Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-ppjvlahe22
Target f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa
SHA256 f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa
Tags
danabot banker collection discovery persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa

Threat Level: Known bad

The file f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa was found to be: Known bad.

Malicious Activity Summary

danabot banker collection discovery persistence spyware stealer trojan

Danabot

Sets DLL path for service in the registry

Sets service image path in registry

Blocklisted process makes network request

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 12:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 12:30

Reported

2022-12-20 12:32

Platform

win10v2004-20221111-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |

Sets DLL path for service in the registry

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\acrobat_parcel_generic_32.dll\u0600" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\acrobat_parcel_generic_32.dllĀ" | C:\Windows\SysWOW64\rundll32.exe | N/A |

Sets service image path in registry

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | C:\Windows\SysWOW64\rundll32.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\rundll32.exe | N/A |

Accesses Microsoft Outlook profiles

collection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1916 set thread context of 1880 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\DirectInk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win.css | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\tl.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\LICENSE.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\IA2Marshal.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\SaveAsRTF.api | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\svchost.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |

Modifies system certificate store

evasion spyware trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D860E98EFB9758940232A48C83DBE163A5F54E26 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D860E98EFB9758940232A48C83DBE163A5F54E26\Blob = (blob data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2912 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 1916 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 1916 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2104 wrote to memory of 1360 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1360 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1360 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1916 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1916 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1916 wrote to memory of 2492 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1916 wrote to memory of 2492 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1916 wrote to memory of 2492 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\schtasks.exe |

outlook_office_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |

outlook_win_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe

"C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 472

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\acrobat_parcel_generic_32.dll",hmIkNEw2QTY=

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 127.0.0.1:14124 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 20.189.173.12:443 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 23.236.181.126:443 | | tcp |
| N/A | 127.0.0.1:14124 | | tcp |
| N/A | 35.62.50.114:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:14121 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
| N/A | 127.0.0.1:14121 | | tcp |
| N/A | 127.0.0.1:14124 | | tcp |
| N/A | 127.0.0.1:14121 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
| N/A | 127.0.0.1:14124 | | tcp |
| N/A | 127.0.0.1:14121 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
| N/A | 127.0.0.1:14124 | | tcp |
| N/A | 127.0.0.1:14121 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
| N/A | 127.0.0.1:14124 | | tcp |
| N/A | 127.0.0.1:14121 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
| N/A | 127.0.0.1:14124 | | tcp |
| N/A | 127.0.0.1:14121 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |

Files

memory/2912-132-0x000000000234E000-0x000000000243D000-memory.dmp

memory/2912-133-0x0000000002440000-0x0000000002570000-memory.dmp

memory/2912-134-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1916-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

memory/2912-138-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1916-139-0x00000000054F0000-0x0000000005C15000-memory.dmp

memory/1916-140-0x00000000054F0000-0x0000000005C15000-memory.dmp

memory/1916-141-0x0000000006360000-0x00000000064A0000-memory.dmp

memory/1916-142-0x0000000006360000-0x00000000064A0000-memory.dmp

memory/1916-143-0x0000000006360000-0x00000000064A0000-memory.dmp

memory/1916-144-0x0000000006360000-0x00000000064A0000-memory.dmp

memory/1916-146-0x0000000006360000-0x00000000064A0000-memory.dmp

memory/1880-147-0x00007FF798A16890-mapping.dmp

memory/1916-145-0x0000000006360000-0x00000000064A0000-memory.dmp

memory/1880-149-0x000001A6F1C00000-0x000001A6F1D40000-memory.dmp

memory/1880-150-0x000001A6F1C00000-0x000001A6F1D40000-memory.dmp

memory/1916-148-0x00000000063D9000-0x00000000063DB000-memory.dmp

memory/1880-151-0x0000000000960000-0x0000000000B79000-memory.dmp

memory/1880-152-0x000001A6F1D80000-0x000001A6F1FAA000-memory.dmp

memory/1916-153-0x00000000054F0000-0x0000000005C15000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\acrobat_parcel_generic_32.dll

MD5 27ad2e09e7fb67aeb3f0a177eacee5bf
SHA1 632ba1684b6bda253915c77bc6dc7428b6386feb
SHA256 d2fec46d1e80bd292d599da77ab32e31978809a2fe90607baca1ee9b2a7811d3
SHA512 d114cd91dad0ab93b528c3529ef5004ba6dfe34caa1056dda642a3ac1747fc401490546a8e84d66c31c0b4e32cb410db0117288c4560fed6182955455c24e2ce

