Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/03/2025, 04:06
Static task: static1
Behavioral task: behavioral1
- Sample: c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0.dll
- Resource: win10v2004-20250314-en
General
- Target: c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0.dll
- Size: 5.5MB
- MD5: a3287c38bc4dc6621238f79c995f661f
- SHA1: 05855c33f623c5de17c501ae023cd2e64c47c406
- SHA256: c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0
- SHA512: 28b31da397bc8f8be23fb67281b4f31377abcbad8baeef2a78b71b990b651f29777618e2e46abace9a84284825c461f90c54662a4776669ae25c3dfe35955401
- SSDEEP: 98304:qFprUM3pWeTtU1zs3QPzpltsGFc4uz0bsAWopU/:qFp9tTqS2zplFFO0blp
Malware Config
Extracted: danabot
- type: loader
Signatures
- Danabot family
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | rundll32.exe |
Blocklisted process makes network request 2 IoCs
| flow | pid | Process |
| --- | --- | --- |
| 2 | 2588 | rundll32.exe |
| 17 | 2588 | rundll32.exe |
Uses browser remote debugging 2 TTPs 2 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
| pid | Process |
| --- | --- |
| 2144 | chrome.exe |
| 1552 | chrome.exe |
Loads dropped DLL 10 IoCs
| pid | Process | count |
| --- | --- | --- |
| 2588 | rundll32.exe | 10 |
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe |
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\J: | rundll32.exe |
| File opened (read-only) | \??\P: | rundll32.exe |
| File opened (read-only) | \??\R: | rundll32.exe |
| File opened (read-only) | \??\S: | rundll32.exe |
| File opened (read-only) | \??\A: | rundll32.exe |
| File opened (read-only) | \??\G: | rundll32.exe |
| File opened (read-only) | \??\I: | rundll32.exe |
| File opened (read-only) | \??\K: | rundll32.exe |
| File opened (read-only) | \??\M: | rundll32.exe |
| File opened (read-only) | \??\N: | rundll32.exe |
| File opened (read-only) | \??\T: | rundll32.exe |
| File opened (read-only) | \??\W: | rundll32.exe |
| File opened (read-only) | \??\E: | rundll32.exe |
| File opened (read-only) | \??\L: | rundll32.exe |
| File opened (read-only) | \??\O: | rundll32.exe |
| File opened (read-only) | \??\Q: | rundll32.exe |
| File opened (read-only) | \??\V: | rundll32.exe |
| File opened (read-only) | \??\X: | rundll32.exe |
| File opened (read-only) | \??\Y: | rundll32.exe |
| File opened (read-only) | \??\B: | rundll32.exe |
| File opened (read-only) | \??\H: | rundll32.exe |
| File opened (read-only) | \??\U: | rundll32.exe |
| File opened (read-only) | \??\Z: | rundll32.exe |
Suspicious use of SetThreadContext 22 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2588 set thread context of 2228 | 2588 | rundll32.exe | 33 |
| PID 2588 set thread context of 1976 | 2588 | rundll32.exe | 35 |
| PID 2588 set thread context of 1616 | 2588 | rundll32.exe | 41 |
| PID 2588 set thread context of 2808 | 2588 | rundll32.exe | 42 |
| PID 2588 set thread context of 2876 | 2588 | rundll32.exe | 43 |
| PID 2588 set thread context of 2096 | 2588 | rundll32.exe | 44 |
| PID 2588 set thread context of 2120 | 2588 | rundll32.exe | 45 |
| PID 2588 set thread context of 1332 | 2588 | rundll32.exe | 46 |
| PID 2588 set thread context of 1028 | 2588 | rundll32.exe | 47 |
| PID 2588 set thread context of 1264 | 2588 | rundll32.exe | 48 |
| PID 2588 set thread context of 2800 | 2588 | rundll32.exe | 49 |
| PID 2588 set thread context of 2664 | 2588 | rundll32.exe | 50 |
| PID 2588 set thread context of 2648 | 2588 | rundll32.exe | 51 |
| PID 2588 set thread context of 1860 | 2588 | rundll32.exe | 52 |
| PID 2588 set thread context of 408 | 2588 | rundll32.exe | 53 |
| PID 2588 set thread context of 1916 | 2588 | rundll32.exe | 54 |
| PID 2588 set thread context of 1504 | 2588 | rundll32.exe | 55 |
| PID 2588 set thread context of 1612 | 2588 | rundll32.exe | 56 |
| PID 2588 set thread context of 828 | 2588 | rundll32.exe | 57 |
| PID 2588 set thread context of 2924 | 2588 | rundll32.exe | 58 |
