Malware analysis Wondershare Filmora 12 License.exe Malicious activity

Add for printing

File name:	Wondershare Filmora 12 License.exe
Full analysis:	https://app.any.run/tasks/3ce69bb0-7fa8-4c17-97cc-57768b047d04
Verdict:	Malicious activity
Threats:	Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method. HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 28, 2023, 11:54:51
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	hijackloader loader danabot stealer danabot-unpacked
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	5120A1FF676E7185F4CD3C40F6159082
SHA1:	DB5DEFC22EA4526ABAFCD8EBC916DDF90C42CAF2
SHA256:	0541EF965DB2B921D8F8AF92F0FB84EE1561D7BB08C94CFB1847DA06434F91F7
SSDEEP:	98304:GyMto40WNltDPp9zkw9bK4n5hOLVLvvtuyoLoCOSbeSsOfES2+Fu2NgffyAsgaeO:e7G7ye916

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Wondershare Filmora 12 License.exe (PID: 2612)
- Loads dropped or rewritten executable
  - VBoxExtPackHelperApp.exe (PID: 2804)
- Application was dropped or rewritten from another process
  - VBoxExtPackHelperApp.exe (PID: 2804)
- HIJACKLOADER has been detected (YARA)
  - cmd.exe (PID: 3052)
  - explorer.exe (PID: 992)
- Unusual connection from system programs
  - rundll32.exe (PID: 2596)
- DANABOT has been detected (SURICATA)
  - rundll32.exe (PID: 2596)
- DANABOT has been detected (YARA)
  - rundll32.exe (PID: 2596)
- Steals credentials from Web Browsers
  - rundll32.exe (PID: 2596)
- Steals credentials
  - rundll32.exe (PID: 2596)
- Uses Task Scheduler to run other applications
  - rundll32.exe (PID: 2596)
- Actions looks like stealing of personal data
  - rundll32.exe (PID: 2596)
SUSPICIOUS
- Process drops legitimate windows executable
  - Wondershare Filmora 12 License.exe (PID: 2612)
- The process drops C-runtime libraries
  - Wondershare Filmora 12 License.exe (PID: 2612)
- Reads the Internet Settings
  - Wondershare Filmora 12 License.exe (PID: 2612)
  - rundll32.exe (PID: 2596)
- Starts CMD.EXE for commands execution
  - VBoxExtPackHelperApp.exe (PID: 2804)
- Reads settings of System Certificates
  - rundll32.exe (PID: 2596)
- Searches for installed software
  - rundll32.exe (PID: 2596)
- Reads browser cookies
  - rundll32.exe (PID: 2596)
- Accesses Microsoft Outlook profiles
  - rundll32.exe (PID: 2596)
INFO
- Checks supported languages
  - Wondershare Filmora 12 License.exe (PID: 2612)
  - VBoxExtPackHelperApp.exe (PID: 2804)
- Reads the computer name
  - Wondershare Filmora 12 License.exe (PID: 2612)
  - VBoxExtPackHelperApp.exe (PID: 2804)
- Create files in a temporary directory
  - Wondershare Filmora 12 License.exe (PID: 2612)
  - VBoxExtPackHelperApp.exe (PID: 2804)
  - rundll32.exe (PID: 2596)
- Checks proxy server information
  - rundll32.exe (PID: 2596)
- Creates files in the program directory
  - explorer.exe (PID: 992)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

DanaBot

(PID) Process(2596) rundll32.exe

C2 (0)

Attributes

(217)0123456789ABCDEF0123456789abcdef

77777777777777777777777777777777

424a0d380332858ee55bdebc4af3789f

74e70a2b3ba1cf29d84b9b4bcf3e2e37

10099790675505530477208181553592

52248698410825720534578748235158

75577147990529272777244152852699

29879648335669968284202797289605

27471731754805904856071347468521

41928680912561502802222185647539

19090265611636784727014501906679

42909301854462163997308722217328

89830323194097355403213400972588

12702124828893241746590704277717

64435257876535089165358128175072

65705031260985098497423188333483

40118092599999512098893413065920

56149967242541210492743493570749

20312769561451689224110579311248

81261022967853463840169352001328

89950003622606842227508135323070

04517341633685004541062586971416

68363196144955700784444165611827

25289510217088876144205509505128

42941826148615804143873447737955

50239267234596860714306679811299

40894712314200270603852166995638

48719957657284814898909770759462

61343766945636488273037083893479

10808359326479767786019153434744

00961034231316672578686920482194

93287863336020338479709268434224

76210557602350161326147806527610

13945487119911582560140965510769

07131070417070599280317977580014

54375765357722984094124368522288

23983303911468164807668823692122

07373226721607407477717009111345

50432053804647694904686120113087

81624074018480047704715733666292

62494235712488239685422217536601

43391485680840520336859458494803

79885141663410976897627118935756

32374730795191650763975830047269

81655271797088101601789319141530

03482262544051353358162468249467

68187662128347821288428654584401

39551426222087723485023722868022

27500950222482786620174449402169

77164820083536398202298024892620

48089869933550806433231352972533

22088194568951085155178100221003

45937058829107307118655300596214

11062467923351196304051895241701

70402485862954819831383774196396

29858439594897060895617022421062

85255603278638246716655439297654

40292184474789307951866999282788

07921929927011428546551433875806

37711044353429355406671265303499

62770993207157743542287621283671

84370370914135017194504580505029

11346886119981935056486823337887

51980432679477764885109979612316

75697661102170730178212875780161

06280855283803109571158829574281

41920853258904166001701785985821

63414003714687551412794400562878

93526663075439267701459858210336

59831191739244732511225464712252

38680331590270772766871534347608

63504720252982827271461690125050

61685823838436633108977746354101

90545764962192996590429095877462

53156113056083907389766971404812

52442226251255605447462085599609

15707867135849550236741915584185

99062780106646580951009578471398

98194138208715964648914493053407

92073707889052048273062303883776

77101736648382398574828787891286

47120146047432661269784969366551

10898843579635350691237459149897

21926201904875576195823347717353

13353181327272067343385951994831

90012179423759678474868994823595

99369642528734712461590403327731

82141032801252925387191478859899

31033105677441361963648030647213

77826656898686468463277710150809

40118260877020161532499046833293

12949209127762411378780302243557

46606283971659376426832674269780

14201174159756348119636828602231

80897432761383952437387628725734

41927459393512718973631166078467

60036084894662356762579528277471

92122419290710461342083806363940

84512691828894000571524625445295

76934935675272895683154177544176

31393844571917550968471078465956

62547942312293338483924514339614

91771529896554605945588149018382

75021729685839352072417274332572

88908647278284231516999958018757

57891031463338652579140051973659

30481314406858570673698294079477

44496306656291505503608252399443

79002723867491459962308678322286

61977543992816745254823298629859

87535754662860517388378547361676

85769017780335804511440773337196

25384235329193944778736647528245

10289461266249948596765520743605

30315217970499989304888248413244

84749230227584701679988710036046

70704877377286176171227694098633

15390895687841291101095126905033

45393869871295783467257264868341

72001966298605611936667524296823

67397084815179752036423595736533

68957392061769855284593965042530

91096713918026269165823180506035

55673628769498182593088388796888

44306184642975841824731350308098

59326863990650118941756995270074

86099731814269502352396232391105

57450826919295792878938752101867

70471816232510275169531004318559

64837602657827828194249605561893

69658653255131371944831362477736

53468410118796740709840825496997

93755607223451067047210860259793

12469963669934775136071472657940

64436203408861395055989217248455

72998707376989996514806623647239

92859320868822848751165438350943

32766472226259406155605804500409

47211826027729977563540237169063

04480797157716494477784470005974

19032457722226253269698374446528

35352729304393746106576383349151

67878761373365912343802950200656

82527118129468050147943114675429

C0000000000000000000000000000000

000000000000000000000000000003c4

2d06B4265ebc749ff7d0f1f1f88232e8

1632e9088fd44b7787d5e407e955080c

C0000000000000000000000000000000

000000000000000000000000000003C7

5fffffffffffffffffffffffffffffff

606117a2f4bde428b7458a54b6e87b85

a20e034bf8813ef5c18d01105e726a17

eb248b264ae9706f440bedc8ccb6b22c

5FBFF498AA938CE739B8E022FBAFEF40

563F6E6A3472FC2A514C0CE9DAE23B7E

80000000000000000000000000000000

00000000000000000000000000000431

80000000000000000000000000000001

50FE8A1892976154C59CFC193ACCF5B3

08E2A8A0E65147D4BD6316030E16D19C

85C97F0A9CA267122B96ABBCEA7E8FC8

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

80000000000000000000000000000000

00000000000000000000000000000C96

3E1AF419A269A5F866A7D3C25C3DF80A

E979259373FF2B182F49D4CE7E1BBC8B

80000000000000000000000000000000

00000000000000000000000000000C99

80000000000000000000000000000001

5F700CFFF1A624E5E497161BCC8A198F

3FA8124359F96680B83D1C3EB2C070E5

C545C9858D03ECFB744BF8D717717EFC

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

66666666666666666666666666666666

00001111222233334444555566667777

20142015201620172018201920202021

20222023202420252026202720282029

20302031203220332034203520362037

20132012201120102009200820072006

20052004200320022001200019991998

19971996199519941993199219911990

19891988198719861985198419831982

19811980197919781977197619751974

19731972197119701969196819671966

19651964196319621961196019591958

19571956195519541953195219511950

Certificates

(29)-----BEGIN CERTIFICATE----- MIICvDCCAiUCEEoZ0jiMglkcpV1zXxVd3KMwDQYJKoZIhvcNAQEEBQAwgZ4xHzAd BgNVBAoTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxFzAVBgNVBAsTDlZlcmlTaWdu LCBJbmMuMSwwKgYDVQQLEyNWZXJpU2lnbiBUaW1lIFN0YW1waW5nIFNlcnZpY2Ug Um9vdDE0MDIGA1UECxMrTk8gTElBQklMSVRZIEFDQ0VQVEVELCAoYyk5NyBWZXJp U2lnbiw...

