Analysis
- max time kernel: 149s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/03/2025, 12:28

Static task: static1

Behavioral task: behavioral1
- Sample: Crypt B.dll
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: Crypt B.dll
- Resource: win10v2004-20250314-en

General
- Target: Crypt B.dll
- Size: 5.5MB
- MD5: a3287c38bc4dc6621238f79c995f661f
- SHA1: 05855c33f623c5de17c501ae023cd2e64c47c406
- SHA256: c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0
- SHA512: 28b31da397bc8f8be23fb67281b4f31377abcbad8baeef2a78b71b990b651f29777618e2e46abace9a84284825c461f90c54662a4776669ae25c3dfe35955401
- SSDEEP: 98304:qFprUM3pWeTtU1zs3QPzpltsGFc4uz0bsAWopU/:qFp9tTqS2zplFFO0blp

Malware Config
Extracted: danabot
- type: loader
Signatures

Danabot family

Blocklisted process makes network request (39 IoCs)
  flow | pid | Process
  1, 17, 19, 20, 21, 23, 24, 26, 27, 35, 36, 37, 38, 40, 41, 42, 47, 49, 51, 53, 54, 55, 57, 58, 59, 60, 67, 69, 74, 77, 78, 82, 122, 130, 133, 134, 134, 144, 122 | 3844 | rundll32.exe (one row per flow; every flow originates from the same process)

Uses browser remote debugging (2 TTPs, 8 IoCs)
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  pid | Process
  4056 | chrome.exe
  1648 | chrome.exe
  4712 | chrome.exe
  2856 | chrome.exe
  2004 | msedge.exe
  4332 | msedge.exe
  6052 | msedge.exe
  4860 | chrome.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe

Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\R:, \??\T:, \??\Z:, \??\B:, \??\L:, \??\U:, \??\V:, \??\X:, \??\E:, \??\G:, \??\J:, \??\M:, \??\P:, \??\S:, \??\H:, \??\I:, \??\K:, \??\N:, \??\O:, \??\Q:, \??\W:, \??\Y:, \??\A: | rundll32.exe (one row per drive letter)

Suspicious use of SetThreadContext (22 IoCs)
  description | pid | Process | procid_target
  PID 3844 set thread context of 4612 | 3844 | rundll32.exe | 89
  PID 3844 set thread context of 1560 | 3844 | rundll32.exe | 101
  PID 3844 set thread context of 5292 | 3844 | rundll32.exe | 111
  PID 3844 set thread context of 532 | 3844 | rundll32.exe | 114
  PID 3844 set thread context of 2168 | 3844 | rundll32.exe | 115
  PID 3844 set thread context of 3568 | 3844 | rundll32.exe | 117
  PID 3844 set thread context of 1656 | 3844 | rundll32.exe | 118
  PID 3844 set thread context of 1464 | 3844 | rundll32.exe | 119
  PID 3844 set thread context of 4760 | 3844 | rundll32.exe | 120
  PID 3844 set thread context of 3596 | 3844 | rundll32.exe | 121
  PID 3844 set thread context of 3444 | 3844 | rundll32.exe | 122
  PID 3844 set thread context of 3896 | 3844 | rundll32.exe | 123
  PID 3844 set thread context of 4972 | 3844 | rundll32.exe | 124
  PID 3844 set thread context of 640 | 3844 | rundll32.exe | 125
  PID 3844 set thread context of 1676 | 3844 | rundll32.exe | 126
  PID 3844 set thread context of 3232 | 3844 | rundll32.exe | 127
  PID 3844 set thread context of 456 | 3844 | rundll32.exe | 128
  PID 3844 set thread context of 3172 | 3844 | rundll32.exe | 129
  PID 3844 set thread context of 4252 | 3844 | rundll32.exe | 130
  PID 3844 set thread context of 5256 | 3844 | rundll32.exe | 131
  PID 3844 set thread context of 1876 | 3844 | rundll32.exe | 132
  PID 3844 set thread context of 4432 | 3844 | rundll32.exe | 133

Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

Checks processor information in registry (2 TTPs, 20 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (23 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | rundll32.exe (23 identical entries)