| PID 2588 set thread context of 2848 | 2588 | rundll32.exe | 59 |
| PID 2588 set thread context of 1800 | 2588 | rundll32.exe | 60 |
Drops file in Program Files directory 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | rundll32.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| --- | --- | --- |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe |
Modifies system certificate store 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FCB64932547B4CA116AA8CAD9ABC5A16652349F rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FCB64932547B4CA116AA8CAD9ABC5A16652349F\Blob = 0300000001000000140000004fcb64932547b4ca116aa8cad9abc5a16652349f20000000010000007402000030820270308201d9a003020102020878959cd748e3328f300d06092a864886f70d01010b050030703123302106035504030c1a475445204379626572546375737420476c6f62616c20526f6f7431223020060355040b0c1922475445204379626572547275737420536f6c7574696f6e7331183016060355040a0c0f47544520436f72706f726174696f6e310b3009060355040613025553301e170d3233303332303034303730375a170d3237303331393034303730375a30703123302106035504030c1a475445204379626572546375737420476c6f62616c20526f6f7431223020060355040b0c1922475445204379626572547275737420536f6c7574696f6e7331183016060355040a0c0f47544520436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100eb4953e789b41331142690686109a1a0c617da1411d06ef1e37ee3f9360fa728dad35edf97657533ab98d7dea6aec202eba9211315cdb06b1e25bbdc566162a9ca3e3c8682cef315bc5797b3defb7c4b91a1ff3aaa3927d69bb16ab153f4335a0d9ff6b645e8270d9826dcb7df29aca4928622b978aa98fb80ce731e5226ade70203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038181002eff8719be74d5536cda43a924322f12b11181c4c09ed8dfd7bf7394f750996571b2b95cccd3be30bb8ae7a0df287c1eaac374ece5898c7bc61dbb286e3c404f4da4f22719238abab49f51a36758e18f21544afffc0d9eb13505392b78b53ba6d0bac221f73221b6550f9c279ccd5f32914987db177a89b3a78e11daadbb94ed rundll32.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
| pid | Process |
| --- | --- |
| 2588 | rundll32.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
| pid | Process | count |
| --- | --- | --- |
| 2588 | rundll32.exe | 64 |
Suspicious use of AdjustPrivilegeToken 9 IoCs
| description | pid | Process | count |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | 2588 | rundll32.exe | 7 |
| Token: SeShutdownPrivilege | 2144 | chrome.exe | 2 |
Suspicious use of FindShellTrayWindow 23 IoCs
| pid | Process |
| --- | --- |
| 2228 | rundll32.exe |
| 1976 | rundll32.exe |
| 2588 | rundll32.exe |
| 1616 | rundll32.exe |
| 2808 | rundll32.exe |
| 2876 | rundll32.exe |
| 2096 | rundll32.exe |
| 2120 | rundll32.exe |
| 1332 | rundll32.exe |
| 1028 | rundll32.exe |
| 1264 | rundll32.exe |
| 2800 | rundll32.exe |
| 2664 | rundll32.exe |
| 2648 | rundll32.exe |
| 1860 | rundll32.exe |
| 408 | rundll32.exe |
| 1916 | rundll32.exe |
| 1504 | rundll32.exe |
| 1612 | rundll32.exe |
| 828 | rundll32.exe |
| 2924 | rundll32.exe |
| 2848 | rundll32.exe |
| 1800 | rundll32.exe |
Suspicious use of SetWindowsHookEx 1 IoCs
| pid | Process |
| --- | --- |
| 2588 | rundll32.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target | count |
| --- | --- | --- | --- | --- |
| PID 2380 wrote to memory of 2588 | 2380 | rundll32.exe | 30 | 7 |
| PID 2588 wrote to memory of 2228 | 2588 | rundll32.exe | 33 | 5 |
| PID 2588 wrote to memory of 1976 | 2588 | rundll32.exe | 35 | 5 |
| PID 2588 wrote to memory of 2144 | 2588 | rundll32.exe | 36 | 4 |
| PID 2144 wrote to memory of 2108 | 2144 | chrome.exe | 37 | 3 |
| PID 2144 wrote to memory of 824 | 2144 | chrome.exe | 38 | 40 |
outlook_office_path 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe |
outlook_win_path 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe |
Processes

- C:\Windows\system32\rundll32.exe (PID 2380)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2588)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0.dll,#1