C2 (3)178.20.47.4:443

88.218.61.195:443

195.2.75.109:443

Attributes

(219)0123456789ABCDEF0123456789abcdef

77777777777777777777777777777777

424a0d380332858ee55bdebc4af3789f

74e70a2b3ba1cf29d84b9b4bcf3e2e37

10099790675505530477208181553592

52248698410825720534578748235158

75577147990529272777244152852699

29879648335669968284202797289605

27471731754805904856071347468521

41928680912561502802222185647539

19090265611636784727014501906679

42909301854462163997308722217328

89830323194097355403213400972588

12702124828893241746590704277717

64435257876535089165358128175072

65705031260985098497423188333483

40118092599999512098893413065920

56149967242541210492743493570749

20312769561451689224110579311248

81261022967853463840169352001328

89950003622606842227508135323070

04517341633685004541062586971416

68363196144955700784444165611827

25289510217088876144205509505128

42941826148615804143873447737955

50239267234596860714306679811299

40894712314200270603852166995638

48719957657284814898909770759462

61343766945636488273037083893479

10808359326479767786019153434744

00961034231316672578686920482194

93287863336020338479709268434224

76210557602350161326147806527610

13945487119911582560140965510769

07131070417070599280317977580014

54375765357722984094124368522288

23983303911468164807668823692122

07373226721607407477717009111345

50432053804647694904686120113087

81624074018480047704715733666292

62494235712488239685422217536601

43391485680840520336859458494803

79885141663410976897627118935756

32374730795191650763975830047269

81655271797088101601789319141530

03482262544051353358162468249467

68187662128347821288428654584401

39551426222087723485023722868022

27500950222482786620174449402169

77164820083536398202298024892620

48089869933550806433231352972533

22088194568951085155178100221003

45937058829107307118655300596214

11062467923351196304051895241701

70402485862954819831383774196396

29858439594897060895617022421062

85255603278638246716655439297654

40292184474789307951866999282788

07921929927011428546551433875806

37711044353429355406671265303499

62770993207157743542287621283671

84370370914135017194504580505029

11346886119981935056486823337887

51980432679477764885109979612316

75697661102170730178212875780161

06280855283803109571158829574281

41920853258904166001701785985821

63414003714687551412794400562878

93526663075439267701459858210336

59831191739244732511225464712252

38680331590270772766871534347608

63504720252982827271461690125050

61685823838436633108977746354101

90545764962192996590429095877462

53156113056083907389766971404812

52442226251255605447462085599609

15707867135849550236741915584185

99062780106646580951009578471398

98194138208715964648914493053407

92073707889052048273062303883776

77101736648382398574828787891286

47120146047432661269784969366551

10898843579635350691237459149897

21926201904875576195823347717353

13353181327272067343385951994831

90012179423759678474868994823595

99369642528734712461590403327731

82141032801252925387191478859899

31033105677441361963648030647213

77826656898686468463277710150809

40118260877020161532499046833293

12949209127762411378780302243557

46606283971659376426832674269780

14201174159756348119636828602231

80897432761383952437387628725734

41927459393512718973631166078467

60036084894662356762579528277471

92122419290710461342083806363940

84512691828894000571524625445295

76934935675272895683154177544176

31393844571917550968471078465956

62547942312293338483924514339614

91771529896554605945588149018382

75021729685839352072417274332572

88908647278284231516999958018757

57891031463338652579140051973659

30481314406858570673698294079477

44496306656291505503608252399443

79002723867491459962308678322286

61977543992816745254823298629859

87535754662860517388378547361676

85769017780335804511440773337196

