Resubmissions
Submitted          Task ID            Score
19-02-2022 18:44   220219-xdz2fachfn  10
31-01-2022 07:14   220131-h2552agegp  10
29-01-2022 08:45   220129-knq53agfcl  10

Analysis
- Max time kernel: 1205s
- Max time network: 1034s
- Platform: windows10_x64
- Resource: win10-en-20211208
- Submitted: 31-01-2022 07:14

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample a07a26961fcd37fbbbe292225e069243.exe, resource win7-en-20211208

The behavioural results on this page come from the windows10_x64 run (the memory dumps under Signatures are tagged behavioral2); the behavioral1 row is the separate win7-en-20211208 task, whose results are not shown here.
General
- Target: a07a26961fcd37fbbbe292225e069243.exe (the file is named after its own MD5)
- Size: 1.2MB
- MD5: a07a26961fcd37fbbbe292225e069243
- SHA1: d4f3c4d7045865e52284544c1957cf3786902404
- SHA256: 8b73e5a9e4093166d04fcee33db13db39dacbb6a2bb8282282e1ab9558fddc86
- SHA512: 81fe9aa924055f4a039cd662d4244bbf9a48b6698fbb6bffd891cd59d55a613e67011bcc3ad2420f9d7bf4d2447abdccbf4caff086ab2ae7331e6aa3191fd769
Malware Config

Extracted: danabot (type: loader)
- 4 (the field label was lost in extraction; read here as the affiliate ID, which is an assumption)
- C2: 5.253.84.124:443
- C2: 103.175.16.114:443
- C2: 193.34.166.107:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F

Extracted: danabot (type: main)
- 2108, 4 (labels lost in extraction; read here as bot version and affiliate ID, which is an assumption)
- C2: 5.253.84.124:443
- C2: 103.175.16.114:443
- C2: 193.34.166.107:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F

Both the loader and the main component carry the same three C2 endpoints and the same embedded hash, so one block list covers the whole chain. All three C2s sit on 443; the two Suricata alerts under Signatures show the Danabot key exchange is recognisable on the wire, so hunt by destination IP:port and by that rule rather than expecting ordinary TLS metadata.
Signatures

Danabot Loader Component (9 IoCs)
YARA rule DanabotLoader2021 matched:
- C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll (the dropped DLL; listed seven times in the original table)
- behavioral2/memory/920-134-0x0000000003F20000-0x0000000004070000-memory.dmp
- behavioral2/memory/3028-385-0x00000000043D0000-0x0000000004520000-memory.dmp

Suricata: ET MALWARE Danabot Key Exchange Request (2 alerts)

Blocklisted process makes network request (5 IoCs)
flow  pid   process
52    4000  rundll32.exe
54    4000  rundll32.exe
57    920   RUNDLL32.EXE
59    920   RUNDLL32.EXE
113   920   RUNDLL32.EXE

Sets DLL path for service in the registry (2 TTPs)

Sets service image path in registry (2 TTPs)

Loads dropped DLL (6 IoCs)
pid   process
4000  rundll32.exe
3684  svchost.exe
920   RUNDLL32.EXE (2 entries)
3028  RUNDLL32.EXE (2 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
RUNDLL32.EXE opened (read-only) every drive letter except C: and D:, i.e. \??\A:, \??\B: and \??\E: through \??\Z: (24 entries in the original table).

Drops file in System32 directory (3 IoCs)
- RUNDLL32.EXE (PID 920): File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- rundll32.exe (PID 340): File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\pkcs11.txt
- rundll32.exe (PID 340): File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\cert9.db
These paths are under the service profile (config\systemprofile), not the Admin user's profile, so the writers are running in a service context. cert9.db and pkcs11.txt are Firefox's NSS certificate database and PKCS#11 module list; touching them belongs with the root certificate written to the machine store below, since Firefox does not trust the Windows store by default.
Suspicious use of SetThreadContext (1 IoCs)
- PID 3028 (RUNDLL32.EXE) set the thread context of PID 340 (rundll32.exe), the shell32.dll,#61 host it had just started, i.e. that process was hijacked in memory rather than running its own code.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the generic signature text. No file encryption is recorded anywhere in this report; for this sample the observed behaviour is the A: to Z: drive enumeration above, as expected from a stealer.

Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
All four processes (rundll32.exe, svchost.exe and the two RUNDLL32.EXE instances) open and enumerate \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor and its \0 and \1 subkeys, and query these values under them:
- Identifier, VendorIdentifier, ProcessorNameString, ~MHz, FeatureSet
- Update Revision, Previous Update Revision, Update Status
- Platform Specific Field 1, Configuration Data, Component Information
Operations recorded: Key opened, Key enumerated, Key value enumerated, Key value queried (64 rows in the original table, collapsed here by process). This signature is generic: a service host reading CentralProcessor values is also ordinary Windows behaviour, so the rundll32 hits carry the weight, not the svchost ones.
Modifies system certificate store (2 IoCs)
RUNDLL32.EXE (PID 920):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\732D13F73167C49E92D39092E9E7B3F884F76C54
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\732D13F73167C49E92D39092E9E7B3F884F76C54\Blob = (certificate blob; contents not reproduced here)
A certificate written under HKLM\...\SystemCertificates\ROOT is a trusted root for every user on the machine, which lets the operator intercept TLS on the victim's behalf. Treat the SHA1 thumbprint 732D13F73167C49E92D39092E9E7B3F884F76C54 as a host IoC: check the machine Root store for it and remove it wherever it appears.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- svchost.exe (PID 3684): 53 entries
- RUNDLL32.EXE (PID 920): 6 entries
- powershell.exe (PID 1348): 3 entries
- RUNDLL32.EXE (PID 3028): 2 entries

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 920 RUNDLL32.EXE: Token SeDebugPrivilege
- PID 1348 powershell.exe: Token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 340 rundll32.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Parent -> child, with the number of writes recorded for each pair:
- 2704 a07a26961fcd37fbbbe292225e069243.exe -> 4000 rundll32.exe (3)
- 3684 svchost.exe -> 920 RUNDLL32.EXE (3)
- 4000 rundll32.exe -> 1348 powershell.exe (3)
- 920 RUNDLL32.EXE -> 3028 RUNDLL32.EXE (3)
- 3028 RUNDLL32.EXE -> 340 rundll32.exe (3)
- 340 rundll32.exe -> 3040 ctfmon.exe (2)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe (PID 2704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe (PID 4000)
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,z C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1348)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\svchost.exe (PID 3684)
    Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\RUNDLL32.EXE (PID 920)
        Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,Rw06Szg=
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Enumerates connected drives
        - Drops file in System32 directory
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\RUNDLL32.EXE (PID 3028)
            Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,ol9CMWZab2w=
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\rundll32.exe (PID 340)
                Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
                - Drops file in System32 directory
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\ctfmon.exe (PID 3040)
                    Command line: ctfmon.exe

PIDs are taken from the WriteProcessMemory table above. Reading the two trees together: the sample writes a DLL named after itself next to itself in Temp and runs it through 32-bit rundll32 with export z and its own path as the argument; that loader process then spawns PowerShell to add a Defender exclusion for the dropped DLL, so the file is excluded from scanning before anything else happens. The second tree has no visible parent link to the first: the main component is hosted from svchost.exe -k LocalService, which fits the "Sets service image path" and "Sets DLL path for service" signatures, and runs the same DLL through RUNDLL32 with opaque, base64-looking export names (Rw06Szg=, ol9CMWZab2w=). PID 3028 then starts a 64-bit rundll32 hosting shell32.dll,#61, rewrites its thread context, and that hijacked process (PID 340) is the one that writes into the Firefox profile under the service account and spawns ctfmon.exe. On a live host the first checks are therefore the Defender exclusion list for a path under a user Temp directory, the registered services for an ImagePath or ServiceDll that points at the dropped DLL, and the machine Root certificate store for the thumbprint listed under "Modifies system certificate store".
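The process tree above and the C2 list under Malware Config translate directly into hunting rules. What follows is an added example, not part of the Triage report and not Danabot tooling: a small Python detector that consumes events in a Sysmon-like shape (process create, network connect, registry value set) and flags the behaviours this report records, run over a handful of constructed events modelled on the tree above. Field names follow Sysmon's; the Event class, the rule names, the regular expressions and the sample events (including a benign DNS connection used as a control) are this example's own assumptions.

```python
"""Hunting rules distilled from the Danabot report above (added example, not
part of the report). Events are constructed inline in a Sysmon-like shape so
the script runs offline: 1 = process create, 3 = network connect,
13 = registry value set. Field names follow Sysmon; the Event class, the
rule names and the sample events are this example's own."""
import re
from dataclasses import dataclass

# C2 endpoints exactly as listed in the extracted config.
DANABOT_C2 = {("5.253.84.124", 443), ("103.175.16.114", 443), ("193.34.166.107", 443)}

# "rundll32[.exe] <dll>,<export>": the export is the token right after the comma.
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)', re.I)
# Base64-looking export names such as Rw06Szg= or ol9CMWZab2w=; 'z' and '#61' do not match.
B64_EXPORT = re.compile(r"^[A-Za-z0-9+/]{6,}={0,2}$")
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)
# A new machine-wide trusted root: HKLM\...\SystemCertificates\ROOT\Certificates\<SHA1>\Blob
ROOT_CERT_BLOB = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)


@dataclass
class Event:
    event_id: int
    pid: int
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    parent_command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    target_object: str = ""


def rundll32_parts(command_line):
    """Return (dll, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_ARGS.search(command_line)
    return (m.group("dll"), m.group("export")) if m else None


def detect(events):
    """Return a list of (rule_name, pid) pairs, one per rule each event trips."""
    hits = []
    for e in events:
        if e.event_id == 1:
            parts = rundll32_parts(e.command_line)
            if parts:
                dll, export = parts
                if USER_TEMP.search(dll):
                    hits.append(("rundll32_dll_from_user_temp", e.pid))
                if B64_EXPORT.match(export):
                    hits.append(("rundll32_base64_export", e.pid))
                if (e.parent_image.lower().endswith("\\svchost.exe")
                        and "-k localservice" in e.parent_command_line.lower()):
                    hits.append(("svchost_localservice_spawns_rundll32", e.pid))
            if e.image.lower().endswith("\\powershell.exe") and DEFENDER_EXCLUSION.search(e.command_line):
                hits.append(("defender_exclusion_added", e.pid))
        elif e.event_id == 3 and (e.dest_ip, e.dest_port) in DANABOT_C2:
            hits.append(("danabot_c2_connect", e.pid))
        elif e.event_id == 13 and ROOT_CERT_BLOB.search(e.target_object):
            hits.append(("root_certificate_added", e.pid))
    return hits


def hits_by_pid(events):
    """Group rule names per PID so a chain like PID 920 reads as one story."""
    out = {}
    for rule, pid in detect(events):
        out.setdefault(pid, []).append(rule)
    return out


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DLL = TEMP + r"\a07a26961fcd37fbbbe292225e069243.exe.dll"

# Constructed events modelled on the report's process tree (PIDs as reported).
# The 8.8.8.8:53 connection is a benign control and does not come from the report.
SAMPLE_EVENTS = [
    Event(1, 4000, r"C:\Windows\SysWOW64\rundll32.exe",
          r"C:\Windows\system32\rundll32.exe " + DLL + ",z " + TEMP + r"\a07a26961fcd37fbbbe292225e069243.exe",
          TEMP + r"\a07a26961fcd37fbbbe292225e069243.exe"),
    Event(1, 1348, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath ' + DLL,
          r"C:\Windows\SysWOW64\rundll32.exe"),
    Event(1, 920, r"C:\Windows\SysWOW64\RUNDLL32.EXE",
          r"C:\Windows\system32\RUNDLL32.EXE " + DLL + ",Rw06Szg=",
          r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe -k LocalService"),
    Event(1, 340, r"C:\Windows\system32\rundll32.exe",
          r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030",
          r"C:\Windows\SysWOW64\RUNDLL32.EXE"),
    Event(3, 920, dest_ip="5.253.84.124", dest_port=443),
    Event(3, 920, dest_ip="8.8.8.8", dest_port=53),
    Event(13, 920, target_object=r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
                                 r"\732D13F73167C49E92D39092E9E7B3F884F76C54\Blob"),
]

if __name__ == "__main__":
    for pid, rules in sorted(hits_by_pid(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The rundll32 rules deliberately key on the DLL location and the shape of the export name rather than on the file hash, because the hash changes per build while a DLL loaded from a user Temp directory with a base64-looking export is unusual on any host; PID 340 (shell32.dll,#61, a legitimate export name) trips none of them, which is the intended false-positive check. The C2 rule is the one piece that needs refreshing when a new config is extracted.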
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\utpgu.tmp (first content written to this path)
- MD5: 7afff00e154aa57a778d18a45ddcabd8
- SHA1: 9bb34b9d087332ae717390616075d3e3dfc9652f
- SHA256: 640f483fda1814a612992e6ec1158538fe16deac109b4bbdf7d8b134635cafc6
- SHA512: a27b906d94418611c917b855ebdcfe8ebf9776eee39378f4ef044f505674d99c0842c03d379c631787c672a8cd7fa326402cf81d6c93a472fd2a2d388a0c957d

C:\ProgramData\utpgu.tmp (same path, second content with different hashes)
- MD5: 7671343c7a0acea6c211a3e48aeafa68
- SHA1: 351d8a20f490a8ef5a87b4a8d719db2bc1d97e8e
- SHA256: bbdc7a3cfc70ea6924e8fc0798c9dd6c4dec70c825b5d7e0caea3521fc21fafb
- SHA512: 0b358170d75ac38ecf9dedd4008a7252fd53ca85cd5c2439927ab6badfbc92a07b73f223aa20dda30907aed06477c933c4b362ee022e029d2768d045e34e318a

C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
- MD5: 22078973d714eb967f70f0c981c460fc
- SHA1: e1b604762e14162116e2364de0e7a85c64f34925
- SHA256: 24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c
- SHA512: 589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859
The same DLL appears a further six times in the original listing as \Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll with identical hashes; those repeats are omitted here. The utpgu.tmp path was written twice with different contents, so both hash sets are valid file IoCs for that name.
Memory dumps (file size)
- memory/340-405-0x00000215C8250000-0x00000215C8412000-memory.dmp: 1.8MB
- memory/340-407-0x0000000000DF0000-0x0000000000FA1000-memory.dmp: 1.7MB
- memory/920-134-0x0000000003F20000-0x0000000004070000-memory.dmp: 1.3MB (matched DanabotLoader2021)
- memory/920-135-0x0000000004570000-0x0000000005571000-memory.dmp: 16.0MB
- memory/1348-151-0x0000000007730000-0x000000000774C000-memory.dmp: 112KB
- memory/1348-143-0x00000000045A0000-0x00000000045D6000-memory.dmp: 216KB
- memory/1348-146-0x0000000004682000-0x0000000004683000-memory.dmp: 4KB
- memory/1348-147-0x0000000006F80000-0x0000000006FA2000-memory.dmp: 136KB
- memory/1348-148-0x0000000007930000-0x0000000007996000-memory.dmp: 408KB
- memory/1348-149-0x00000000078C0000-0x0000000007926000-memory.dmp: 408KB
- memory/1348-150-0x00000000079A0000-0x0000000007CF0000-memory.dmp: 3.3MB
- memory/1348-145-0x0000000007030000-0x0000000007658000-memory.dmp: 6.2MB
- memory/1348-152-0x0000000007EB0000-0x0000000007EFB000-memory.dmp: 300KB
- memory/1348-153-0x00000000080E0000-0x0000000008156000-memory.dmp: 472KB
- memory/1348-162-0x0000000009170000-0x00000000091A3000-memory.dmp: 204KB
- memory/1348-163-0x000000007F1C0000-0x000000007F1C1000-memory.dmp: 4KB
- memory/1348-164-0x0000000007E50000-0x0000000007E6E000-memory.dmp: 120KB
- memory/1348-169-0x00000000092A0000-0x0000000009345000-memory.dmp: 660KB
- memory/1348-170-0x0000000009480000-0x0000000009514000-memory.dmp: 592KB
- memory/1348-171-0x0000000004683000-0x0000000004684000-memory.dmp: 4KB
- memory/1348-364-0x0000000009410000-0x000000000942A000-memory.dmp: 104KB
- memory/1348-369-0x0000000009400000-0x0000000009408000-memory.dmp: 32KB
- memory/1348-144-0x0000000004680000-0x0000000004681000-memory.dmp: 4KB
- memory/2704-116-0x0000000002360000-0x000000000245B000-memory.dmp: 1004KB
- memory/2704-117-0x0000000000400000-0x0000000000556000-memory.dmp: 1.3MB
- memory/3028-385-0x00000000043D0000-0x0000000004520000-memory.dmp: 1.3MB (matched DanabotLoader2021)
- memory/3028-387-0x0000000004A20000-0x0000000005A21000-memory.dmp: 16.0MB
- memory/3028-406-0x0000000005A30000-0x0000000005CE0000-memory.dmp: 2.7MB
- memory/3028-408-0x0000000004A20000-0x0000000005A21000-memory.dmp: 16.0MB
- memory/3684-129-0x0000000003F70000-0x0000000004F71000-memory.dmp: 16.0MB
- memory/4000-120-0x0000000005430000-0x0000000006431000-memory.dmp: 16.0MB

The 1.3MB regions in PIDs 920 and 3028 are the ones the DanabotLoader2021 YARA rule matched, and every process that loaded the dropped DLL (4000, 3684, 920, 3028) also carries a 16.0MB region; those are the dumps to start from when unpacking the main component.