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 7f7a57cdda3a793223eddb107acd3e40
SHA1 9d70b2e4ad0c07ab5e1ce5eaa896fdaea4bee467
SHA256 1b5d2585fdddcbe2216e1b96a17ae0decca911b6e37e951f13131cda3b984004
SHA512 ef8669adc775284392618e23f7e09c6b7d905544f2e13ee62c2fab6f036a84adbf0636d2c277e1f954c12c534422d3860ecf673dc29b1e50099d6d51cdf94078

C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.dll

MD5 27ad2e09e7fb67aeb3f0a177eacee5bf
SHA1 632ba1684b6bda253915c77bc6dc7428b6386feb
SHA256 d2fec46d1e80bd292d599da77ab32e31978809a2fe90607baca1ee9b2a7811d3
SHA512 d114cd91dad0ab93b528c3529ef5004ba6dfe34caa1056dda642a3ac1747fc401490546a8e84d66c31c0b4e32cb410db0117288c4560fed6182955455c24e2ce

memory/2104-157-0x0000000003FB0000-0x00000000046D5000-memory.dmp

memory/2104-158-0x0000000003FB0000-0x00000000046D5000-memory.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c.xml

MD5 c017cbd831d5fe3da5d63535c0a7cac9
SHA1 4266aab95f2a6988bf07637bf9591bb363f542b5
SHA256 ad263ad6a68bc9376a151f62188941748b467f82e9638fdfd937047e289edf6a
SHA512 f96a087201821c6299acb8d1e428a4d58ff9d31a1c5d9f20d24ff1e9e9e97aacdb31ca818d6c53caa0d7da4b3a48a54cf2a39259ed2d362f9aa082c065d6c40c

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.office32ww.msi.16.x-none.xml

MD5 b5cf5d15a8e6c6f2eb99a5645a2c2336
SHA1 7efe1b634ce1253a6761eb0c54f79dd42b79325f
SHA256 f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c
SHA512 83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\scan_property.ico

MD5 a348f66a6427a599596849f4256a5b8d
SHA1 1edc7072a3cdaaa191065ce17855e6a596cfe6de
SHA256 7e2789e022e43c931114d6a712e0ddeaa925975e08a77e3c403cd705c3b819e8
SHA512 2a564e12977ab9fc745563626e53eb882d0d3ed2c1c70eda231a9630066fb4d43a85ab919678faaf8e19252e2b93da1f2e43aad0768e46b9ec5587dadb26ea24

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml

MD5 2bc8ee174a90308d275eda81bf42d95e
SHA1 284647d3ee515e4794d1984d2f01989f33121d2d
SHA256 d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8
SHA512 fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

memory/1360-164-0x0000000000000000-mapping.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 1d9c8b9cdd2c40a2b6b3e10bab641d8b
SHA1 73665a873c1d54b9a5660f6d8a086d0f6c9075cd
SHA256 547edf5e6d7bd9a1ed64c342b6612ebc604e80cb30bd0f675247ae62d0e59c3e
SHA512 fc305d2628cc31c9c6c1cc99185110db0c1be63524b920c900c81c81f44de24702dc50434beb43333b5b85a048146bd9db8ee21744970b1f885689a9e3719b01

C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.dll

MD5 27ad2e09e7fb67aeb3f0a177eacee5bf
SHA1 632ba1684b6bda253915c77bc6dc7428b6386feb
SHA256 d2fec46d1e80bd292d599da77ab32e31978809a2fe90607baca1ee9b2a7811d3
SHA512 d114cd91dad0ab93b528c3529ef5004ba6dfe34caa1056dda642a3ac1747fc401490546a8e84d66c31c0b4e32cb410db0117288c4560fed6182955455c24e2ce

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edbres00001.jrs

MD5 fcd6bcb56c1689fcef28b57c22475bad
SHA1 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256 de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

memory/1360-167-0x0000000003E10000-0x0000000004535000-memory.dmp

memory/1360-168-0x0000000003E10000-0x0000000004535000-memory.dmp

memory/1316-169-0x0000000000000000-mapping.dmp

memory/2492-170-0x0000000000000000-mapping.dmp

memory/2104-171-0x0000000003FB0000-0x00000000046D5000-memory.dmp

memory/1360-172-0x0000000003E10000-0x0000000004535000-memory.dmp