Malware Analysis Report

2025-05-05 21:44

Sample ID 221220-rvl81sdb2z
Target ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549
SHA256 ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549
Tags
danabot banker discovery persistence trojan collection spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549

Threat Level: Known bad

The file ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549 was found to be: Known bad.

Malicious Activity Summary

danabot banker discovery persistence trojan collection spyware stealer

Danabot family

Danabot

Blocklisted process makes network request

Sets service image path in registry

Sets DLL path for service in the registry

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Modifies registry class

outlook_office_path

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

outlook_win_path

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 14:30

Signatures

Danabot family

danabot

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 14:30

Reported

2022-12-20 14:33

Platform

win7-20221111-en

Max time kernel

129s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (x3)

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CourierStd-BoldOblique\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\CourierStd-BoldOblique.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CourierStd-BoldOblique\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A
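Taken together, these two writes are the persistence mechanism: a service named after a font, hosted by svchost.exe -k LocalService, whose Parameters\ServiceDll points into a freshly created "Microsoft Sync Framework" directory under Program Files (x86), with both values written by rundll32.exe rather than registered through the Service Control Manager. The script below is an added example written for this page, not tooling from the sandbox: it parses "Set value (str)" rows of this shape, groups them by service, and flags a service when its ServiceDll lies outside %SystemRoot% or when a svchost-hosted ImagePath was written by something other than services.exe. The two CourierStd-BoldOblique rows are copied from the tables above; the ExampleSvc rows are constructed as a benign control.

```python
import re
from collections import defaultdict

# Matches the "Set value (str)" rows of the report's registry tables.
EVENT_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\services\\'
    r'(?P<svc>[^\\]+)\\(?P<key>Parameters\\ServiceDll|ImagePath) = "(?P<val>.*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$',
    re.IGNORECASE,
)

# First two rows: copied from the behavioral1 tables above.  ExampleSvc rows: constructed
# benign control (ServiceDll written by an installer, ImagePath registered via the SCM,
# DLL under %SystemRoot%); "examplesvc.dll" is a made-up name.
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CourierStd-BoldOblique\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\CourierStd-BoldOblique.dll" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CourierStd-BoldOblique\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ExampleSvc\Parameters\ServiceDll = "C:\\Windows\\System32\\examplesvc.dll" C:\Windows\System32\msiexec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ExampleSvc\ImagePath = "C:\\Windows\\system32\\svchost.exe -k netsvcs" C:\Windows\System32\services.exe N/A',
]

SCM_IMAGE = "services.exe"  # CreateService() writes ImagePath through the SCM


def collect_services(events):
    """Group ServiceDll / ImagePath writes, and the process that made each, by service name."""
    services = defaultdict(dict)
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        key = "ServiceDll" if m["key"].lower().endswith("servicedll") else "ImagePath"
        entry = services[m["svc"]]
        entry[key] = m["val"].replace("\\\\", "\\")  # the report escapes backslashes inside quotes
        entry[key + "_writer"] = m["proc"].rsplit("\\", 1)[-1].lower()
    return services


def triage_service_writes(events):
    """Return {service: [reasons]} for services whose registration looks planted."""
    findings = {}
    for svc, e in collect_services(events).items():
        reasons = []
        dll = e.get("ServiceDll", "")
        image = e.get("ImagePath", "").lower()
        if dll and not dll.lower().startswith("c:\\windows\\"):
            reasons.append("ServiceDll outside %SystemRoot%: " + dll)
        if "svchost.exe" in image and dll and e.get("ImagePath_writer") != SCM_IMAGE:
            reasons.append("svchost-hosted ImagePath written directly by "
                           + e["ImagePath_writer"] + ", not through the SCM")
        if reasons:
            findings[svc] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in triage_service_writes(EVENTS).items():
        print(svc)
        for reason in reasons:
            print("  -", reason)
```

The SCM check is a heuristic: CreateService() goes through services.exe, so an ImagePath written directly by a user-mode process means the key was planted rather than registered. Installers do legitimately write Parameters\ServiceDll themselves, which is why that value is judged by location instead of by writer.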

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 328 set thread context of 1000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\submission_history.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Accessibility.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\vdk150.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CP1257.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\MyriadPro-BoldIt.otf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AdobePiStd.otf C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\drvDX9.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\airappinstaller.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Spelling.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\icudt36.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\VDK10.STP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\DWTRIG20.EXE C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\nppdf32.dll C:\Windows\SysWOW64\rundll32.exe N/A
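Read together, the rows above show a camouflage step rather than sixteen separate drops: almost every file created under Program Files (x86)\Microsoft Sync Framework\v1.0 has the same basename as a legitimate file the process opened elsewhere (Adobe Reader 9.0, Common Files), so the new directory looks like a real product install. The one created file with no legitimate twin is the service DLL, whose name follows the FontName-Style pattern of the .otf files copied from Resource\Font. The following script is an added example written for this page, not tooling from the sandbox: it pairs "File created" rows with "File opened for modification" rows by basename and isolates the odd one out. The rows are copied from the table above.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One row of the "Drops file in Program Files directory" table: operation, path, process, target.
ROW_RE = re.compile(
    r"^(?P<op>File created|File opened for modification) (?P<path>.+?) (?P<proc>\S+) N/A$"
)

# All rows of that table, copied from the Win7 run above.
ROWS = r"""
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\submission_history.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Accessibility.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\vdk150.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CP1257.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\MyriadPro-BoldIt.otf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AdobePiStd.otf C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\drvDX9.x3d C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\airappinstaller.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Spelling.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\icudt36.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\VDK10.STP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\DWTRIG20.EXE C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\nppdf32.dll C:\Windows\SysWOW64\rundll32.exe N/A
""".strip().splitlines()


def pair_drops(rows):
    """Split created files into decoys (a same-named file was read elsewhere) and unpaired ones."""
    created, opened = {}, defaultdict(list)
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            continue
        name = PureWindowsPath(m["path"]).name.lower()
        if m["op"] == "File created":
            created[name] = m["path"]
        else:
            opened[name].append(m["path"])
    decoys = {n: (created[n], opened[n]) for n in created if n in opened}
    unpaired = {n: created[n] for n in created if n not in opened}
    drop_dirs = {str(PureWindowsPath(p).parent) for p in created.values()}
    return decoys, unpaired, drop_dirs


if __name__ == "__main__":
    decoys, unpaired, drop_dirs = pair_drops(ROWS)
    print("drop directory:", ", ".join(sorted(drop_dirs)))
    print(f"{len(decoys)} created files mirror a file read elsewhere, e.g.")
    for name, (dst, sources) in sorted(decoys.items())[:3]:
        print("  ", dst, "<-", sources[0])
    print("created with no legitimate twin:")
    for path in unpaired.values():
        print("  ", path)
```

Basenames are compared case-insensitively because NTFS is; the script keys on names only, since the report gives no hashes for the decoy copies. GIFIMP32.FLT is the one file opened but never recreated, which a full triage would note as well.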

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
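The BagMRU and Bags keys above are Explorer's ShellBags: the 64-bit rundll32.exe instance opened a shell folder view, and Explorer recorded the folder chain as binary shell items (BagMRU\0 is the root, \0\0 its child, and so on). Decoding them recovers the folder that was browsed. The script below is an added example, not part of the report: the four blobs are copied from the BagMRU\0, \0\0, \0\0\0 and \0\0\0\0 values above, the known-folder GUID table is the editor's, and the 0xBEEF0004 extension-block layout is the commonly documented one, assumed rather than verified against this sample.

```python
import uuid

# BagMRU\0, BagMRU\0\0, BagMRU\0\0\0 and BagMRU\0\0\0\0, copied from the table above.
BAGMRU_CHAIN = [
    "14001f44471a0359723fa74489c55595fe6b30ee0000",
    "7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000",
    "4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000",
    "4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000",
]

# Known-folder CLSIDs for root (type 0x1F) items; editor's table, only the first occurs here.
KNOWN_ROOTS = {
    "59031a47-3f72-44a7-89c5-5595fe6b30ee": "<UsersFiles>",   # the user's profile folder
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "<MyComputer>",
    "450d8fba-ad25-11d0-98a8-0800361b1103": "<MyDocuments>",
}
EXT_SIG = b"\x04\x00\xef\xbe"  # 0xBEEF0004: the file-entry extension block carrying the long name


def decode_item(blob: bytes) -> str:
    """Return the folder name (or root placeholder) encoded by one shell item."""
    item_type = blob[2]
    if item_type == 0x1F:                       # root folder item: CLSID at offset 4
        guid = str(uuid.UUID(bytes_le=blob[4:20]))
        return KNOWN_ROOTS.get(guid, "{%s}" % guid)
    # File entry (0x31) and delegate (0x74, "CFSF") items both end with a 0xBEEF0004 block;
    # locate it by signature instead of by type-specific offsets.
    sig = blob.find(EXT_SIG)
    if sig < 4:
        raise ValueError("no 0xBEEF0004 extension block in item")
    ext = sig - 4
    # Assumed layout: after the 2-byte long-string-size field at ext+36 come 4 (Windows 7,
    # version 8) or 8 (Windows 8+, version 9) zero-filled bytes, then the UTF-16LE long name,
    # NUL-terminated, then a 2-byte version offset.  Skipping leading NULs covers either case.
    tail = blob[ext + 38:].decode("utf-16-le", errors="replace")
    return tail.lstrip("\x00").split("\x00", 1)[0]


def shellbag_path(chain) -> str:
    """Join the per-level names of a BagMRU chain into the browsed path."""
    return "\\".join(decode_item(bytes.fromhex(h)) for h in chain)


if __name__ == "__main__":
    print(shellbag_path(BAGMRU_CHAIN))
```

The chain resolves to the user's profile folder, then AppData\Local\Temp, the directory holding the dropped Iseiuaqptde.dll. Stripping ShellBag entries is rarely done by malware, so they survive as an artifact of where the injected process looked even after the files themselves are gone.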

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe (x7)
PID 1080 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\WerFault.exe (x4)
PID 328 wrote to memory of 1000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe (x5)
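The WriteProcessMemory and SetThreadContext rows describe one chain: the sample (PID 1080) writes into the 32-bit rundll32.exe it launched (PID 328), which writes into a second rundll32.exe (PID 1000, started with the innocuous command line shell32.dll,#61) and then changes that process's thread context, the write-then-redirect-execution pattern of process hollowing or thread hijacking. The writes into WerFault.exe (PID 840) belong to the crash the "Program crash" signature records. Below is an added example, not tooling from the report, that folds the repeated rows into counts per (writer, target) pair and classifies each pair by whether a context change followed the writes; the rows are reproduced from the two tables above.

```python
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<simg>\S+) (?P<dimg>\S+)$")
CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) N/A (?P<simg>\S+) (?P<dimg>\S+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"
RUNDLL32_WOW64 = r"C:\Windows\SysWOW64\rundll32.exe"
RUNDLL32_SYS32 = r"C:\Windows\system32\rundll32.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# The rows of the two tables above; the report lists each write row once per call.
ROWS = (
    [f"PID 1080 wrote to memory of 328 N/A {SAMPLE} {RUNDLL32_WOW64}"] * 7
    + [f"PID 1080 wrote to memory of 840 N/A {SAMPLE} {WERFAULT}"] * 4
    + [f"PID 328 wrote to memory of 1000 N/A {RUNDLL32_WOW64} {RUNDLL32_SYS32}"] * 5
    + [f"PID 328 set thread context of 1000 N/A {RUNDLL32_WOW64} {RUNDLL32_SYS32}"]
)


def classify_pairs(rows):
    """Fold the rows into one record per (writer PID, target PID) with a verdict."""
    pairs = defaultdict(lambda: {"writes": 0, "context_changes": 0})
    for line in rows:
        for pattern, field in ((WRITE_RE, "writes"), (CTX_RE, "context_changes")):
            m = pattern.match(line)
            if m:
                rec = pairs[(int(m["src"]), int(m["dst"]))]
                rec[field] += 1
                rec["writer"], rec["target"] = m["simg"], m["dimg"]
                break
    for rec in pairs.values():
        target = rec["target"].rsplit("\\", 1)[-1].lower()
        if rec["writes"] and rec["context_changes"]:
            rec["verdict"] = "injection"     # write, then redirect a thread: hollowing / thread hijack
        elif target == "werfault.exe":
            rec["verdict"] = "crash-report"  # WER attaching to the faulting writer
        else:
            # A parent writing a new child's start-up data looks the same as injection
            # whose execution is triggered some other way; the rows alone cannot tell.
            rec["verdict"] = "write-only"
    return dict(pairs)


def injection_chain(pairs, start):
    """Follow writer->target edges from `start`, skipping crash-report pairs."""
    chain, cur = [start], start
    while True:
        nxt = [d for (s, d), rec in pairs.items()
               if s == cur and rec["verdict"] != "crash-report" and d not in chain]
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(cur)


if __name__ == "__main__":
    pairs = classify_pairs(ROWS)
    for (s, d), rec in sorted(pairs.items()):
        print(f"{s} -> {d}: {rec['writes']} writes, {rec['context_changes']} context changes, {rec['verdict']}")
    print("chain:", " -> ".join(map(str, injection_chain(pairs, 1080))))
```

Only the 328 -> 1000 pair carries both signals; that is the process to pull memory from first, and its dumps (memory/1000-76 and memory/1000-86 below) are where the unpacked payload should be looked for.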

Processes

PIDs are taken from the WriteProcessMemory, SetThreadContext and WerFault rows above; processes without a PID in those rows are left unnumbered.

C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe (PID 1080)
    "C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

C:\Windows\SysWOW64\rundll32.exe (PID 328, written to by 1080)
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start

C:\Windows\SysWOW64\WerFault.exe (PID 840, crash reporter for 1080)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 208

C:\Windows\system32\rundll32.exe (PID 1000, written to and thread context set by 328; the argument 20224 is also the loopback port in the Network table)
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20224

C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft sync framework\v1.0\courierstd-boldoblique.dll",YgReMg==

C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country | Destination        | Domain         | Proto
N/A     | 23.236.181.126:443 | 23.236.181.126 | tcp
N/A     | 127.0.0.1:20224    |                | tcp
N/A     | 127.0.0.1:1312     |                | tcp
N/A     | 23.236.181.126:443 |                | tcp
N/A     | 127.0.0.1:20224    |                | tcp
N/A     | 31.89.46.0:443     |                | tcp

Files

memory/1080-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

memory/328-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 2509ce535012c3369025c465cd0ce8d3
SHA1 689d0fd00ef209dceacf13a6cb8c44b0307f3354
SHA256 1c983968980bf6018c7149ee7b56d5ccfa6566bd60c514c872ee14a1aaaad2d9
SHA512 dd887df5972521c87e0999aa6bfa27ac8c510c14b14aba7f9d66503a0d5c4971ca09a66ab7f1ea8c3d6847d59a1ba6237284ba4e36c7ed2519407442f453d7c9

memory/840-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 2509ce535012c3369025c465cd0ce8d3
SHA1 689d0fd00ef209dceacf13a6cb8c44b0307f3354
SHA256 1c983968980bf6018c7149ee7b56d5ccfa6566bd60c514c872ee14a1aaaad2d9
SHA512 dd887df5972521c87e0999aa6bfa27ac8c510c14b14aba7f9d66503a0d5c4971ca09a66ab7f1ea8c3d6847d59a1ba6237284ba4e36c7ed2519407442f453d7c9

memory/328-63-0x0000000000B50000-0x0000000000DC1000-memory.dmp

memory/328-64-0x0000000000B50000-0x0000000000DC1000-memory.dmp

memory/328-65-0x0000000000B50000-0x0000000000DC1000-memory.dmp

memory/328-66-0x0000000003450000-0x0000000003B75000-memory.dmp

memory/328-67-0x0000000003450000-0x0000000003B75000-memory.dmp

memory/328-69-0x0000000003450000-0x0000000003B75000-memory.dmp

memory/328-70-0x0000000003450000-0x0000000003B75000-memory.dmp

memory/328-73-0x0000000003B80000-0x0000000003CC0000-memory.dmp

memory/328-72-0x0000000003B80000-0x0000000003CC0000-memory.dmp

memory/328-75-0x0000000003DD0000-0x0000000003F10000-memory.dmp

memory/1000-76-0x0000000000290000-0x00000000004A9000-memory.dmp

memory/328-78-0x0000000003DD0000-0x0000000003F10000-memory.dmp

memory/328-79-0x0000000003B80000-0x0000000003CC0000-memory.dmp

memory/328-80-0x0000000003B80000-0x0000000003CC0000-memory.dmp

memory/1000-81-0x00000000FF1C3CEC-mapping.dmp

memory/1000-82-0x0000000001D70000-0x0000000001EB0000-memory.dmp

memory/1000-83-0x0000000001D70000-0x0000000001EB0000-memory.dmp

memory/1000-84-0x000007FEFB691000-0x000007FEFB693000-memory.dmp

memory/1000-85-0x0000000000290000-0x00000000004A9000-memory.dmp

memory/1000-86-0x0000000001FD0000-0x00000000021FA000-memory.dmp

memory/328-87-0x0000000003450000-0x0000000003B75000-memory.dmp

\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll

MD5 eea4a32ae17ab95ec1512168aea4ee49
SHA1 9d4a325d67300b81d943c329c40915b2496ecaa8
SHA256 750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf
SHA512 227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

\??\c:\program files (x86)\microsoft sync framework\v1.0\courierstd-boldoblique.dll

MD5 eea4a32ae17ab95ec1512168aea4ee49
SHA1 9d4a325d67300b81d943c329c40915b2496ecaa8
SHA256 750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf
SHA512 227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

memory/288-90-0x0000000002180000-0x00000000023F1000-memory.dmp

memory/288-92-0x0000000002180000-0x00000000023F1000-memory.dmp

memory/328-93-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\AdobeESDGlobalApps.xml

MD5 08a872b713c4f7f847de6f9c1d7d3457
SHA1 d819edc8b277f736d4a8c71c4986955b66ebf820
SHA256 13f545fe6bb8251d84518c8261df0bae28f8dbab3ecd3ebd25a89c7da5a75e54
SHA512 1555355aa76bae5dada97e66483767dd8fa1e7047646bef3553c5720ee0390660c313a27559ec3571dcc3d3c4ffdde4c91346591abbca22257206277ff589c0a

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\INDEX.000

MD5 023d87454619d85a090724584853cc2e
SHA1 b110e30707b43c7b56250d763aa9d26b50681078
SHA256 3af0202ed8f8df6099e006dc65dbc1d9cbb289231e15a61deae096761e9c3670
SHA512 dd5ffea28b3fdf22216a426f893d61fef083b55f9d31574e205307b342822e6ab1307396c22f37279f1f33e4fd6536395a0518b8b20392424141e9147dbc70d8

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MTOC_help.H1H

MD5 70a8954491b0490ac132577d6e021029
SHA1 3b17404ebcc80f0921accdce983aba3d61fbae3f
SHA256 076deb93c9daf262e90d7944c54c8abc621ecfdd63563bb794e5c82721280579
SHA512 e205fba7f7f2ce82b28d5f4137433628c5f8ec4d8b47a7b8d0ee098c40eb6658e0e5f4004985fae6493a503d2f572d987956d194b76b3676f685f265a3812f2a

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_CValidator.H1D

MD5 02ecb08e05bbd6fc17c3a5dcf53957ce
SHA1 6ed9a6936071eb90ece53f4eded8d5544704306e
SHA256 e088a33f93b425b768ae3a6341d99ecdb118329a00d7e04f92c673b91c5ace89
SHA512 fdfc65878a4271b1bab12dd290a975be0b207d880afe2543ffe42c1873c3175f2256e64cf7a239a921dd46e14b91b96d7fbe62be96b836f0c61044f4e4236c53

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

MD5 ec6b65facf9337606521a1ba1f4e83b1
SHA1 9f9e7d63fe11d6839be435f4a1e8035a59946e71
SHA256 fbeb91f0f2898adc827a0a42c6089a1845294be224e69e04169497d46ba7651a
SHA512 e5d23f6cbdd0a590532e31789264b4a0dacf480a47b5b4dad67eff800f2cef824345881c7e08d631bfe52cff6e0019d791c7b28bf2324380b9e3f66c5fde9698

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MAPIR.DLL.trx_dll

MD5 6160f8c93afc05e003587e6ca882fe45
SHA1 0254cbfac12f7d90f2ef4f6310420653c63d7e42
SHA256 229e4cbf919ed25ea98a528867d5869352d9e06cda2fdc295976be6b6987445e
SHA512 15ddd1efc78f28d8072d8eb33e8fb74500978323e8730aef035d6847748c4f70b6c156cec24d2ff40a880eb9b49248c3b04388bc74485366b923bf710b71b56b

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\ppcrlconfig.dll

MD5 9e7d79c6d1c464e17f43dbac83e10208
SHA1 88b3b958b4340650876b233b5b7e4f06ef4decaa
SHA256 2d15906df93e4505cdcc57f4347102d737d837332c1e56920696af4709920e90
SHA512 25359c4fda30bb68fc97f3eaa82da056241766c8a97a201c97e5712225776bb2b59b431534adf9e485f68237e2015e9f4ad55570397c05221c54b45af709c2e4

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MKWD_AssetId.H1W

MD5 a0d29da03fdb4614faf7b35f0be73131
SHA1 d3fd5834ac69dbaec848ca412c9c59c5a3e527ff
SHA256 831264ec6d831611eede23f12a689c126b91e07098b62039a22366d7a5f7c3cc
SHA512 9b36bc2f2f3133345e046b974901bd96c968f87e8d937ce81d962cfa606e69464c8d7e9e752585050520a9875f2b05b3702450f5460db93642327e89c9616a3f

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\displayswitch.lnk

MD5 b162ba26a0d11df9e1f5463b514ba776
SHA1 74cb2c98f2b2303e36c85f5eea34f5d6201e3335
SHA256 e9811a91b8de13d57fecd535ff7da6ca9adf8390a5ae0501c8f2fa4aea120517
SHA512 574cb468547de495851fbb6857e4c8e0d3d7784df67237ac06495be514c416ed60695ef807f93a11e33ead304edba451f974601fd8045f952fdf94c889eee07e

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\background.png

MD5 9adaf3a844ce0ce36bfed07fa2d7ef66
SHA1 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256 d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512 e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\VISINTL.DLL.trx_dll

MD5 e65fc0a920e01aaf99b281b726570ea2
SHA1 529ce2fca4eb44d3dd2d4fa7914c51cb00d5687d
SHA256 ea3ecf627216c3a322dbc47c5921276270546a0f687cae02bc0d3254c0fd5c87
SHA512 13e070f7db78a318b1aa40dc0d561c4b92cb95c91ca782c6ce35bbda33fde495a0473c59437d0c8c5105c15c194994b9ad59e28d20699c9841e7437ab169915a

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\usertile39.bmp

MD5 65bfce337e2c25ad0b890ebe3a1a1a0c
SHA1 4d0c963426990fd6a1332f050c1cd72722409cf2
SHA256 45f0957a66fcb8fba8485a9adc0d65b79a8b4733c616c943bb22bd2d3c218ffa
SHA512 9e9299e90c91ccb009e82e7e9d8d9f67c103b6c2972a9d9d85e7a185e6c60f7eda9d53e6dbcbab31c4bc0dccf00e486c6bb2dcd412f06e34198c167d32e1c677

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\directories.acrodata

MD5 874cefb76c681117882796730d3edfca
SHA1 49dc3745d5ee5a3328a3f1e08b08d126ea570580
SHA256 75bdd6932cbb98d11710f1c6738f2f00a5439e4c100f9eb4cb7809c730ad8eb6
SHA512 c4ed39dd3857642c1e0949a7cbee674f9a264e911681763f4319b7e23d9fb3887708fffce41d0dd5b3dd7f3408f05be0052c55b0a93668ef26cfa30c160c9d65

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MOR6INT.REST.trx_dll

MD5 b22a432ea8c671f119cf8285d1021671
SHA1 3346593a9adb233233509247b1df059742f6aa3e
SHA256 bfd9148c099dfd9477204806df55034d06c9aacf3a4241ab97c4e4acb0349b17
SHA512 361badcd731f078d1bd64e61709f183e73163a1a09e1ed543e56a9c57b2bd28c930111797692c6be4ce4bea17a5e8283fec6ac27db7bd078047552dc51e5dece

memory/288-108-0x0000000002700000-0x0000000002E25000-memory.dmp

memory/288-109-0x0000000002700000-0x0000000002E25000-memory.dmp

memory/288-111-0x0000000002700000-0x0000000002E25000-memory.dmp

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Help_MValidator.Lck

MD5 b485167c5b0e59d47009a16f90fe2659
SHA1 891ebccd5baa32daed16fb5a0825ca7a4464931f
SHA256 db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9
SHA512 665e3fcbd83b7876dd1dc7f34fadd8669debdfab8962bdce3b72b08139a75ef157c4f4c3b90ea9c1f20637bb4f2a29091d9186987d22c7d23428a2e7ccf80bd4

memory/288-113-0x0000000002700000-0x0000000002E25000-memory.dmp

memory/1052-114-0x0000000000000000-mapping.dmp

\Program Files (x86)\Microsoft Sync Framework\v1.0\CourierStd-BoldOblique.dll

MD5 eea4a32ae17ab95ec1512168aea4ee49
SHA1 9d4a325d67300b81d943c329c40915b2496ecaa8
SHA256 750d952a1c94923e7fa8b1b284267858a11bba387dfdef95b2a762bcbc3f91bf
SHA512 227c7ee092c166e9f3a3789548d4793c10bc5c20c14dc6e1ec91ba1689d53733f1b58cb2e2e001da212100b6eadf28d3c30eef4972a4f7a0a29176f11858743a

memory/1052-120-0x0000000000930000-0x0000000000BA1000-memory.dmp

memory/1052-121-0x0000000000930000-0x0000000000BA1000-memory.dmp

memory/1052-122-0x00000000025E0000-0x0000000002D05000-memory.dmp

memory/1052-123-0x00000000025E0000-0x0000000002D05000-memory.dmp

memory/1052-126-0x00000000025E0000-0x0000000002D05000-memory.dmp

memory/1052-125-0x00000000025E0000-0x0000000002D05000-memory.dmp

memory/1052-128-0x00000000025E0000-0x0000000002D05000-memory.dmp

memory/1052-127-0x0000000000930000-0x0000000000BA1000-memory.dmp

\Program Files\Mozilla Firefox\firefox.exe

MD5 d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1 124d3c2ba93644ac6c2d7253de242b46be836692
SHA256 8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512 f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

memory/1212-133-0x0000000000000000-mapping.dmp

memory/288-134-0x0000000002180000-0x00000000023F1000-memory.dmp

memory/288-135-0x0000000002700000-0x0000000002E25000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-20 14:30

Reported

2022-12-20 14:33

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\Combine_R_RHP..dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2504 set thread context of 5112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\reviews_super.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\AccessibleHandler.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\snapshot_blob.bin C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Checkers.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Acrofx32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\license.html C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\RTC.der C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\remove.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\organize.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\EPDF_Full.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\index.html C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\apple-touch-icon-57x57-precomposed.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\chrome_elf.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\PDFPrevHndlr.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\duplicate.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Eula.exe C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\464BE6F8F2B54B6CFC524B5AD00C5323B1D021D9 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\464BE6F8F2B54B6CFC524B5AD00C5323B1D021D9\Blob = [certificate blob omitted] C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 5112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2504 wrote to memory of 5112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2504 wrote to memory of 5112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1428 wrote to memory of 3488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1428 wrote to memory of 3488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1428 wrote to memory of 3488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 4712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 4712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 4712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\schtasks.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe

"C:\Users\Admin\AppData\Local\Temp\ac3cf4cc11b0b3e744b4685be1b9a81a63fc507702864bdebd165b939e99f549.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 472

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20223

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\combine_r_rhp..dll",VANRUDI=

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:1312 tcp
N/A 40.126.31.73:443 tcp
N/A 40.79.141.153:443 tcp
N/A 93.184.220.29:80 tcp
N/A 93.184.221.240:80 tcp
N/A 23.236.181.126:443 tcp
N/A 73.73.255.76:443 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:20220 tcp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:20220 tcp
N/A 127.0.0.1:20220 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:20220 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:20220 tcp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:20220 tcp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:20220 tcp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:1312 tcp

Files

memory/2504-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 db2c90b448fb54d7e74dee29f58d0a64
SHA1 79977831931ad48aa32d80298b754a26bbd4a9d3
SHA256 59a59284c8115307a3931ccec90c78faf5cfd96794c4b4f7d702b8a7ee4d83b4
SHA512 514c880223c801ca6fe338b99ee5b5256e359686376d698e6a6ff5afc62f6908da285541cb432c817195fd01134e86a1ce6adc337708dd2087eebb56f59ddbfd

memory/2504-136-0x00000000024C0000-0x0000000002731000-memory.dmp

memory/2504-137-0x00000000024C0000-0x0000000002731000-memory.dmp

memory/2504-138-0x00000000024C0000-0x0000000002731000-memory.dmp

memory/2504-139-0x00000000034A0000-0x0000000003BC5000-memory.dmp

memory/2504-140-0x00000000034A0000-0x0000000003BC5000-memory.dmp

memory/2504-141-0x00000000034A0000-0x0000000003BC5000-memory.dmp

memory/2504-142-0x0000000003CD0000-0x0000000003E10000-memory.dmp

memory/2504-143-0x0000000003CD0000-0x0000000003E10000-memory.dmp

memory/2504-144-0x0000000003CD0000-0x0000000003E10000-memory.dmp

memory/2504-145-0x0000000003CD0000-0x0000000003E10000-memory.dmp

memory/2504-146-0x0000000003CD0000-0x0000000003E10000-memory.dmp

memory/2504-147-0x0000000003CD0000-0x0000000003E10000-memory.dmp

memory/5112-148-0x00007FF6A0756890-mapping.dmp

memory/5112-149-0x000001D5356E0000-0x000001D535820000-memory.dmp

memory/5112-150-0x000001D5356E0000-0x000001D535820000-memory.dmp

memory/2504-151-0x0000000003D49000-0x0000000003D4B000-memory.dmp

memory/5112-152-0x00000000009C0000-0x0000000000BD9000-memory.dmp

memory/5112-153-0x000001D533D10000-0x000001D533F3A000-memory.dmp

memory/2504-154-0x00000000034A0000-0x0000000003BC5000-memory.dmp

C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll

MD5 bb65ba561504883298f8f046ab1f3fd2
SHA1 7ebdba39f6717b3165d79d7c5fe825c69543a217
SHA256 74f6386468cda2f6773c2b1d0eaa23beca3fa4c7327759cb5058b68ca2df9792
SHA512 c12b99e0fa105c83a1b15fc042e70d35002b5a34ce742eeb55fd566977913cd84d968da0e7684c7e58ab8978a3d4a19debf6f948409438e9b08cf9491d033866

memory/1428-158-0x0000000001500000-0x0000000001771000-memory.dmp

\??\c:\program files (x86)\msbuild\microsoft\combine_r_rhp..dll

MD5 bb65ba561504883298f8f046ab1f3fd2
SHA1 7ebdba39f6717b3165d79d7c5fe825c69543a217
SHA256 74f6386468cda2f6773c2b1d0eaa23beca3fa4c7327759cb5058b68ca2df9792
SHA512 c12b99e0fa105c83a1b15fc042e70d35002b5a34ce742eeb55fd566977913cd84d968da0e7684c7e58ab8978a3d4a19debf6f948409438e9b08cf9491d033866

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SystemIndex.1.gthr

MD5 bd3b9cbb0a1784dab0766f8e32697994
SHA1 69800df48894e8feb5e259b86bb0f07f438f6a36
SHA256 514d7c3812fc63a88c447660b03ab84780d902859bb5a57c18c72551ddaa0348
SHA512 3439dd2a4b6b293f51f376d40caf447a285ec147eb4761d5898d5b3b6301b25f5ea5aeaa14d4932010c2ac45854ef7483b8cf3f6fba9ff5ce4374cee29bf6ac5

memory/1428-159-0x0000000001500000-0x0000000001771000-memory.dmp

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

MD5 45af97fa42bd933c57342a0efcc56fa8
SHA1 55b8fba0a9de2dfa54ea2a79435906cbb6f077bd
SHA256 f98d2b04a97c4e111f9928df2a7dab31ba3cbbeb493ad1f6503c93eb74209d6b
SHA512 8bda6ff82a7d6117052ddd8e4964d8fd7833bd5d53f39179839e5f63799a5e144efde32b15e395b260666c0f984f802b24fd43c3136700bfe9e05be4713bccde

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml

MD5 0e190f6bbc7898c31d4eae77c6abebfe
SHA1 fb6673c8116b650f0536d56be09eb188d7bdc930
SHA256 f7f461d92f4a45d1232e7e5ad76cffbbb7b83abd69df864387c757051494d118
SHA512 faaf0699ddb7e4e152afaf54bed0794c9e816cb762454c277f5d52acf88a44535cc3a44797c73393fc50db8afe2566bcaf9a4f93d945c6b0b3d8458d16ae5312

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\CiST0000.001

MD5 2a1801484fed207d6469068f57a62214
SHA1 c12999e2fa101c6b6bb3a5f0e66f4e0c5b938d4e
SHA256 30c7988571781563e5e697f564b616750e354bcd69e9bf7a39e3854e4b7bec28
SHA512 a7e12254278e83710077d5cb3b8162cd74c4211147a6823afa8aa3c67cc3041e066b34e63bcf0cae9087177543c52871e67bac373db1b8ab3d5058ba9f3f41b4

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftOutlook2013CAWin64.xml

MD5 880227fa1e5c41f3a7ea11e13f156de7
SHA1 042b7a68c2b3c588522edd750209bb4576638991
SHA256 c7f9df2f4c59a9f856761c82d28874f752cad8bdca8102bff4ff41c514f0b9fc
SHA512 caa06d82bb2e828e4e08fcca96c4b789b31611864b827ae9468e9dfbadbe10a48ae366d3d96bf92567f41d0c6792986363a0dfa6564332296fe1c111ffef4f30

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

MD5 289935a24fcaf93d1d41b4842414bdb0
SHA1 5e83951c0aeaefa25b0f918e9b3ceddb7d23d949
SHA256 12493caa467a364b7cc88d930fb41372ae8960605b12547f0283577b1564c58c
SHA512 e8dfa0c926def3a80aef8ace3edd8da408cf3e286a3bd5769db29c0d99be7febf166131b750898f48aa6932de6b4b8598f076b90aa9666696de9d7cc29063aa8

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftOffice2016BackupWin64.xml

MD5 2d995c7aa8d041ffa18821c898bc2cb7
SHA1 f16ef806d79bffeec76f27102bd8e1273a0f3747
SHA256 614e99dbea133397b0b4ee8a222df8502f8f782fbcdd44651793c1c894281948
SHA512 81dcbfa24e216bf2a06379ca7d830bd6e16b58c16cd595704903a636f770eb70ca2146ec682559b48e9ff2518cbf3e1ed693050938a9a2b2e478eba6b86959e6

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\tasks.xml

MD5 6ab160b8998020e6d4373c003e9879d4
SHA1 efa87d3fb95a73a892ed88b08651c44fe03c150f
SHA256 faf021b3c06abc41a9fb8e021171fd0ea41684b732a8e77433e447af8e527516
SHA512 c923c48b0b5c741777666ca161864879defd50c299ae76d9f093ffb846d144600c99d281d879f9328509061f3ae6784a706f15248e0fed7bfd7a595b389aae1b

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SmsInterceptStore.db

MD5 b85cff0869b27cb9b319c8695ff13ecb
SHA1 20acc437243a95409d7048c3f50cd6605a460c17
SHA256 c645e9de8051cd91b6fd1829a3ff3b39a9b73fcd7da6ec56c4ef0feb7ca6a440
SHA512 1cded0944a62c0e58a5284aaeb4363bfcecdf83f231604e7e15871e195dde506eba8c91f3d01723eb2fd46cb530ef99e7184da44e3a8038d3328b05b02c31e0e

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\CiST0000.002

MD5 2a1801484fed207d6469068f57a62214
SHA1 c12999e2fa101c6b6bb3a5f0e66f4e0c5b938d4e
SHA256 30c7988571781563e5e697f564b616750e354bcd69e9bf7a39e3854e4b7bec28
SHA512 a7e12254278e83710077d5cb3b8162cd74c4211147a6823afa8aa3c67cc3041e066b34e63bcf0cae9087177543c52871e67bac373db1b8ab3d5058ba9f3f41b4

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SmsInterceptStore.jfm

MD5 42503cb1e39818ef9265e178f1c15cb6
SHA1 3a7ae377387bbff92f8f66cf5608a581ae0d7a84
SHA256 7cb882655d38dc1eba3f35810fa95138decf03fc90a828f17994d6bc76acb0d2
SHA512 a39900fdf1f5012992824a470c26d9e0c61e34cca1987d06ee9802d1c81aef4197a9bfe941cd50a3954b485239db906f771953fc0795919f80f7bfdc88aba294

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\stream.x64.x-none.hash

MD5 2b4d6d3b95916f9810449019372fbbde
SHA1 2c9f59c51fc6b290f758aed25a899dba37459fc6
SHA256 cea19b915390806a9677165794194c66b19e3198a342d51e5a880e7b55768ac7
SHA512 5cbb012b89989d53a7814dcb9f0391a761ebea6a7c9d1dcaae0efb476e61b30ce678387c4ff6fcebea0643f96d2f3bf126cff9511a75c1780ec89b51ba79c8db

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\user-48.png

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

C:\Program Files (x86)\MSBuild\Microsoft\Combine_R_RHP..dll

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_8_12_19_6_54.etl