Modifies system certificate store (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A362990C04F3D0F9EF1779B61C0C74C5FE5568CF | rundll32.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A362990C04F3D0F9EF1779B61C0C74C5FE5568CF\Blob = 030000000100000014000000a362990c04f3d0f9ef1779b61c0c74c5fe5568cf20000000010000005602000030820252308201bba003020102020800892552338d3963300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c6f62616c20526f6f6d20434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3233303331393132323833375a170d3237303331383132323833375a30613120301e06035504030c17446967694365727420476c6f62616c20526f6f6d20434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c41019919641868e1779af4a3023d132cc9203092b92afaf225911ee8e68a173ca65476b6e6f4dfa01fa24283a71f6165faf462fced59d29c5e6a3709acf08a555b45ff346234d1bda56f366b3024302d8a7c75644eca8cacd47c9f6f51878ae445b278496f5c1eb5c775906a9dd809f6b47c2e1ce6446b6e03ddc0c309b3c1d0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038181003d2dd995fadf02255c4836678d0bebeac41d2c2b06e015861c268775c4602400e8958e9d9651494a0860458ed74a7982aa1b788ce2be81dafd2c24aa27460f53681894b1b2b8e32911136592452cb5118244d0c97a6e595e84f42d9fc4454cafe9c4b0295ce6067c21e4189c60561b79c7988ed6def9491b2dc11f16d4508570 | rundll32.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  3844 | rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3844 | rundll32.exe (64 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  4860 | chrome.exe (4 entries)
  2004 | msedge.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3844 | rundll32.exe (22 identical entries)
  Token: SeShutdownPrivilege | 4860 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4860 | chrome.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | Process
  4612, 3844, 1560, 1936, 5292, 532, 2168, 3568, 1656, 1464, 4760, 3596, 3444, 3896, 4972, 640, 1676, 3232, 456, 3172, 4252, 5256, 1876, 4432 | rundll32.exe (one row per pid)
  4860 | chrome.exe
  2004 | msedge.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3844 | rundll32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 5076 wrote to memory of 3844 | 5076 | rundll32.exe | 85 (3 identical entries)
  PID 3844 wrote to memory of 4612 | 3844 | rundll32.exe | 89 (3 identical entries)
  PID 3844 wrote to memory of 4860 | 3844 | rundll32.exe | 91 (2 identical entries)
  PID 4860 wrote to memory of 4884 | 4860 | chrome.exe | 92 (2 identical entries)
  PID 4860 wrote to memory of 1548 | 4860 | chrome.exe | 93 (2 identical entries)
  PID 4860 wrote to memory of 2020 | 4860 | chrome.exe | 94 (repeated entries)
  PID 4860 wrote to memory of 3108 | 4860 | chrome.exe | 95 (repeated entries)

outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
(each entry gives the image path, the command line, the signatures triggered and the PID; child processes are indented under their parent)

C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Crypt B.dll",#1
  - Suspicious use of WriteProcessMemory
  PID:5076

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Crypt B.dll",#1
    - Blocklisted process makes network request
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:3844

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:4612

    C:\Program Files\Google\Chrome\Application\chrome.exe
      --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
      - Uses browser remote debugging
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID:4860

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80746dcf8,0x7ff80746dd04,0x7ff80746dd10
        PID:4884

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2060,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2052 /prefetch:3
        PID:1548

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1752 /prefetch:2
        PID:2020

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2428,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2424 /prefetch:8
        PID:3108

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3160 /prefetch:1
        - Uses browser remote debugging
        PID:1648

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3136 /prefetch:1
        - Uses browser remote debugging
        PID:4056

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4272 /prefetch:2
        - Uses browser remote debugging
        PID:4712

      C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3856,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4544 /prefetch:1
        - Uses browser remote debugging
        PID:2856

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:1560

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
      - Uses browser remote debugging
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      PID:2004

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffff90af208,0x7ffff90af214,0x7ffff90af220
        PID:4896

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2252,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
        PID:1308

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
        PID:4388

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2572,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:8
        PID:2524

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3580,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
        - Uses browser remote debugging
        PID:6052

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3596,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
        - Uses browser remote debugging
        PID:4332

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:5292

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:1936

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:532

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:2168

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:3568

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:1656

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:1464

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:4760

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:3596

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:3444

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3896
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4972
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:640
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1676
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3232
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:456
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3172
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4252
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5256
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1876
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4432
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:1920
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:2448
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Authentication Process (1)
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
- Credentials In Files (1)
- Credentials in Registry (1)
Downloads