25384235329193944778736647528245

10289461266249948596765520743605

30315217970499989304888248413244

84749230227584701679988710036046

70704877377286176171227694098633

15390895687841291101095126905033

45393869871295783467257264868341

72001966298605611936667524296823

67397084815179752036423595736533

68957392061769855284593965042530

91096713918026269165823180506035

55673628769498182593088388796888

44306184642975841824731350308098

59326863990650118941756995270074

86099731814269502352396232391105

57450826919295792878938752101867

70471816232510275169531004318559

64837602657827828194249605561893

69658653255131371944831362477736

53468410118796740709840825496997

93755607223451067047210860259793

12469963669934775136071472657940

64436203408861395055989217248455

72998707376989996514806623647239

92859320868822848751165438350943

32766472226259406155605804500409

47211826027729977563540237169063

04480797157716494477784470005974

19032457722226253269698374446528

35352729304393746106576383349151

67878761373365912343802950200656

82527118129468050147943114675429

C0000000000000000000000000000000

000000000000000000000000000003c4

2d06B4265ebc749ff7d0f1f1f88232e8

1632e9088fd44b7787d5e407e955080c

C0000000000000000000000000000000

000000000000000000000000000003C7

5fffffffffffffffffffffffffffffff

606117a2f4bde428b7458a54b6e87b85

a20e034bf8813ef5c18d01105e726a17

eb248b264ae9706f440bedc8ccb6b22c

5FBFF498AA938CE739B8E022FBAFEF40

563F6E6A3472FC2A514C0CE9DAE23B7E

80000000000000000000000000000000

00000000000000000000000000000431

80000000000000000000000000000001

50FE8A1892976154C59CFC193ACCF5B3

08E2A8A0E65147D4BD6316030E16D19C

85C97F0A9CA267122B96ABBCEA7E8FC8

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

80000000000000000000000000000000

00000000000000000000000000000C96

3E1AF419A269A5F866A7D3C25C3DF80A

E979259373FF2B182F49D4CE7E1BBC8B

80000000000000000000000000000000

00000000000000000000000000000C99

80000000000000000000000000000001

5F700CFFF1A624E5E497161BCC8A198F

3FA8124359F96680B83D1C3EB2C070E5

C545C9858D03ECFB744BF8D717717EFC

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

66666666666666666666666666666666

00001111222233334444555566667777

20142015201620172018201920202021

20222023202420252026202720282029

20302031203220332034203520362037

20132012201120102009200820072006

20052004200320022001200019991998

19971996199519941993199219911990

19891988198719861985198419831982

19811980197919781977197619751974

19731972197119701969196819671966

19651964196319621961196019591958

19571956195519541953195219511950

B042C994850B07B12C3FBC05246EFF24

08C173B7434C9F867F115EF0F1928058

Certificates

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:08:01 11:26:15+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.33
CodeSize:	163328
InitializedDataSize:	187904
UninitializedDataSize:	-
EntryPoint:	0x15de0
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

568

"C:\Windows\regedit.exe"

C:\Windows\regedit.exe

—

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Editor

Exit code:

3221226540

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll

872

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

—

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

992

C:\Windows\SysWOW64\explorer.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

2596

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1732

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

—

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1760

"C:\Windows\system32\notepad.exe"

C:\Windows\System32\notepad.exe

—

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2596

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61

C:\Windows\SysWOW64\rundll32.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\user32.dll

DanaBot

(PID) Process(2596) rundll32.exe

C2 (0)

