danabot | c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
Size

214KB
MD5

816287b83f2bcba44a103e227868ef1f
SHA1

4a57ff432e2f83bdbdb5c1d880728e02a47262bb
SHA256

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc
SHA512

0235eaf331a51d8dccb1352769eb72545c36ead5ce5b988a279c795dc840cdc25a750b5b15c185df95fd4523bca45ab843a8f0c89baf4d2bad6ad3e0d5d062ea
SSDEEP

3072:IX4oLOH3aR6hPmyakx2fb+Siha+onfhe+aNRAtOba+oN2ZEzjcbImdzmuX:IIoLOHrhPmmx2T+SMinpex0RNjjcbXF

Score

10^/10

danabot smokeloader backdoor banker persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3064-133-0x0000000002190000-0x0000000002199000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

36 4140 rundll32.exe
38 4140 rundll32.exe
54 4140 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

EC97.exe

pid process

3768 EC97.exe

flow	pid	process
36	4140	rundll32.exe
38	4140	rundll32.exe
54	4140	rundll32.exe

pid	process
3768	EC97.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\warning\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\warning.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\warning\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4140 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4140 set thread context of 1468 4140 rundll32.exe rundll32.exe

pid	process
4140	rundll32.exe

description	pid	process	target process
PID 4140 set thread context of 1468	4140	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\warning.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\end_review.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_hiContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pages_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5100 3768 WerFault.exe EC97.exe

pid	pid_target	process	target process
5100	3768	WerFault.exe	EC97.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093553a0b100054656d7000003a0009000400efbe6b558a6c9355400b2e0000000000000000000000000000000000000000000000000019270201540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1204

pid	process
1204

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe

pid	process
3064	c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
3064	c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe

pid process

3064 c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe

pid	process
1204

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1468 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1204
1204

pid	process
1468	rundll32.exe

pid	process
1204
1204

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EC97.exerundll32.exe

description	pid	process	target process
PID 1204 wrote to memory of 3768	1204		EC97.exe
PID 1204 wrote to memory of 3768	1204		EC97.exe
PID 1204 wrote to memory of 3768	1204		EC97.exe
PID 3768 wrote to memory of 4140	3768	EC97.exe	rundll32.exe
PID 3768 wrote to memory of 4140	3768	EC97.exe	rundll32.exe
PID 3768 wrote to memory of 4140	3768	EC97.exe	rundll32.exe
PID 4140 wrote to memory of 1468	4140	rundll32.exe	rundll32.exe
PID 4140 wrote to memory of 1468	4140	rundll32.exe	rundll32.exe
PID 4140 wrote to memory of 1468	4140	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
"C:\Users\Admin\AppData\Local\Temp\c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3064

C:\Users\Admin\AppData\Local\Temp\EC97.exe
C:\Users\Admin\AppData\Local\Temp\EC97.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 536
2⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3768 -ip 3768
1⤵
PID:5000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4420

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\warning.dll",NDAEUQ==
2⤵
PID:2524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\warning.dll
Filesize
726KB

MD5
c89d5e59681dc482c03b9652c30770cf

SHA1
a158c61003ddefec7201e8c6a822da6d6e1a06f0

SHA256
ce0a985986e9d56d69a8033ae6ad45d24f0c7711313d02489854f2f67d6d8525

SHA512
4f88e2503a514127f250f9d8a1a1f3b3532ace92b96f7174530e1b3382a5fb0146d035826cbb6aa00b9bd4f02345454ee686ae22153ec4316edc0c30d38d1bff

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\warning.dll
Filesize
726KB

MD5
c89d5e59681dc482c03b9652c30770cf

SHA1
a158c61003ddefec7201e8c6a822da6d6e1a06f0

SHA256
ce0a985986e9d56d69a8033ae6ad45d24f0c7711313d02489854f2f67d6d8525

SHA512
4f88e2503a514127f250f9d8a1a1f3b3532ace92b96f7174530e1b3382a5fb0146d035826cbb6aa00b9bd4f02345454ee686ae22153ec4316edc0c30d38d1bff

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
843B

MD5
72d7dc9f57f3487a99e2f05c06274c28

SHA1
ba789a0e8174327b30443f5b7131228f4ad40cf0

SHA256
dae20c31fd2cd68389b40f99cb7791c8d79d8d8aca2c417d90713ad6c926471f

SHA512
aa15897d32ee44cbb2a8d9dfbdbf32b7a6885150ca8fb5c715020310385e6f889612f80eb452ec73d444fdf03fef7eb920fe586662c2185c93a695e72d56362c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
7KB

MD5
e585657cf3525fd22dad5e2409eb9e60

SHA1
1c0b9d97bb93098e1d8a162b9725a0d6134dc913

SHA256
581fd3d9aa551599bd691b5b23cdc51c48f7f3a65955adf1e1d0fef0a8cfb8b8

SHA512
601c03a19bb0d1170db8c3a05ff4a38d209e2ec53426b2048362504b75e3971f40480afd118cd741a52e69ba5a55c61dd4cc488f335be3d67584982009392ced

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe.xml
Filesize
58KB

MD5
ca7452f3c00cc3083d549346e3726b1c

SHA1
64c6e09bffa49ef36ab0ac3a7a0d98ff944eb89a

SHA256
a8736abe4c9f3715f7f737db3437af332373204263e458978f653a1c860f088b

SHA512
1a307069368230702b9d397640e4ae16cad64958aea87437b9d0c443a43242d0e72bab932be1a5fa294138c792cdbd0752edb783afe51d253cb7502fa0bc719d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013BackupWin32.xml
Filesize
12KB

