Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/03/2025, 12:28
Static task: static1
Behavioral task: behavioral1
- Sample: Crypt B.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Crypt B.dll
- Resource: win10v2004-20250314-en
General
- Target: Crypt B.dll
- Size: 5.5MB
- MD5: a3287c38bc4dc6621238f79c995f661f
- SHA1: 05855c33f623c5de17c501ae023cd2e64c47c406
- SHA256: c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0
- SHA512: 28b31da397bc8f8be23fb67281b4f31377abcbad8baeef2a78b71b990b651f29777618e2e46abace9a84284825c461f90c54662a4776669ae25c3dfe35955401
- SSDEEP: 98304:qFprUM3pWeTtU1zs3QPzpltsGFc4uz0bsAWopU/:qFp9tTqS2zplFFO0blp
Malware Config
Extracted: danabot
- type: loader
Signatures
- Danabot family
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" (rundll32.exe)
- Blocklisted process makes network request (2 IoCs)
  flow 2: pid 2544 rundll32.exe
  flow 16: pid 2544 rundll32.exe
- Uses browser remote debugging (2 TTPs, 2 IoCs)
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  pid 2280 chrome.exe
  pid 2136 chrome.exe
- Loads dropped DLL (10 IoCs)
  pid 2544 rundll32.exe (10 occurrences)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)
- Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by rundll32.exe: \??\H:, \??\I:, \??\K:, \??\P:, \??\R:, \??\W:, \??\U:, \??\X:, \??\L:, \??\M:, \??\Q:, \??\S:, \??\T:, \??\Y:, \??\A:, \??\B:, \??\J:, \??\N:, \??\O:, \??\V:, \??\Z:, \??\E:, \??\G:
- Suspicious use of SetThreadContext (22 IoCs)
  PID 2544 (rundll32.exe) set thread context of the following target PIDs (procid_target in parentheses): 2628 (33), 1584 (34), 2376 (41), 2680 (42), 2260 (43), 1612 (44), 2664 (45), 2008 (46), 1460 (47), 2136 (48), 2108 (49), 776 (50), 2828 (51), 380 (52), 1420 (53), 1604 (54), 1224 (55), 2220 (56), 2624 (57), 2832 (58), 2164 (59), 1624 (60)
- Drops file in Program Files directory (3 IoCs)
  File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe (rundll32.exe)
  File opened for modification: C:\Program Files\Google\Chrome\Application\debug.log (chrome.exe)
  File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log (chrome.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Checks processor information in registry (2 TTPs, 17 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All entries below were performed by rundll32.exe:
  Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet
- Modifies system certificate store (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B339EEF6A09C80A18026C4F89F14DC467AF0005D (rundll32.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B339EEF6A09C80A18026C4F89F14DC467AF0005D\Blob = [certificate blob not reproduced in this report] (rundll32.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2544 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2544 rundll32.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeDebugPrivilege, pid 2544 rundll32.exe (7 occurrences)
  Token: SeShutdownPrivilege, pid 2280 chrome.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (23 IoCs)
  rundll32.exe pids: 2628, 1584, 2544, 2376, 2680, 2260, 1612, 2664, 2008, 1460, 2136, 2108, 776, 2828, 380, 1420, 1604, 1224, 2220, 2624, 2832, 2164, 1624
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2544 rundll32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2400 (rundll32.exe) wrote to memory of 2544, procid_target 30 (7 occurrences)
  PID 2544 (rundll32.exe) wrote to memory of 2628, procid_target 33 (5 occurrences)
  PID 2544 (rundll32.exe) wrote to memory of 1584, procid_target 34 (5 occurrences)
  PID 2544 (rundll32.exe) wrote to memory of 2280, procid_target 36 (4 occurrences)
  PID 2280 (chrome.exe) wrote to memory of 840, procid_target 37 (3 occurrences)
  PID 2280 (chrome.exe) wrote to memory of 1192, procid_target 38 (40 occurrences)
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID 2400)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Crypt B.dll",#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2544)
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Crypt B.dll",#1
    - Modifies visibility of file extensions in Explorer
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\system32\rundll32.exe (PID 2628)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1584)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2280)
      --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
      - Uses browser remote debugging
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 840)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6ce9758,0x7fef6ce9768,0x7fef6ce9778
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1192)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=872 --field-trial-handle=1012,i,11208126140945858639,10838569164596115531,131072 --disable-features=PaintHolding /prefetch:2
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1512)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1240 --field-trial-handle=1012,i,11208126140945858639,10838569164596115531,131072 --disable-features=PaintHolding /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2136)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=9223 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1596 --field-trial-handle=1012,i,11208126140945858639,10838569164596115531,131072 --disable-features=PaintHolding /prefetch:1
        - Uses browser remote debugging
        - Drops file in Program Files directory
    - C:\Windows\system32\rundll32.exe (PID 2376)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2680)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2260)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1612)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2664)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2008)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1460)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2136)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2108)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 776)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2828)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 380)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1420)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1604)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1224)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2220)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2624)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2832)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2164)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1624)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Authentication Process (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
  - Credentials In Files (1)
  - Credentials in Registry (1)
Downloads
- Filesize: 292KB
  MD5: ae71383c3cbc5a7c64ee793a5779015b
  SHA1: 1cabfd5c590a76fe86af0c042b4d9a6e1546cf78
  SHA256: 29bbdf534e97add374f41c9a2e5a1a34952b8eac501f1a8828f5999e7e0d79f7
  SHA512: f7703b0e5b67e2c3bbba42efe912eda68c90d7fe4425c7d2f20f02f2d6e659f71870286055eb87095a0861e4ba04a9fbf72bfb328bda10aadafe2880fd06e51d
- Filesize: 46KB
  MD5: b13fcb3223116f6eec60be9143cae98b
  SHA1: 9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88
  SHA256: 961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b
  SHA512: 89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d
- Filesize: 654KB
  MD5: 1fd347ee17287e9c9532c46a49c4abc4
  SHA1: ad5d9599030bfbcc828c4321fffd7b9066369393
  SHA256: 912373af6f3c176b7e0a71c986d6288f76f5be80de7c9a580b110690271e9237
  SHA512: 9e52622077e805fcff2c6fe510524bf9ca7246da9ef42843041e82ced28b59163a2729335139df9e2d2a4c748ed56471bb053f337655a77d2d0976370f07acf4