Attributes

(217)0123456789ABCDEF0123456789abcdef

77777777777777777777777777777777

424a0d380332858ee55bdebc4af3789f

74e70a2b3ba1cf29d84b9b4bcf3e2e37

10099790675505530477208181553592

52248698410825720534578748235158

75577147990529272777244152852699

29879648335669968284202797289605

27471731754805904856071347468521

41928680912561502802222185647539

19090265611636784727014501906679

42909301854462163997308722217328

89830323194097355403213400972588

12702124828893241746590704277717

64435257876535089165358128175072

65705031260985098497423188333483

40118092599999512098893413065920

56149967242541210492743493570749

20312769561451689224110579311248

81261022967853463840169352001328

89950003622606842227508135323070

04517341633685004541062586971416

68363196144955700784444165611827

25289510217088876144205509505128

42941826148615804143873447737955

50239267234596860714306679811299

40894712314200270603852166995638

48719957657284814898909770759462

61343766945636488273037083893479

10808359326479767786019153434744

00961034231316672578686920482194

93287863336020338479709268434224

76210557602350161326147806527610

13945487119911582560140965510769

07131070417070599280317977580014

54375765357722984094124368522288

23983303911468164807668823692122

07373226721607407477717009111345

50432053804647694904686120113087

81624074018480047704715733666292

62494235712488239685422217536601

43391485680840520336859458494803

79885141663410976897627118935756

32374730795191650763975830047269

81655271797088101601789319141530

03482262544051353358162468249467

68187662128347821288428654584401

39551426222087723485023722868022

27500950222482786620174449402169

77164820083536398202298024892620

48089869933550806433231352972533

22088194568951085155178100221003

45937058829107307118655300596214

11062467923351196304051895241701

70402485862954819831383774196396

29858439594897060895617022421062

85255603278638246716655439297654

40292184474789307951866999282788

07921929927011428546551433875806

37711044353429355406671265303499

62770993207157743542287621283671

84370370914135017194504580505029

11346886119981935056486823337887

51980432679477764885109979612316

75697661102170730178212875780161

06280855283803109571158829574281

41920853258904166001701785985821

63414003714687551412794400562878

93526663075439267701459858210336

59831191739244732511225464712252

38680331590270772766871534347608

63504720252982827271461690125050

61685823838436633108977746354101

90545764962192996590429095877462

53156113056083907389766971404812

52442226251255605447462085599609

15707867135849550236741915584185

99062780106646580951009578471398

98194138208715964648914493053407

92073707889052048273062303883776

77101736648382398574828787891286

47120146047432661269784969366551

10898843579635350691237459149897

21926201904875576195823347717353

13353181327272067343385951994831

90012179423759678474868994823595

99369642528734712461590403327731

82141032801252925387191478859899

31033105677441361963648030647213

77826656898686468463277710150809

40118260877020161532499046833293

12949209127762411378780302243557

46606283971659376426832674269780

14201174159756348119636828602231

80897432761383952437387628725734

41927459393512718973631166078467

60036084894662356762579528277471

92122419290710461342083806363940

84512691828894000571524625445295

76934935675272895683154177544176

31393844571917550968471078465956

62547942312293338483924514339614

91771529896554605945588149018382

75021729685839352072417274332572

88908647278284231516999958018757

57891031463338652579140051973659

30481314406858570673698294079477

44496306656291505503608252399443

79002723867491459962308678322286

61977543992816745254823298629859

87535754662860517388378547361676

85769017780335804511440773337196

25384235329193944778736647528245

10289461266249948596765520743605

30315217970499989304888248413244

84749230227584701679988710036046

70704877377286176171227694098633

15390895687841291101095126905033

45393869871295783467257264868341

72001966298605611936667524296823

67397084815179752036423595736533

68957392061769855284593965042530

91096713918026269165823180506035

55673628769498182593088388796888

44306184642975841824731350308098

59326863990650118941756995270074

86099731814269502352396232391105

57450826919295792878938752101867

70471816232510275169531004318559

64837602657827828194249605561893

69658653255131371944831362477736

53468410118796740709840825496997

93755607223451067047210860259793

12469963669934775136071472657940

