danabot | 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97

Analysis

max time kernel
119s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19/12/2022, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4fe627b0bc66a57bfdb76c531c06ce6.exe
Size

1.1MB
MD5

d4fe627b0bc66a57bfdb76c531c06ce6
SHA1

1a9ff0a579460a2e90266ebbfbad127514a74e7a
SHA256

9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
SHA512

bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617
SSDEEP

24576:4MsPdMWW1GIdBCSGZtT/EHr0HUqcBfcvGjZzK6r:XngtAHr0HU7cu9zKM

Score

10^/10

danabot banker discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1284	rundll32.exe
4	1284	rundll32.exe
9	1284	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SYMBOL\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Media Player\\en-US\\SYMBOL.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SYMBOL\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1284	rundll32.exe
1916	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rundll32.exe
File created	C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Desktop.ini	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 1608	1284	rundll32.exe	31

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\brt.fca	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\template.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\MinionPro-BoldIt.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\CP1252.TXT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\CourierStd-Oblique.otf	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\EQNEDT32.CNT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\MCIMPP.mpp	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\VDK10.STD	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\ccme_base.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Identity-H	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\PDFFile_8.ico	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\SYMBOL.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\cryptocme2.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\SaslPrepProfile_norm_bidi.spp	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Thawte Root Certificate.cer	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\DW20.EXE	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AcroTextExtractor.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Adobe Root Certificate.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 39 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1608	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1284	1424	d4fe627b0bc66a57bfdb76c531c06ce6.exe	28
PID 1424 wrote to memory of 1284	1424	d4fe627b0bc66a57bfdb76c531c06ce6.exe	28
PID 1424 wrote to memory of 1284	1424	d4fe627b0bc66a57bfdb76c531c06ce6.exe	28
PID 1424 wrote to memory of 1284	1424	d4fe627b0bc66a57bfdb76c531c06ce6.exe	28
PID 1424 wrote to memory of 1284	1424	d4fe627b0bc66a57bfdb76c531c06ce6.exe	28
PID 1424 wrote to memory of 1284	1424	d4fe627b0bc66a57bfdb76c531c06ce6.exe	28
PID 1424 wrote to memory of 1284	1424	d4fe627b0bc66a57bfdb76c531c06ce6.exe	28
PID 1284 wrote to memory of 1608	1284	rundll32.exe	31
PID 1284 wrote to memory of 1608	1284	rundll32.exe	31
PID 1284 wrote to memory of 1608	1284	rundll32.exe	31
PID 1284 wrote to memory of 1608	1284	rundll32.exe	31
PID 1284 wrote to memory of 1608	1284	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\d4fe627b0bc66a57bfdb76c531c06ce6.exe
"C:\Users\Admin\AppData\Local\Temp\d4fe627b0bc66a57bfdb76c531c06ce6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23994
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1916
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows media player\en-us\symbol.dll",r1ZZTA==
  2⤵
  PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms

Filesize
107KB

MD5
45d8799942c86cbb5a57bee8cb0ac07b

SHA1
aa02c48627782715d6a0d545995e65cf77eebeff

SHA256
a3200e64195e3f3eaf17239602f38684802bf8aa8786189ca0190ca9f7486b31

SHA512
ccc470401616d42115ab192956cefb5b9c360a1024eb33c3a9f521b7d951e6cd036e78e022652dee2ff35eba74cf16f2b4045b42849d8df4b13632c959b9499e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\AssetLibrary.ico

Filesize
5KB

MD5
ca98ea80630e3f5f0dd4ab39bd25ffb5

SHA1
3fbfc2f0aea9875245631ff84ea912b2acf5c9d1

SHA256
5d8e1d9c9d7d8a54b35b9dc70224e6d6fa19518977492b92d54f98ace9efc7a1

SHA512
6b1fc477b7a74154eb654692c0ddee811bb48ccfd119ae9f8c85f5ca1d1f992308264ffb8e7303590fe2f212043028ddee7c0052ff10f6349caec83567a93507

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Desktop.ini

Filesize
370B

MD5
2db341606a8d0e39c81a95a64ed33c84

SHA1
fe436d05231e70928a5acb556d6b8b3ef3260fd6

SHA256
01a69ba309c6665e612654e9d4d6b081772083dd3b9bb657c5123f02233e775a

SHA512
ef9ae495413e6dd72ada2148dd8da69542229d2fccb7e717ca488ac8ca7a5653c8a5075e0ba43eb735d37f16c416a26b0ec5db38438f2463724e219f19c51d96

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_CValidator.H1D

Filesize
11KB

MD5
15df0c4efe61e89ac34133dffde48d75

SHA1
be9773dbefb06cf48b46ec76831c0680f5375cc7

SHA256
88f9c30ea167b52d97189e8dc344bc0640f2ad8cac5d63c1434b4c3df4053c07

SHA512
4e3f1e3876b4618616a3a98e322ba5abf4304d505790e2231abb78adadc25aa3367da6b8cd64f79b71eb2517f5853736506ea5a3652a0fdee5015352e0799175

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
75b592d072f1406ee14771c8b3732e56

SHA1
3cf6d7f0f276a49a6a2275a750e5850e8f9b20a4

SHA256
6b906c6174b54d0315ff4bf7cbcd1a9f02d493c942252db5c5d49ec9f5f12f8d

SHA512
12c4853dd6314212497fd44d32953c49985c4b2d5dab004595c45e0d87b12da5ffbbf6610cfe09a3750197e696beb0650843faa83004d063b0aef55e8951c531

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ONINTL.REST.trx_dll

Filesize
254KB

MD5
9166ad55769791fe3a6ed688f114ad1e

SHA1
ae83ff5266d6a691e78ffb2a32378cc08014d693

SHA256
4423ed91253d2f07dcbdfc68ff88bd85f08aee00c98eba138b946b934139c490

SHA512
8dd251ee0457276f013f195f2ae4f173e33cd9d358ba3066e8fbc4472badbd4541b367bd192cb58a8644a05f928626653a67fc951b4e0f9020363a499f177356

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Ringtone 08.wma

Filesize
135KB

MD5
01c6a0605a97e6ad1541e469cefb08b7

SHA1
63a7535e651e5b753937f81c3ba39f85747eda68

SHA256
c8552f0d52a133e808ab064528dbf9ef1fc8cb2362b9a46b034938606d1a6c1e

SHA512
624d83e909d791ef0ffb228a6a30d75c60aeb1c88f519910b83d86bcfc4799c66349fb76fd417db4746de2e77c3882a0e5e4c0431909184b324e4de8d6c368fb

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
7232474e7c3b7c2f30a4f020ca8544d8

SHA1
120a84c032eca72029f8189e51320ea55a10d10a

SHA256
e5efd8da158f04cb809a6a107e5ba077f1281255f394826e9890ecdee0187a44

SHA512
b073fac844387ec3444f8f190311f0887492bbb8a418341599ccd882e5bbc6aee046db12c87716313335eaa5f626cbe535f940ef1187f13e270e17c7466cbee6

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
7232474e7c3b7c2f30a4f020ca8544d8

SHA1
120a84c032eca72029f8189e51320ea55a10d10a

SHA256
e5efd8da158f04cb809a6a107e5ba077f1281255f394826e9890ecdee0187a44

SHA512
b073fac844387ec3444f8f190311f0887492bbb8a418341599ccd882e5bbc6aee046db12c87716313335eaa5f626cbe535f940ef1187f13e270e17c7466cbee6

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\print_property.ico

Filesize
58KB

MD5
30d7062e069bc0a9b34f4034090c1aae

SHA1
e5fcedd8e4cc0463c0bc6912b1791f2876e28a61

SHA256
24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000

SHA512
85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windows media player\en-us\symbol.dll

Filesize
726KB

MD5
e34351821762100fd33463fffbe7a0ae

SHA1
d12dda8fd686c35202f00bd83a745a06289e7536

SHA256
0b00ba5c15e8845bdef32b580607fac20908e07f194a99b66f7f2eb1a987c1ad

SHA512
d89f34e78b1320c4e4829c0e88f0dd8d6188e8a305527b224a818710edba08d51dcf187757b236239140e22d5092b0d62fec338dd8202b10a3e8b35d60dd784a

Download Submit
\Program Files (x86)\Windows Media Player\en-US\SYMBOL.dll

Filesize
726KB

MD5
e34351821762100fd33463fffbe7a0ae

SHA1
d12dda8fd686c35202f00bd83a745a06289e7536

SHA256
0b00ba5c15e8845bdef32b580607fac20908e07f194a99b66f7f2eb1a987c1ad

SHA512
d89f34e78b1320c4e4829c0e88f0dd8d6188e8a305527b224a818710edba08d51dcf187757b236239140e22d5092b0d62fec338dd8202b10a3e8b35d60dd784a

Download Submit
\Program Files (x86)\Windows Media Player\en-US\SYMBOL.dll

Filesize
726KB

MD5
e34351821762100fd33463fffbe7a0ae

SHA1
d12dda8fd686c35202f00bd83a745a06289e7536

SHA256
0b00ba5c15e8845bdef32b580607fac20908e07f194a99b66f7f2eb1a987c1ad

SHA512
d89f34e78b1320c4e4829c0e88f0dd8d6188e8a305527b224a818710edba08d51dcf187757b236239140e22d5092b0d62fec338dd8202b10a3e8b35d60dd784a

Download Submit
\Program Files (x86)\Windows Media Player\en-US\SYMBOL.dll

Filesize
726KB

MD5
e34351821762100fd33463fffbe7a0ae

SHA1
d12dda8fd686c35202f00bd83a745a06289e7536

SHA256
0b00ba5c15e8845bdef32b580607fac20908e07f194a99b66f7f2eb1a987c1ad

SHA512
d89f34e78b1320c4e4829c0e88f0dd8d6188e8a305527b224a818710edba08d51dcf187757b236239140e22d5092b0d62fec338dd8202b10a3e8b35d60dd784a

Download Submit
\Program Files (x86)\Windows Media Player\en-US\SYMBOL.dll

Filesize
726KB

MD5
e34351821762100fd33463fffbe7a0ae

SHA1
d12dda8fd686c35202f00bd83a745a06289e7536

SHA256
0b00ba5c15e8845bdef32b580607fac20908e07f194a99b66f7f2eb1a987c1ad

SHA512
d89f34e78b1320c4e4829c0e88f0dd8d6188e8a305527b224a818710edba08d51dcf187757b236239140e22d5092b0d62fec338dd8202b10a3e8b35d60dd784a

Download Submit
\Program Files (x86)\Windows Media Player\en-US\SYMBOL.dll

Filesize
726KB

MD5
e34351821762100fd33463fffbe7a0ae

SHA1
d12dda8fd686c35202f00bd83a745a06289e7536

SHA256
0b00ba5c15e8845bdef32b580607fac20908e07f194a99b66f7f2eb1a987c1ad

SHA512
d89f34e78b1320c4e4829c0e88f0dd8d6188e8a305527b224a818710edba08d51dcf187757b236239140e22d5092b0d62fec338dd8202b10a3e8b35d60dd784a

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
memory/1284-72-0x0000000004C30000-0x0000000004D70000-memory.dmp

Filesize
1.2MB

Download
memory/1284-65-0x00000000042C0000-0x00000000049E5000-memory.dmp

Filesize
7.1MB

Download
memory/1284-81-0x00000000042C0000-0x00000000049E5000-memory.dmp

Filesize
7.1MB

Download
memory/1284-68-0x00000000042C0000-0x00000000049E5000-memory.dmp

Filesize
7.1MB

Download
memory/1284-69-0x0000000004C30000-0x0000000004D70000-memory.dmp

Filesize
1.2MB

Download
memory/1284-66-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/1284-74-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/1284-63-0x00000000042C0000-0x00000000049E5000-memory.dmp

Filesize
7.1MB

Download
memory/1284-73-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/1284-67-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/1424-60-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1424-54-0x0000000001DD0000-0x0000000001EA6000-memory.dmp

Filesize
856KB

Download
memory/1424-58-0x0000000001EB0000-0x0000000001FC5000-memory.dmp

Filesize
1.1MB

Download
memory/1424-57-0x0000000001DD0000-0x0000000001EA6000-memory.dmp

Filesize
856KB

Download
memory/1424-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1592-108-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1592-115-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1592-107-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1592-105-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1608-80-0x0000000002010000-0x000000000223A000-memory.dmp

Filesize
2.2MB

Download
memory/1608-77-0x0000000001E00000-0x0000000001F40000-memory.dmp

Filesize
1.2MB

Download
memory/1608-79-0x0000000000260000-0x0000000000479000-memory.dmp

Filesize
2.1MB

Download
memory/1608-76-0x0000000001E00000-0x0000000001F40000-memory.dmp

Filesize
1.2MB

Download
memory/1608-78-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1608-70-0x0000000000260000-0x0000000000479000-memory.dmp

Filesize
2.1MB

Download
memory/1916-88-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1916-86-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1916-98-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1916-114-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads