob = 03000000010000001400000044f436ae0002c0761cc5edf3e1c0b46fd4db2b462000000001000000d1020000308202cd30820236a00302010202085b08a5d71d18dfbe300d06092a864886f70d01010b0500307e313d303b06035504030c344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3230313232303131333232385a170d3234313231393131333232385a307e313d303b06035504030c344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100da9cdf2aa294750260624a7bfacfe8d4ad365248b2769992d54f4c245cb61a08be3f1ea184e76b2522e327204996a28a5345193158abb05334714e06b4b789114e52450abcd8f90128f113a103588744340aefffd90fc38e380b05230493bfcac563d9b55602e7400ed72c6bc040cb671920c2e83c24136ba4a5d1941a452ac90203010001a3543052300f0603551d130101ff040530030101ff303f0603551d110438303682344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134300d06092a864886f70d01010b050003818100202181123caa1d3b6174eb171d999f2cf8cb48e8a284e01a43c4d4eb4e98236a7068ff00cb9b2ae7fe1ffcca90566e42491b0a8993f9ba2d3e11cadd414bdbee78ed5ca10b0baed4a099f18d4bbca280eabc3f5167ad5f7c60dc6f917576949f319a19e44cfa03208695b6000e55b9831c6b33c4e2270db299e9d7367dd11beb C:\Windows\SysWOW64\rundll32.exe N/A
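The Blob value is not a bare certificate. Windows stores each entry under SystemCertificates\ROOT\Certificates\<thumbprint> as a sequence of CERT_PROP records (DWORD property id, DWORD reserved, DWORD length, data). Here the first record (id 3) carries the SHA-1 thumbprint that also serves as the key name, and the second (id 0x20) carries the DER certificate, 721 bytes starting at 308202cd. A CA added to the machine ROOT store is trusted by every browser and TLS client that uses the Windows store, which is what lets a banker's interception go unnoticed and why the signature carries the evasion tag. The Python below is an added example for this page, not code from the sandbox vendor or from the sample: it decodes the value with a small DER walker on the standard library only, using the hex copied from the row above, and applies a few analyst checks whose thresholds are my choices.

```python
import difflib
import hashlib
import struct
from datetime import datetime

THUMBPRINT = "44F436AE0002C0761CC5EDF3E1C0B46FD4DB2B46"  # key name from the report: the cert's SHA-1 thumbprint

BLOB_HEX = "".join([  # value copied from the report's row above, split at CERT_PROP and DER field boundaries
    "030000000100000014000000",  # propId 3 (CERT_SHA1_HASH_PROP_ID), reserved 1, length 0x14
    "44f436ae0002c0761cc5edf3e1c0b46fd4db2b46",
    "2000000001000000d1020000",  # propId 0x20 (CERT_CERT_PROP_ID), reserved 1, length 0x2d1 = 721
    "308202cd30820236a00302010202085b08a5d71d18dfbe300d06092a864886f70d01010b0500",  # Certificate, TBS, v3, serial, sigalg
    "307e313d303b06035504030c344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134",  # issuer CN
    "311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64",  # issuer O, C, L
    "301e170d3230313232303131333232385a170d3234313231393131333232385a",  # validity, two UTCTime values
    "307e313d303b06035504030c344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134",  # subject CN
    "311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64",  # subject O, C, L
    "30819f300d06092a864886f70d010101050003818d0030818902818100",  # SubjectPublicKeyInfo: rsaEncryption, BIT STRING, SEQ, INTEGER n
    "da9cdf2aa294750260624a7bfacfe8d4ad365248b2769992d54f4c245cb61a08be3f1ea184e76b2522e327204996a28a5345193158abb05334714e06b4b78911",
    "4e52450abcd8f90128f113a103588744340aefffd90fc38e380b05230493bfcac563d9b55602e7400ed72c6bc040cb671920c2e83c24136ba4a5d1941a452ac9",
    "0203010001",  # INTEGER e = 65537
    "a3543052300f0603551d130101ff040530030101ff303f0603551d110438303682344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134",  # [3] extensions
    "300d06092a864886f70d01010b050003818100",  # sha256WithRSAEncryption, signature BIT STRING
    "202181123caa1d3b6174eb171d999f2cf8cb48e8a284e01a43c4d4eb4e98236a7068ff00cb9b2ae7fe1ffcca90566e42491b0a8993f9ba2d3e11cadd414bdbee",
    "78ed5ca10b0baed4a099f18d4bbca280eabc3f5167ad5f7c60dc6f917576949f319a19e44cfa03208695b6000e55b9831c6b33c4e2270db299e9d7367dd11beb",
])
CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID, OID_BASIC_CONSTRAINTS = 3, 0x20, b"\x55\x1d\x13"
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L"}

def parse_cert_blob(blob):  # CERT_PROP records: DWORD propId, DWORD reserved, DWORD length, data
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        props[prop_id] = blob[off + 12:off + 12 + length]
        off += 12 + length
    return props

def der_read(buf, off):
    """Read one DER TLV at buf[off]; returns (tag, value, offset of the next element)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_read(value, off)
        out.append((tag, val))
    return out

def parse_name(value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, string }  ->  {'CN': ..., 'O': ..., ...}"""
    out = {}
    for _, rdn in der_children(value):
        for _, atv in der_children(rdn):
            (_, oid), (_, s) = der_children(atv)
            out[OID_NAMES.get(oid, oid.hex())] = s.decode("utf-8")
    return out

def parse_certificate(der):
    (_, tbs), _sig_alg, _sig = der_children(der_read(der, 0)[1])
    f = der_children(tbs)
    i, is_ca = (1 if f[0][0] == 0xA0 else 0), False  # skip the explicit [0] version tag if present
    not_before, not_after = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in der_children(f[i + 3][1]))
    issuer, subject = parse_name(f[i + 2][1]), parse_name(f[i + 4][1])
    bit_string = der_children(f[i + 5][1])[1][1]  # SPKI = SEQ { alg, BIT STRING { pad byte, SEQ { n, e } } }
    modulus = der_children(der_children(bit_string[1:])[0][1])[0][1]
    if len(f) > i + 6 and f[i + 6][0] == 0xA3:  # [3] extensions, each SEQ { OID, [critical], OCTET STRING }
        for _, ext in der_children(der_children(f[i + 6][1])[0][1]):
            parts = der_children(ext)
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                bc = der_children(der_children(parts[-1][1])[0][1])
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in bc)
    return {"serial": f[i][1].hex(), "issuer": issuer, "subject": subject, "not_before": not_before,
            "not_after": not_after, "self_signed": issuer == subject, "is_ca": is_ca,
            "rsa_bits": len(modulus.lstrip(b"\x00")) * 8, "thumbprint": hashlib.sha1(der).hexdigest().upper()}

def lookalike(word, brand="Microsoft"):  # a near miss of the brand name, but not the brand itself
    return word != brand and difflib.SequenceMatcher(None, word.lower(), brand.lower()).ratio() >= 0.8

def assess(info, key_name):  # flags for a root that appeared in the machine store at run time; thresholds are mine
    flags = []
    if info["self_signed"] and info["is_ca"]:
        flags.append("self-signed root CA")
    if info["rsa_bits"] < 2048:
        flags.append("%d-bit RSA key" % info["rsa_bits"])
    first = info["subject"].get("CN", "").split(" ")[0]
    if lookalike(first):
        flags.append("CN starts with %r, a lookalike of Microsoft" % first)
    if info["thumbprint"] != key_name.upper():
        flags.append("SHA-1 of the DER does not match the registry key name")
    return flags

def analyse(blob_hex=BLOB_HEX, key_name=THUMBPRINT):
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    info = parse_certificate(props[CERT_CERT_PROP_ID])
    info["hash_prop"] = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    info["flags"] = assess(info, key_name)
    return info
```

Calling analyse() on the row's value gives subject CN "Macrosoft Time Stamp Root Certificate Authority 2014" with O "Microsoft Corporation", L Redmond, C US; an identical issuer (self-signed), basicConstraints CA:TRUE, a 1024-bit RSA key, serial 5b08a5d71d18dfbe, and a validity window of 2020-12-20 11:32:28 to 2024-12-19 11:32:28, two years either side of the 2022-12-20 detonation, which is hard to square with a "2014" root and is consistent with a certificate generated at run time. The last check compares the SHA-1 of the DER with the registry key name, which is how you confirm that a blob carved from a hive matches the key it was found under.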

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe C:\Windows\SysWOW64\rundll32.exe
PID 736 wrote to memory of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 736 wrote to memory of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 736 wrote to memory of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4652 wrote to memory of 4348 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4652 wrote to memory of 4348 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4652 wrote to memory of 4348 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 736 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
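The WriteProcessMemory rows come in threes for every parent/child pair in the table, including the two schtasks children, so a write-only edge is weak evidence on its own: a parent writes into a freshly created child's address space as part of ordinary process creation. What marks 736 → 4052 as injection is the same pair also appearing under "Suspicious use of SetThreadContext", with the 32-bit (SysWOW64) rundll32 redirecting a thread in the native 64-bit rundll32. The Python below is an added example for this page, not code from the sandbox vendor or from the sample: it rebuilds the process tree from the two tables and labels each edge; the labels are my own wording.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables, one row per hooked API call.
ROWS = r'''
PID 736 set thread context of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe C:\Windows\SysWOW64\rundll32.exe
PID 736 wrote to memory of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 736 wrote to memory of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 736 wrote to memory of 4052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4652 wrote to memory of 4348 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4652 wrote to memory of 4348 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 4652 wrote to memory of 4348 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 736 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 736 wrote to memory of 4600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
'''

ROW_RE = re.compile(r'^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) '
                    r'N/A (?P<src_img>\S+) (?P<dst_img>\S+)$')
OP_NAMES = {'wrote to memory of': 'WriteProcessMemory', 'set thread context of': 'SetThreadContext'}


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m['src']), OP_NAMES[m['op']], int(m['dst']), m['src_img'], m['dst_img']))
    return events


def build_edges(events):
    """One edge per (source PID, target PID) carrying the set of APIs seen and the call count."""
    edges = {}
    for src, op, dst, src_img, dst_img in events:
        e = edges.setdefault((src, dst), {'src_img': src_img, 'dst_img': dst_img, 'ops': set(), 'calls': 0})
        e['ops'].add(op)
        e['calls'] += 1
    return edges


def is_wow64(path):
    return '\\syswow64\\' in path.lower()


def classify(edges):
    """Label each edge; only the WriteProcessMemory + SetThreadContext pair is treated as injection."""
    labels = {}
    for key, e in edges.items():
        tags = []
        if {'WriteProcessMemory', 'SetThreadContext'} <= e['ops']:
            tags.append('injection: memory written, then a thread context redirected')
        else:
            tags.append('write-only edge: consistent with ordinary child-process creation')
        if is_wow64(e['src_img']) and '\\system32\\' in e['dst_img'].lower():
            tags.append('32-bit source targeting a native 64-bit image')
        if e['src_img'].lower().endswith('\\svchost.exe'):
            tags.append('started from the service host, i.e. after the persistence stage')
        if e['dst_img'].lower().endswith('\\schtasks.exe'):
            tags.append('child is schtasks.exe')
        labels[key] = tags
    return labels


def roots(edges):
    """PIDs that write into others but are never written into: the tree roots."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def render_tree(edges, labels):
    images, children = {}, defaultdict(list)
    for (s, d), e in edges.items():
        images[s], images[d] = e['src_img'], e['dst_img']
    for s, d in sorted(edges):
        children[s].append(d)
    lines = []

    def walk(pid, depth, tag):
        lines.append('%s%d %s%s' % ('    ' * depth, pid, images[pid].rsplit('\\', 1)[-1], tag))
        for child in children[pid]:
            walk(child, depth + 1, '  [%s]' % '; '.join(labels[(pid, child)]))

    for r in roots(edges):
        walk(r, 0, '')
    return lines


if __name__ == '__main__':
    edges = build_edges(parse_events(ROWS))
    print('\n'.join(render_tree(edges, classify(edges))))
```

The output is two trees: the sample (2124) spawning the SysWOW64 rundll32 (736), which injects into the 64-bit rundll32 (4052) and launches the two schtasks children; and, separately, the SysWOW64 svchost (4652) starting its own rundll32 (4348), the service-hosted stage that the persistence signatures set up.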

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe

"C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2124 -ip 2124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 528

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\certificates_r..dll",rWFMT3AyQg==

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country | Destination        | Domain         | Proto
N/A     | 23.236.181.126:443 | 23.236.181.126 | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 104.80.225.205:443 |                | tcp
N/A     | 52.168.117.170:443 |                | tcp
N/A     | 88.221.25.154:80   |                | tcp
N/A     | 88.221.25.154:80   |                | tcp
N/A     | 88.221.25.154:80   |                | tcp
N/A     | 23.236.181.126:443 |                | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 60.186.179.56:443  |                | tcp
N/A     | 224.0.0.251:5353   |                | udp
N/A     | 127.0.0.1:14121    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 127.0.0.1:14121    |                | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 127.0.0.1:14121    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 127.0.0.1:14121    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 127.0.0.1:14121    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 127.0.0.1:14121    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 127.0.0.1:14121    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 127.0.0.1:14124    |                | tcp
N/A     | 127.0.0.1:14121    |                | tcp

Files

memory/736-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

memory/2124-135-0x0000000002341000-0x0000000002430000-memory.dmp

memory/2124-136-0x0000000002440000-0x0000000002570000-memory.dmp

memory/2124-137-0x0000000000400000-0x000000000053E000-memory.dmp

memory/736-138-0x0000000004BB0000-0x00000000052D5000-memory.dmp

memory/736-139-0x0000000004BB0000-0x00000000052D5000-memory.dmp

memory/736-141-0x00000000054F0000-0x0000000005630000-memory.dmp

memory/736-140-0x00000000054F0000-0x0000000005630000-memory.dmp

memory/736-142-0x00000000054F0000-0x0000000005630000-memory.dmp

memory/736-143-0x00000000054F0000-0x0000000005630000-memory.dmp

memory/736-144-0x00000000054F0000-0x0000000005630000-memory.dmp

memory/736-145-0x00000000054F0000-0x0000000005630000-memory.dmp

memory/4052-146-0x00007FF610BD6890-mapping.dmp

memory/4052-147-0x0000027DFCBF0000-0x0000027DFCD30000-memory.dmp

memory/4052-148-0x0000027DFCBF0000-0x0000027DFCD30000-memory.dmp

memory/736-149-0x0000000005569000-0x000000000556B000-memory.dmp

memory/4052-150-0x0000000000E10000-0x0000000001029000-memory.dmp

memory/4052-151-0x0000027DFB220000-0x0000027DFB44A000-memory.dmp

memory/736-152-0x0000000004BB0000-0x00000000052D5000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\certificates_r..dll

MD5 63fdacce53633c0023a65b9557f837b4
SHA1 6475a5b1050166bbaa40e4ea665093da32b46073
SHA256 702a7269c90cec81ff1c548109e4b3274463c9d58940c88e1bb63c933f13c003
SHA512 878cb01b7433dfe579dfee9146754fa4bdbdd72e7ba0dcb883ede588dd8fe73aeffbc16ca46e227b62489363328c3c03f39ccad7123fa33db725d6a311236549

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 945f0c08be6f3fca2469775218ca24ee
SHA1 1c7ebb81f10582b539a80db91042ebe9c57697f9
SHA256 10964c29f39f6cc0745b737fcf1a41298b93b3ea15cbadf80a26bd63486e7f46
SHA512 1937b18659657b38edc7c12ac374b491f1448daf9c24e204a64acfb61d53748aacc1e592c890920f66a048a51a2250c84d3d2527ffddf27b27b28eef3b8f40ad

C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R..dll

MD5 63fdacce53633c0023a65b9557f837b4
SHA1 6475a5b1050166bbaa40e4ea665093da32b46073
SHA256 702a7269c90cec81ff1c548109e4b3274463c9d58940c88e1bb63c933f13c003
SHA512 878cb01b7433dfe579dfee9146754fa4bdbdd72e7ba0dcb883ede588dd8fe73aeffbc16ca46e227b62489363328c3c03f39ccad7123fa33db725d6a311236549

memory/4652-156-0x0000000003940000-0x0000000004065000-memory.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Policy.vpol

MD5 06a26bd9a786dfd815b92d9f149ac770
SHA1 c5532598867b39bc635399b7845691a04209abb2
SHA256 cf0120016fbb22ffae5cdc3e3995c4b5908d09c0fa759058abfd0cdba04d18c9
SHA512 b856b25525f39f2c3d99e7e954e672ce732408a37f5ea0f85099a30808917b6dd0e046b7a3e29a08f949bc6bab7b05f9182c9620db5f40f210fe5d64d296c5e5

memory/4348-168-0x0000000000000000-mapping.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2013BackupWin64.xml

MD5 d24bea7d3b999f28e375d1d061a03d97
SHA1 95b207708762aa4752c77728128cbe3033646204
SHA256 57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2
SHA512 3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\watermark.png

MD5 1f93b502e78190a2f496c2d9558e069d
SHA1 6ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA256 5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512 cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe.xml

MD5 4194b927b32c56bb3a5ed72c164c917e
SHA1 ec60c6bb8b2d0181408c65b3456b7b3b92cca134
SHA256 86d065b6d87309122e9fce9b960f5d56a45dfcdd83122a4225ed9fd3136320d8
SHA512 c94baa6f849bb048e572667e19268754efc58bce6673373db9817c729b36acbfd0bb30975a441f2a5cd16e00be97db412dd82f1669c1701004a1e27307f75c1d

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\setup.exe

MD5 96f7cb9f7481a279bd4bc0681a3b993e
SHA1 deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256 d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe.xml

MD5 7e913c1a399dd176eea1bb8f2be26268
SHA1 6be9a44820ffbabb10202af890da00c9aa2dfec2
SHA256 5295393602a18f301613c7160e24f88816070a41cf69b32c821b6d3858541b4a
SHA512 dc52de8489f586081c246a297a35987eb7f74e122f475df88cfdc683787fe532e609db3b43915c73f7f172e1a4fc13efacd1b52252d1041e5c8f4dd190009105

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.AsyncTextService_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml

MD5 2240070d6603ab019cd125005cf38b7b
SHA1 ca96d028f51a7d5ec16630b48935f26c72794b0a
SHA256 7b3b1b641ebbda5397a11af86cb347b0f644ab439341c62b1c81d6990e6f75bc
SHA512 95c6f48f717d9103d30c31e00b7ff3a0d235693a8fffed772c0a0c39107bf3003ac84d6c78e2af566d91a88fa523dcc2c523dcc707d19fc77799832d548f330c

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml

MD5 36b733e882d091355ffdd2b0a3286888
SHA1 0043a974ebd90d802e8cc5e04b5cefc980d03292
SHA256 f83662badfaa62797f925aa8292852be5351d3e641d70fe22c911ee4cdf68aad
SHA512 abb0df60401f74df3368e17cd8ff672dceaeef0fbeb097da659c07f2b8d756a09ada065ecb3ba7ccabbb4416817d730c13e6340ae5c6239dff31ae8b81c0a10c

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

MD5 ded8a0ae2ade3e3cab8bfbfea00b969f
SHA1 73752c78795a78ef3b742ad41737959e6f51ee42
SHA256 ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85
SHA512 3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe.xml

MD5 1944801cae061223e36fcce6aed6bfba
SHA1 b465c53f3e6ae74fac368f36cbfc5842ce085e14
SHA256 b903a7f4408a27d0b7a7c6316d04952508d67058216dffeca4293c9352727959
SHA512 82b0e3b1105a5d802839c3ea78b4e2dd800b819ee678d016b2f47203ceb27a638d195909ec1d0efbf46edbf910409d7ab4a05146fc902ef335b36bf14339498f

memory/4652-170-0x0000000003940000-0x0000000004065000-memory.dmp

memory/4348-171-0x0000000003F20000-0x0000000004645000-memory.dmp

memory/4348-172-0x0000000003F20000-0x0000000004645000-memory.dmp

memory/4736-173-0x0000000000000000-mapping.dmp

memory/4600-174-0x0000000000000000-mapping.dmp

memory/4652-175-0x0000000003940000-0x0000000004065000-memory.dmp