64436203408861395055989217248455

72998707376989996514806623647239

92859320868822848751165438350943

32766472226259406155605804500409

47211826027729977563540237169063

04480797157716494477784470005974

19032457722226253269698374446528

35352729304393746106576383349151

67878761373365912343802950200656

82527118129468050147943114675429

C0000000000000000000000000000000

000000000000000000000000000003c4

2d06B4265ebc749ff7d0f1f1f88232e8

1632e9088fd44b7787d5e407e955080c

C0000000000000000000000000000000

000000000000000000000000000003C7

5fffffffffffffffffffffffffffffff

606117a2f4bde428b7458a54b6e87b85

a20e034bf8813ef5c18d01105e726a17

eb248b264ae9706f440bedc8ccb6b22c

5FBFF498AA938CE739B8E022FBAFEF40

563F6E6A3472FC2A514C0CE9DAE23B7E

80000000000000000000000000000000

00000000000000000000000000000431

80000000000000000000000000000001

50FE8A1892976154C59CFC193ACCF5B3

08E2A8A0E65147D4BD6316030E16D19C

85C97F0A9CA267122B96ABBCEA7E8FC8

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

80000000000000000000000000000000

00000000000000000000000000000C96

3E1AF419A269A5F866A7D3C25C3DF80A

E979259373FF2B182F49D4CE7E1BBC8B

80000000000000000000000000000000

00000000000000000000000000000C99

80000000000000000000000000000001

5F700CFFF1A624E5E497161BCC8A198F

3FA8124359F96680B83D1C3EB2C070E5

C545C9858D03ECFB744BF8D717717EFC

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

66666666666666666666666666666666

00001111222233334444555566667777

20142015201620172018201920202021

20222023202420252026202720282029

20302031203220332034203520362037

20132012201120102009200820072006

20052004200320022001200019991998

19971996199519941993199219911990

19891988198719861985198419831982

19811980197919781977197619751974

19731972197119701969196819671966

19651964196319621961196019591958

19571956195519541953195219511950

Certificates

(PID) Process(2596) rundll32.exe

C2 (3)178.20.47.4:443

88.218.61.195:443

195.2.75.109:443

Attributes

(219)0123456789ABCDEF0123456789abcdef

77777777777777777777777777777777

424a0d380332858ee55bdebc4af3789f

74e70a2b3ba1cf29d84b9b4bcf3e2e37

10099790675505530477208181553592

52248698410825720534578748235158

75577147990529272777244152852699

29879648335669968284202797289605

27471731754805904856071347468521

41928680912561502802222185647539

19090265611636784727014501906679

42909301854462163997308722217328

89830323194097355403213400972588

12702124828893241746590704277717

64435257876535089165358128175072

65705031260985098497423188333483

40118092599999512098893413065920

56149967242541210492743493570749

20312769561451689224110579311248

81261022967853463840169352001328

89950003622606842227508135323070

04517341633685004541062586971416

68363196144955700784444165611827

25289510217088876144205509505128

42941826148615804143873447737955

50239267234596860714306679811299

40894712314200270603852166995638

48719957657284814898909770759462

61343766945636488273037083893479

10808359326479767786019153434744

00961034231316672578686920482194

93287863336020338479709268434224

76210557602350161326147806527610

13945487119911582560140965510769

07131070417070599280317977580014

54375765357722984094124368522288

23983303911468164807668823692122

07373226721607407477717009111345

50432053804647694904686120113087

81624074018480047704715733666292

62494235712488239685422217536601

43391485680840520336859458494803

79885141663410976897627118935756

32374730795191650763975830047269

81655271797088101601789319141530

03482262544051353358162468249467

68187662128347821288428654584401

39551426222087723485023722868022

27500950222482786620174449402169

77164820083536398202298024892620

48089869933550806433231352972533

22088194568951085155178100221003

45937058829107307118655300596214

11062467923351196304051895241701

70402485862954819831383774196396

29858439594897060895617022421062

85255603278638246716655439297654

40292184474789307951866999282788

07921929927011428546551433875806

37711044353429355406671265303499

62770993207157743542287621283671

84370370914135017194504580505029

11346886119981935056486823337887

51980432679477764885109979612316

75697661102170730178212875780161

06280855283803109571158829574281

41920853258904166001701785985821

63414003714687551412794400562878

93526663075439267701459858210336

59831191739244732511225464712252

38680331590270772766871534347608

63504720252982827271461690125050

61685823838436633108977746354101

90545764962192996590429095877462

53156113056083907389766971404812

52442226251255605447462085599609