MD5
879dbf8cded6ac59df3fb0f32aa9eec6

SHA1
844be6baee27e23e5821491fc9532269b1143142

SHA256
3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687

SHA512
2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
93447f82356b12f678a0f974e2e2be69

SHA1
3ad3fa3bef149afe80dc5a3be89809194e7bac0d

SHA256
9fdf39205a20650ec5bf5b6eb29724538d16674544bd82a8b5663cb7ac4b79ef

SHA512
fea19d835915f8fb4e120c2d62354501723990cbf3edac1fcfa925477909e1ccb1e71db8ca402c78aaa8007a9419e08b9906ebe68744ac384d26b4d707457813

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
eb076d5514ddf5d1b5945e67f79838d9

SHA1
e46652fea53ff94cb21b9db1014e35ba62cdd3d8

SHA256
1f00c6bba9b02c850abe7866fe53807fc2f483d154a5c258b6dbaac0e78bdd0d

SHA512
61785301b83064d16087a1539c8988e2fdd4ca4334b36f30ae7f04a77f0ba888b79e0c1830c8a6c086a478a6cc533845e715db8cb9dc56a049cd0d495a3c6244

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edbres00002.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC97.exe
Filesize
1006KB

MD5
09ab2a3073c44472b97fc3ec002ea7c2

SHA1
29b4b86b5eeb1358ace14fc65d675fa6949bf71d

SHA256
6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3

SHA512
fec42d8c395c55bae94fb9147b47adc4794c938df01f43058595a4513b0a3885f20f01e6b3ab354de86b81c32c2a55388d7fb70fec6abada440ef969683e2f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC97.exe
Filesize
1006KB

MD5
09ab2a3073c44472b97fc3ec002ea7c2

SHA1
29b4b86b5eeb1358ace14fc65d675fa6949bf71d

SHA256
6517235ae083a10475336ec757aa38100a525b56e45f1cf305c6ed36523d74a3

SHA512
fec42d8c395c55bae94fb9147b47adc4794c938df01f43058595a4513b0a3885f20f01e6b3ab354de86b81c32c2a55388d7fb70fec6abada440ef969683e2f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\warning.dll
Filesize
726KB

MD5
c89d5e59681dc482c03b9652c30770cf

SHA1
a158c61003ddefec7201e8c6a822da6d6e1a06f0

SHA256
ce0a985986e9d56d69a8033ae6ad45d24f0c7711313d02489854f2f67d6d8525

SHA512
4f88e2503a514127f250f9d8a1a1f3b3532ace92b96f7174530e1b3382a5fb0146d035826cbb6aa00b9bd4f02345454ee686ae22153ec4316edc0c30d38d1bff

Download Submit
memory/1468-153-0x00007FF7D3526890-mapping.dmp

Download
memory/1468-154-0x0000011E2CD50000-0x0000011E2CE90000-memory.dmp

Filesize
1.2MB

Download
memory/1468-155-0x0000011E2CD50000-0x0000011E2CE90000-memory.dmp

Filesize
1.2MB

Download
memory/1468-157-0x00000000000B0000-0x00000000002C9000-memory.dmp

Filesize
2.1MB

Download
memory/1468-158-0x0000011E2B510000-0x0000011E2B73A000-memory.dmp

Filesize
2.2MB

Download
memory/2524-170-0x0000000000000000-mapping.dmp

Download
memory/2524-174-0x0000000004410000-0x0000000004B35000-memory.dmp

Filesize
7.1MB

Download
memory/2524-173-0x0000000004410000-0x0000000004B35000-memory.dmp

Filesize
7.1MB

Download
memory/3064-135-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3064-134-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3064-133-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/3064-132-0x0000000000488000-0x0000000000499000-memory.dmp

Filesize
68KB

Download
memory/3768-142-0x00000000022BC000-0x0000000002392000-memory.dmp

Filesize
856KB

Download
memory/3768-144-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/3768-136-0x0000000000000000-mapping.dmp

Download
memory/3768-143-0x00000000023A0000-0x00000000024B5000-memory.dmp

Filesize
1.1MB

Download
memory/4140-148-0x0000000005340000-0x0000000005480000-memory.dmp

Filesize
1.2MB

Download
memory/4140-151-0x0000000005340000-0x0000000005480000-memory.dmp

Filesize
1.2MB

Download
memory/4140-150-0x0000000005340000-0x0000000005480000-memory.dmp

Filesize
1.2MB

Download
memory/4140-149-0x0000000005340000-0x0000000005480000-memory.dmp

Filesize
1.2MB

Download
memory/4140-147-0x0000000005340000-0x0000000005480000-memory.dmp

Filesize
1.2MB

Download
memory/4140-159-0x0000000004A20000-0x0000000005145000-memory.dmp

Filesize
7.1MB

Download
memory/4140-146-0x0000000004A20000-0x0000000005145000-memory.dmp

Filesize
7.1MB

Download
memory/4140-152-0x0000000005340000-0x0000000005480000-memory.dmp

Filesize
1.2MB

Download
memory/4140-139-0x0000000000000000-mapping.dmp

Download
memory/4140-156-0x00000000053B9000-0x00000000053BB000-memory.dmp

Filesize
8KB

Download
memory/4420-163-0x0000000003170000-0x0000000003895000-memory.dmp

Filesize
7.1MB

Download
memory/4420-164-0x0000000003170000-0x0000000003895000-memory.dmp

Filesize
7.1MB

Download