    Signatures: Modifies visibility of file extensions in Explorer; Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Enumerates connected drives; Suspicious use of SetThreadContext; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\system32\rundll32.exe (PID 2228)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1976)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2144)
      Command line: --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
      Signatures: Uses browser remote debugging; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2108)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef5fe9758,0x7fef5fe9768,0x7fef5fe9778
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 824)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=872 --field-trial-handle=936,i,8898586681493587536,14764761446477779444,131072 --disable-features=PaintHolding /prefetch:2
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 268)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1240 --field-trial-handle=936,i,8898586681493587536,14764761446477779444,131072 --disable-features=PaintHolding /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1552)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=9223 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1532 --field-trial-handle=936,i,8898586681493587536,14764761446477779444,131072 --disable-features=PaintHolding /prefetch:1
        Signatures: Uses browser remote debugging
    - C:\Windows\system32\rundll32.exe (PID 1616)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2808)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2876)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2096)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2120)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1332)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1028)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1264)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2800)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2664)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2648)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1860)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 408)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1916)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1504)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1612)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 828)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2924)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 2848)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe (PID 1800)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Authentication Process (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
  - Credentials In Files (1)
  - Credentials in Registry (1)
Downloads

- Filesize: 292KB
  MD5: ae71383c3cbc5a7c64ee793a5779015b
  SHA1: 1cabfd5c590a76fe86af0c042b4d9a6e1546cf78
  SHA256: 29bbdf534e97add374f41c9a2e5a1a34952b8eac501f1a8828f5999e7e0d79f7
  SHA512: f7703b0e5b67e2c3bbba42efe912eda68c90d7fe4425c7d2f20f02f2d6e659f71870286055eb87095a0861e4ba04a9fbf72bfb328bda10aadafe2880fd06e51d
- Filesize: 92KB
  MD5: 102841a614a648b375e94e751611b38f
  SHA1: 1368e0d6d73fa3cee946bdbf474f577afffe2a43
  SHA256: c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264
  SHA512: ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a
- Filesize: 46KB
  MD5: b13fcb3223116f6eec60be9143cae98b
  SHA1: 9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88
  SHA256: 961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b
  SHA512: 89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d
- Filesize: 654KB
  MD5: 1fd347ee17287e9c9532c46a49c4abc4
  SHA1: ad5d9599030bfbcc828c4321fffd7b9066369393
  SHA256: 912373af6f3c176b7e0a71c986d6288f76f5be80de7c9a580b110690271e9237
  SHA512: 9e52622077e805fcff2c6fe510524bf9ca7246da9ef42843041e82ced28b59163a2729335139df9e2d2a4c748ed56471bb053f337655a77d2d0976370f07acf4