15707867135849550236741915584185

99062780106646580951009578471398

98194138208715964648914493053407

92073707889052048273062303883776

77101736648382398574828787891286

47120146047432661269784969366551

10898843579635350691237459149897

21926201904875576195823347717353

13353181327272067343385951994831

90012179423759678474868994823595

99369642528734712461590403327731

82141032801252925387191478859899

31033105677441361963648030647213

77826656898686468463277710150809

40118260877020161532499046833293

12949209127762411378780302243557

46606283971659376426832674269780

14201174159756348119636828602231

80897432761383952437387628725734

41927459393512718973631166078467

60036084894662356762579528277471

92122419290710461342083806363940

84512691828894000571524625445295

76934935675272895683154177544176

31393844571917550968471078465956

62547942312293338483924514339614

91771529896554605945588149018382

75021729685839352072417274332572

88908647278284231516999958018757

57891031463338652579140051973659

30481314406858570673698294079477

44496306656291505503608252399443

79002723867491459962308678322286

61977543992816745254823298629859

87535754662860517388378547361676

85769017780335804511440773337196

25384235329193944778736647528245

10289461266249948596765520743605

30315217970499989304888248413244

84749230227584701679988710036046

70704877377286176171227694098633

15390895687841291101095126905033

45393869871295783467257264868341

72001966298605611936667524296823

67397084815179752036423595736533

68957392061769855284593965042530

91096713918026269165823180506035

55673628769498182593088388796888

44306184642975841824731350308098

59326863990650118941756995270074

86099731814269502352396232391105

57450826919295792878938752101867

70471816232510275169531004318559

64837602657827828194249605561893

69658653255131371944831362477736

53468410118796740709840825496997

93755607223451067047210860259793

12469963669934775136071472657940

64436203408861395055989217248455

72998707376989996514806623647239

92859320868822848751165438350943

32766472226259406155605804500409

47211826027729977563540237169063

04480797157716494477784470005974

19032457722226253269698374446528

35352729304393746106576383349151

67878761373365912343802950200656

82527118129468050147943114675429

C0000000000000000000000000000000

000000000000000000000000000003c4

2d06B4265ebc749ff7d0f1f1f88232e8

1632e9088fd44b7787d5e407e955080c

C0000000000000000000000000000000

000000000000000000000000000003C7

5fffffffffffffffffffffffffffffff

606117a2f4bde428b7458a54b6e87b85

a20e034bf8813ef5c18d01105e726a17

eb248b264ae9706f440bedc8ccb6b22c

5FBFF498AA938CE739B8E022FBAFEF40

563F6E6A3472FC2A514C0CE9DAE23B7E

80000000000000000000000000000000

00000000000000000000000000000431

80000000000000000000000000000001

50FE8A1892976154C59CFC193ACCF5B3

08E2A8A0E65147D4BD6316030E16D19C

85C97F0A9CA267122B96ABBCEA7E8FC8

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

80000000000000000000000000000000

00000000000000000000000000000C96

3E1AF419A269A5F866A7D3C25C3DF80A

E979259373FF2B182F49D4CE7E1BBC8B

80000000000000000000000000000000

00000000000000000000000000000C99

80000000000000000000000000000001

5F700CFFF1A624E5E497161BCC8A198F

3FA8124359F96680B83D1C3EB2C070E5

C545C9858D03ECFB744BF8D717717EFC

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6C611070995AD10045841B09B761B893

8D91E471E0989CDA27DF505A453F2B76

35294F2DDF23E3B122ACC99C9E9F1E14

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D7598

9B9F605F5A858107AB1EC85E6B41C8AA

CF846E86789051D37998F7B9022D759B

9B9F605F5A858107AB1EC85E6B41C8AA

582CA3511EDDFB74F02F3A6598980BB9

41ECE55743711A8C3CBF3783CD08C0EE

4D4DC440D4641A8F366E550DFDB3BB67

66666666666666666666666666666666

00001111222233334444555566667777

20142015201620172018201920202021

20222023202420252026202720282029

20302031203220332034203520362037

20132012201120102009200820072006

20052004200320022001200019991998

19971996199519941993199219911990

19891988198719861985198419831982

19811980197919781977197619751974

19731972197119701969196819671966

19651964196319621961196019591958

19571956195519541953195219511950

B042C994850B07B12C3FBC05246EFF24

08C173B7434C9F867F115EF0F1928058

Certificates

2612

"C:\Users\admin\AppData\Local\Temp\Wondershare Filmora 12 License.exe"

C:\Users\admin\AppData\Local\Temp\Wondershare Filmora 12 License.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\wondershare filmora 12 license.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2804

"C:\Users\admin\AppData\Local\Temp\RarSFX0\VBoxExtPackHelperApp.exe"

C:\Users\admin\AppData\Local\Temp\RarSFX0\VBoxExtPackHelperApp.exe

—

Wondershare Filmora 12 License.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\rarsfx0\vboxextpackhelperapp.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rarsfx0\msvcr100.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\users\admin\appdata\local\temp\rarsfx0\msvcp100.dll
c:\windows\system32\ws2_32.dll

3052

C:\Windows\SysWOW64\cmd.exe

VBoxExtPackHelperApp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\cmd.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

27 568

Read events

27 551

Write events

Delete events

Modification events


(PID) Process:	(2612) Wondershare Filmora 12 License.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2612) Wondershare Filmora 12 License.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2612) Wondershare Filmora 12 License.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2612) Wondershare Filmora 12 License.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2596) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2596) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000C1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2596) rundll32.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2596) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2596) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2612	Wondershare Filmora 12 License.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\ondatra.mpeg		—
		MD5:—	SHA256:—
2804	VBoxExtPackHelperApp.exe	C:\Users\admin\AppData\Local\Temp\5986d320		—
		MD5:—	SHA256:—
3052	cmd.exe	C:\Users\admin\AppData\Local\Temp\wcirr		—
		MD5:—	SHA256:—
2612	Wondershare Filmora 12 License.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcp100.dll		executable
		MD5:4F096D96285E06CD51AEF7D2D3DE04DA	SHA256:5BB420FBE28315F2117376052BB8488CE84A3398DDA65005B8AE1F792017E9A8
2612	Wondershare Filmora 12 License.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcr100.dll		executable
		MD5:DF3CA8D16BDED6A54977B30E66864D33	SHA256:1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
2612	Wondershare Filmora 12 License.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\VBoxExtPackHelperApp.exe		executable
		MD5:D31086FCA1A6D45927D90963FFD1989B	SHA256:EAD20929594F6BFB4004C08C45C5567131D88ABDE650A2D2A87FBD3D441DDB98
2596	rundll32.exe	C:\Users\admin\AppData\Local\Temp\Sreorear		binary
		MD5:0F653EDF207BB943166A7EED331F14AD	SHA256:E4D518E335DF25562B0570F4F3FC6F39BF63F7D84805AECD485C5798671EA3D8
2596	rundll32.exe	C:\Users\admin\AppData\Local\Temp\Oweyipryrase		binary
		MD5:AE4F400E858ADD6ECF3D2CBBF0E55F9B	SHA256:73C170558B62DD23D381F4AA9BD7B4D7C9613671C5D08D286CFBEB02E6BE300A
2596	rundll32.exe	C:\Users\admin\AppData\Local\Temp\Yftusqiot		binary
		MD5:CEEDD8AE976601F9C9365EBEC5CFD997	SHA256:0B1A7E634F5B8A88211685983E83E7739359ACE5F26CA99746F46BB81507A42E
2596	rundll32.exe	C:\Users\admin\AppData\Local\Temp\Oweyipryrase-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2596	rundll32.exe	195.2.75.109:443	—	Hosting technology LTD	RU	malicious

DNS requests

No data

Threats

PID	Process	Class	Message
2596	rundll32.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Danabot

Add for printing

No debug info

General Info

Wondershare Filmora 12 License.exe

5120A1FF676E7185F4CD3C40F6159082

DB5DEFC22EA4526ABAFCD8EBC916DDF90C42CAF2

0541EF965DB2B921D8F8AF92F0FB84EE1561D7BB08C94CFB1847DA06434F91F7

98304:GyMto40WNltDPp9zkw9bK4n5hOLVLvvtuyoLoCOSbeSsOfES2+Fu2NgffyAsgaeO:e7G7ye916

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

HIJACKLOADER has been detected (YARA)

Unusual connection from system programs

DANABOT has been detected (SURICATA)

DANABOT has been detected (YARA)

Steals credentials from Web Browsers

Steals credentials

Uses Task Scheduler to run other applications

Actions looks like stealing of personal data

SUSPICIOUS

Process drops legitimate windows executable

The process drops C-runtime libraries

Reads the Internet Settings

Starts CMD.EXE for commands execution

Reads settings of System Certificates

Searches for installed software

Reads browser cookies

Accesses Microsoft Outlook profiles

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Creates files in the program directory

Malware configuration

DanaBot

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

DanaBot

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings