danabot | d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
Size

311KB
MD5

ff8b0ef6c574e5f6f1fa4c4eb75c637d
SHA1

3263f6595d1329cea9348b34a9857a98998a33c6
SHA256

d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac
SHA512

9c2d049aaf278d86db69256dd312cf34d1d1b6dcabe964b93ab2a29b21f9045bceaaf809b46c92e6c4f5d5f27befda9692712fc23c4d45de2bef147c98708ff4
SSDEEP

6144:zjB1L2OqdTTq9rZ0NCKg4bBYqH4rWlRjO1n:zPHqdTuduLlarW9u

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1152-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

62 100 rundll32.exe
67 100 rundll32.exe
99 100 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

EA55.exe

pid process

652 EA55.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

100 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 100 set thread context of 3948 100 rundll32.exe rundll32.exe

flow	pid	process
62	100	rundll32.exe
67	100	rundll32.exe
99	100	rundll32.exe

pid	process
652	EA55.exe

pid	process
100	rundll32.exe

description	pid	process	target process
PID 100 set thread context of 3948	100	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Close2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\libEGL.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\dd_arrow_small.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1788 652 WerFault.exe EA55.exe

pid	pid_target	process	target process
1788	652	WerFault.exe	EA55.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355ca7a100054656d7000003a0009000400efbe0c5519999355cf7a2e00000000000000000000000000000000000000000000000000c2ed0201540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2016

pid	process
2016

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe

pid	process
1152	d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
1152	d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2016
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe

pid process

1152 d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe

pid	process
2016

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016
Token: SeShutdownPrivilege	2016
Token: SeCreatePagefilePrivilege	2016

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3948 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2016
2016

pid	process
3948	rundll32.exe

pid	process
2016
2016

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EA55.exerundll32.exe

description	pid	process	target process
PID 2016 wrote to memory of 652	2016		EA55.exe
PID 2016 wrote to memory of 652	2016		EA55.exe
PID 2016 wrote to memory of 652	2016		EA55.exe
PID 652 wrote to memory of 100	652	EA55.exe	rundll32.exe
PID 652 wrote to memory of 100	652	EA55.exe	rundll32.exe
PID 652 wrote to memory of 100	652	EA55.exe	rundll32.exe
PID 100 wrote to memory of 3948	100	rundll32.exe	rundll32.exe
PID 100 wrote to memory of 3948	100	rundll32.exe	rundll32.exe
PID 100 wrote to memory of 3948	100	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
"C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1152

C:\Users\Admin\AppData\Local\Temp\EA55.exe
C:\Users\Admin\AppData\Local\Temp\EA55.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 532
2⤵
- Program crash
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 652 -ip 652
1⤵
PID:3956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4624

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3732

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\libegl.dll",ZVUQVDRLaQ==
2⤵
PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\libEGL.dll
Filesize
726KB

MD5
8f2e23c4dfdd3993842e7214e1b2d683

SHA1
8efa50f9f1dbac3a077bc96572bc7632ca1221d0

SHA256
238261d8c53bca4562f7dba3f6c028682bf157201b0cced79ed5ea6226f34316

SHA512
944408bde6320076fc0a385d1d4a1b50dd6ea11968ced21e2c10e9547310ea167902ec2a8f21cf223d67fd493b3f49a12d65d1e43ea30fd5cbd4a2398da94a64

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\libEGL.dll
Filesize
726KB

MD5
8f2e23c4dfdd3993842e7214e1b2d683

SHA1
8efa50f9f1dbac3a077bc96572bc7632ca1221d0

SHA256
238261d8c53bca4562f7dba3f6c028682bf157201b0cced79ed5ea6226f34316

SHA512
944408bde6320076fc0a385d1d4a1b50dd6ea11968ced21e2c10e9547310ea167902ec2a8f21cf223d67fd493b3f49a12d65d1e43ea30fd5cbd4a2398da94a64

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DeploymentConfiguration.xml
Filesize
614B

MD5
54cec4437128f703c259efb3dc734386

SHA1
9b15ebe33a771a7e12cd966fd8b583da06914015

SHA256
d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4

SHA512
c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe.xml
Filesize
840B

MD5
2528a361d2ecf923788b3f69833696ec

SHA1
38980657507f08069bc9a05ef8ec17da33410c30

SHA256
7b9699e0d489996eaeb9620d5e5b15cb5f523144a8dbf2a73412329711bd6b7c

SHA512
532f760ba48c2051537edea47506efea1ea8204e51dc61173692da9eab58b5a0bd934b7fa2ce07798e9d468acede6a4926b234dcef3ee0685676505079681202

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOutlook2016CAWin32.xml
Filesize
1KB

MD5
e161373cbfe90116f098d3970623da4f

SHA1
355e659f67ceb62724b7ed7c8a832ee255b6d009

SHA256
2746f5819698bf19e5509335b6cd8fa53320d7eb972a132ef254c164f3005245

SHA512
a78ecf84d8faca28460d03f824c1bbed474529f054599f891460c6b0c4025d96895900485165c8e73f52c644af55e31acbad6567ae2e5be9eeddb045a3c5a830

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
78b7477a992942b2e10e02524196d6d7

SHA1
0e6a3e3f1840618b6a2dd86504b24131241a6ef7

SHA256
a36abaffcada598a83decc6d89e178eefcfd932970da7a0c23b83857db013bdf

SHA512
5fa62095f52ee25155549a50a672723f5e47c0ba930237cdffd432d9019cd28cf59e688e83cb42c331ca1ae0709bf521df6aad5211ef6b496a013d10ff9ea125

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
3a1bb43de9c023e58e6b73d835eaea4e

SHA1
2ae2fe3331d1a8042fa575bd069307f92107ec71

SHA256
d8b95d801e43e2eacfc5ca2de422a17e78191d269398ebeb0316b5c86a1fee05

SHA512
a3af9c922bb0e996ceed19aa83e0af95055223492c1e613960fb60d2ebb29fe85ee0f47cf077726d921c8f56eac76d8eea2af61e72124acc118c87d88331f5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA55.exe
Filesize
1.1MB

MD5
076f3ebdf25ab73e33b760c7171db59a

SHA1
76ec6960e35a5b4adb6886479355c9a93bddcc00

SHA256
57d4d742672d0b1a350de9a156f806404a137fe73c32363df3976a5205cade21

SHA512
8e40439ec3331b877b81ee3daf15bc647cdb00092e7d50bd5df47f322d200ea1e6e3e3d8cb3951c9d8d253ae8e56de0102f98f330a29d4ba950739feb7dddba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA55.exe
Filesize
1.1MB

MD5
076f3ebdf25ab73e33b760c7171db59a

SHA1
76ec6960e35a5b4adb6886479355c9a93bddcc00

SHA256
57d4d742672d0b1a350de9a156f806404a137fe73c32363df3976a5205cade21

SHA512
8e40439ec3331b877b81ee3daf15bc647cdb00092e7d50bd5df47f322d200ea1e6e3e3d8cb3951c9d8d253ae8e56de0102f98f330a29d4ba950739feb7dddba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\libegl.dll
Filesize
726KB

MD5
8f2e23c4dfdd3993842e7214e1b2d683

SHA1
8efa50f9f1dbac3a077bc96572bc7632ca1221d0

SHA256
238261d8c53bca4562f7dba3f6c028682bf157201b0cced79ed5ea6226f34316

SHA512
944408bde6320076fc0a385d1d4a1b50dd6ea11968ced21e2c10e9547310ea167902ec2a8f21cf223d67fd493b3f49a12d65d1e43ea30fd5cbd4a2398da94a64

Download Submit
memory/100-152-0x00000000050D0000-0x0000000005210000-memory.dmp

Filesize
1.2MB

Download
memory/100-146-0x0000000004860000-0x0000000004F85000-memory.dmp

Filesize
7.1MB

Download
memory/100-147-0x00000000050D0000-0x0000000005210000-memory.dmp

Filesize
1.2MB

Download
memory/100-148-0x00000000050D0000-0x0000000005210000-memory.dmp

Filesize
1.2MB

Download
memory/100-149-0x00000000050D0000-0x0000000005210000-memory.dmp

Filesize
1.2MB

Download
memory/100-150-0x00000000050D0000-0x0000000005210000-memory.dmp

Filesize
1.2MB

Download
memory/100-151-0x00000000050D0000-0x0000000005210000-memory.dmp

Filesize
1.2MB

Download
memory/100-145-0x0000000004860000-0x0000000004F85000-memory.dmp

Filesize
7.1MB

Download
memory/100-159-0x0000000004860000-0x0000000004F85000-memory.dmp

Filesize
7.1MB

Download
memory/100-139-0x0000000000000000-mapping.dmp

Download
memory/100-156-0x0000000005149000-0x000000000514B000-memory.dmp

Filesize
8KB

Download
memory/652-140-0x000000000221C000-0x00000000022F2000-memory.dmp

Filesize
856KB

Download
memory/652-142-0x0000000002300000-0x0000000002415000-memory.dmp

Filesize
1.1MB

Download
memory/652-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/652-136-0x0000000000000000-mapping.dmp

Download
memory/1152-132-0x0000000000798000-0x00000000007AE000-memory.dmp

Filesize
88KB

Download
memory/1152-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/1392-169-0x0000000000000000-mapping.dmp

Download
memory/3732-163-0x0000000003BC0000-0x00000000042E5000-memory.dmp

Filesize
7.1MB

Download
memory/3732-171-0x0000000003BC0000-0x00000000042E5000-memory.dmp

Filesize
7.1MB

Download
memory/3948-158-0x00000245878B0000-0x0000024587ADA000-memory.dmp

Filesize
2.2MB

Download
memory/3948-157-0x00000000004D0000-0x00000000006E9000-memory.dmp

Filesize
2.1MB

Download
memory/3948-154-0x0000024589280000-0x00000245893C0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-155-0x0000024589280000-0x00000245893C0000-memory.dmp

Filesize
1.2MB

Download
memory/3948-153-0x00007FF7BCFA6890-mapping.dmp

Download