danabot | 30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a

Analysis

max time kernel
121s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-12-2022 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.0MB
MD5

1a61e55fa3fd1dc5cbf63d91e6c5a93b
SHA1

0f68fc53fafb875aa9150ab4d39b8b5015cac684
SHA256

30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a
SHA512

975c9594a3583bd72d550c57ddd60bec585c87f556aa8118ed4288f0f77e69473a11c0d889692e758363ecdb4c4e9abb6c3d7bb01cc173051bddb9e46ca598d8
SSDEEP

24576:iEGwNZdOMFdGiOlPwFU0yB8zuj+9LJwFP:UwNLKiOlPEjyfOuFP

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 2024 rundll32.exe
4 2024 rundll32.exe
9 2024 rundll32.exe

flow	pid	process
2	2024	rundll32.exe
4	2024	rundll32.exe
9	2024	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PDDom\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Media Player\\en-US\\PDDom.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PDDom\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

2024 rundll32.exe
1128 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2024 set thread context of 1632 2024 rundll32.exe rundll32.exe

pid	process
2024	rundll32.exe
1128	svchost.exe

description	pid	process	target process
PID 2024 set thread context of 1632	2024	rundll32.exe	rundll32.exe

Drops file in Program Files directory 34 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\PDXFile_8.ico	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\DVA.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\SaveAsRTF.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\MSADDNDR.DLL	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\atl.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\CP1251.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\tr.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\PDDom.api	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\VDK10.SYX	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\tesselate.x3d	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\DisplayLanguageNames.en_US.txt	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\CGMIMP32.FLT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AcroRd32Info.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\PDDom.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\MSOEURO.DLL	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\turnOnNotificationInAcrobat.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

956 2024 WerFault.exe rundll32.exe

pid	pid_target	process	target process
956	2024	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2024 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1632 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2024	rundll32.exe

pid	process
1632	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

tmp.exerundll32.exe

description	pid	process	target process
PID 1692 wrote to memory of 2024	1692	tmp.exe	rundll32.exe
PID 1692 wrote to memory of 2024	1692	tmp.exe	rundll32.exe
PID 1692 wrote to memory of 2024	1692	tmp.exe	rundll32.exe
PID 1692 wrote to memory of 2024	1692	tmp.exe	rundll32.exe
PID 1692 wrote to memory of 2024	1692	tmp.exe	rundll32.exe
PID 1692 wrote to memory of 2024	1692	tmp.exe	rundll32.exe
PID 1692 wrote to memory of 2024	1692	tmp.exe	rundll32.exe
PID 2024 wrote to memory of 956	2024	rundll32.exe	WerFault.exe
PID 2024 wrote to memory of 956	2024	rundll32.exe	WerFault.exe
PID 2024 wrote to memory of 956	2024	rundll32.exe	WerFault.exe
PID 2024 wrote to memory of 956	2024	rundll32.exe	WerFault.exe
PID 2024 wrote to memory of 1632	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1632	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1632	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1632	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1632	2024	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1576
3⤵
- Program crash
PID:956

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23994
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1632

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1128

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows media player\en-us\pddom.dll",cyZNZzM0
2⤵
PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ENVELOPR.DLL.trx_dll
Filesize
14KB

MD5
10fa6ecb335d75b17d2c3ac4f3cbaabb

SHA1
0f549eed3c20f7178f2b6f12cb8f3c0dcf022f94

SHA256
1dd89f6d6d5159abd258bf7c0126382986781bee81ad7f7da15e50f2db8e45b8

SHA512
c55f5986fb3ba8d2828d0428a8599cfc1e2b1db7263ffc4bedcc016a3ba47539534685b3dfa0edaff5a8e90a7272cac113cedb3ae672cb43a8a6c42040c1ac01

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_MValidator.H1D
Filesize
14KB

MD5
4d1a16071c2c69e2309ad5b18e9467cd

SHA1
246ff5d628bb257f3abeb26dad5aba41af1121e4

SHA256
76c6db31954bda35c16c2d97cdc078b379189118283518efc5f3327e4ffee570

SHA512
b6f49be1d133bac7ae17ec43afa5d8788fe2c69b2d39abb72924c2ff28507bbe4753113614387d84092b1c5eaec0e7e1b24540511a1f58c7b4b4a05c01a38b0f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MOR6INT.REST.trx_dll
Filesize
48KB

MD5
b22a432ea8c671f119cf8285d1021671

SHA1
3346593a9adb233233509247b1df059742f6aa3e

SHA256
bfd9148c099dfd9477204806df55034d06c9aacf3a4241ab97c4e4acb0349b17

SHA512
361badcd731f078d1bd64e61709f183e73163a1a09e1ed543e56a9c57b2bd28c930111797692c6be4ce4bea17a5e8283fec6ac27db7bd078047552dc51e5dece

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MSS.chk
Filesize
8KB

MD5
fa8464cc5561847c3a0e1cd47e5e9637

SHA1
1febb59dbb8538eceb5c8a0059ff56b4db833a41

SHA256
b331b5929e01945fb9679eb7441f2d7d3ab3aea6f87db654661e6cabb552949d

SHA512
11438cf0fe0c2292b843880792da7eb5d5a5240d2de1e3726ae71838fc2799fde1978ce109fe3994e7b37327d5dfab86e491e2083011b8943da2ba92a93e4188

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\PUBWZINT.REST.trx_dll
Filesize
362KB

MD5
d0b43ae0f1c35e7cb24b440f93474a45

SHA1
aea690fb1b2a91c6fb72681df53a9a77981286bd

SHA256
88dc81fe77c8822ffff27ac78065c22362a876a9b82ccfd33853894a4c17d533

SHA512
1c309a7ab932e6e7e3ded65c20854a4d3398011e625bd7cab0c50631c9c2ea4b9aed3df39b08b98354fd8183432644a8f96df773ce2512e0fce7ee62f14de31f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
d3942976b816e1324d9b48196f79cdb7

SHA1
11f8c380bd151697a1d08db35413744eaaba4579

SHA256
1edf3092b0514a3a15d33391de85eefd9432da405e4c20a6943394508903adad

SHA512
6d427edb3a0ed6668af5fd351a8e02ac70bb747c8b020847108b2fad96acd1dcdb33dad3805f599939fe2649bec98c6889a340735ef217fb47e0434c6cdb2c96

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
2f850da4ec3b75b17c0383c4578aae28

SHA1
ebe2cc59bd8a4d872b87148781f962656c6e82d8

SHA256
38ad41bc7134dd3c9b33807623a61afc43a4b2a60f034f7ca12f9000fad0651f

SHA512
d9cb84be1e5b713f2f1b99073e2c097ab7f3831d0d5ec4256bcc732cf8f6c9fc60bea0da9eff94a686817111a2d2454d80abf8329eea8db134e6c29c40486268

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Speech Recognition.lnk
Filesize
1KB

MD5
1c2d57f6d10fc5fbc894a70c3c3e3cb3

SHA1
758c3a4828c321ae9c008e66067811baddb91b3c

SHA256
df9bdfa348c754781446438c5c46b3c2864a788e4ad735e9eaded00bd8c96de7

SHA512
f77720c2071a84f45aaa371912f8e5132d24de8d709efbb7c6a75c4faad463125c96cef988768277d92650b2e9216e53340a4e45fff4ab41426697d7ce5daf6f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\WWINTL.DLL.trx_dll
Filesize
144KB

MD5
f192da56339a2af3aa3e6194dce4433c

SHA1
f4ca805d1c4a2e5f98247259b2db64f7b19261a4

SHA256
254ce7b5cc2d6e226c10259ae56ac573ca2cdba1888fd3bcabd21b13b33d967f

SHA512
d7ee06520dc551c76beb0be301af22772fe83fe3c7fdbd3ff358bfe1996e69619a3d345941461fc07b474db94323ee152b6f67c4fb54a7cc8cc57c30ac4d8136

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\cache.dat
Filesize
42KB

MD5
1d5f7affb3326ced36667bf6011d9c27

SHA1
761e73786161b661ab4dce3fcb05402d79b60510

SHA256
bace235a5225ca09c5775f06d37e0a887a8e3e5765b8776978b97fca8dbfa30e

SHA512
6b6940dfa50a7a46aa67df0b7d748514fc76585d51568a42eebf6ba14aee21c90d48c26682f7e9d45c47474d8d0995371fb6d8c25f1d0b81d0f7dbedf5d187f9

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\netfol.ico
Filesize
28KB

MD5
3fa8c6dc1f72c3f9f8670a3e236459f2

SHA1
fcca30e9c5f861ac907150c76ca5f2174d214b7b

SHA256
dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7

SHA512
af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\print_queue.ico
Filesize
55KB

MD5
0f3c6d90637f0fdc57b1d303cf8d76cd

SHA1
91cef4325b363b31e4555302a70321a2110b51cf

SHA256
4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261

SHA512
6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
Filesize
1KB

MD5
1d3eb6efb2054c0f8c6dfcc90af00e4e

SHA1
452b9ea9cfbf42179a4e344e38ebad3a7179ead7

SHA256
8fe6157bec03efbc921905d0df8f6f9f4432323f1244fc380ea404d5d0e2c95e

SHA512
a0aefd1bf5bc0b275fbba3af7d06c672d82f3c7b40046f3f11515c6f3467f704d668985816f31f97a64e16c8c1112d78ea1f277e9001a3ef4d65df626544fcaf

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\scan_.ico
Filesize
59KB

MD5
a161b3f9fd62c3931fbd79512810cffa

SHA1
a63f1d8945b983356b66819b3aa5b0bd409995e4

SHA256
d3ba9eecc5e87b384242385078846cff82051194887ce2d7343bb7b60e7a26d7

SHA512
f07776d386a39b20e3721b7450248e458ecd6f477197028aa42e2ab6a2731a002170a5415fb02fadac40b1b97acee3b5064ff76606ba2bcc14f7e7b674524299

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile34.bmp
Filesize
48KB

MD5
eaf6a6895a0e770389a94bec82fb2a29

SHA1
159fa46649b251792d3d01ee0a7a952ed21f94f6

SHA256
45035faa302ab6a495872bafd1283da0b97e5ebb71450128d29e6336243709be

SHA512
d5c3328221b9bac0bea5de23c5a3be4b3658021d7c92f9cf762963fa7ebbfdadba6694794862e571853fb952c3deff61b33161a0bc17c6879a2d7fdbe583548e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile44.bmp
Filesize
48KB

MD5
44840b46ae11971c62f6ea59273bad91

SHA1
79477b9308b0fb13e7c274c4b8f06f7c36a91543

SHA256
22326779f5599fe87151ac35ba694b47322eb990967d7b22c4a45194ff53e08a

SHA512
4883d0e061cea60681dee0fb2afbfb1e64c068291d8aa04bfddc527abf3f81cfbf176fd2ebbcccacff7fdddc0ee76bbe88de711ac133d8ea0fd689bff5db6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windows media player\en-us\pddom.dll
Filesize
726KB

MD5
15745b23180e915070cd3d69e1569122

SHA1
636feecd3649e95011a93e895d87f331c318f9cf

SHA256
97adc37d6e6898bd1ec60f48b2396d9fdfefe32e601a393fdc11b19523a2a60b

SHA512
8607695e4ef0ae3d7011a3ae6e1596a9b1354cb915594b666bb4d46127ffda2f25676e1f4643f89dfbd95c28325ae01c7182008f0c48d341385bc3fb17343fb7

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDDom.dll
Filesize
726KB

MD5
15745b23180e915070cd3d69e1569122

SHA1
636feecd3649e95011a93e895d87f331c318f9cf

SHA256
97adc37d6e6898bd1ec60f48b2396d9fdfefe32e601a393fdc11b19523a2a60b

SHA512
8607695e4ef0ae3d7011a3ae6e1596a9b1354cb915594b666bb4d46127ffda2f25676e1f4643f89dfbd95c28325ae01c7182008f0c48d341385bc3fb17343fb7

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDDom.dll
Filesize
726KB

MD5
15745b23180e915070cd3d69e1569122

SHA1
636feecd3649e95011a93e895d87f331c318f9cf

SHA256
97adc37d6e6898bd1ec60f48b2396d9fdfefe32e601a393fdc11b19523a2a60b

SHA512
8607695e4ef0ae3d7011a3ae6e1596a9b1354cb915594b666bb4d46127ffda2f25676e1f4643f89dfbd95c28325ae01c7182008f0c48d341385bc3fb17343fb7

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDDom.dll
Filesize
726KB

MD5
15745b23180e915070cd3d69e1569122

SHA1
636feecd3649e95011a93e895d87f331c318f9cf

SHA256
97adc37d6e6898bd1ec60f48b2396d9fdfefe32e601a393fdc11b19523a2a60b

SHA512
8607695e4ef0ae3d7011a3ae6e1596a9b1354cb915594b666bb4d46127ffda2f25676e1f4643f89dfbd95c28325ae01c7182008f0c48d341385bc3fb17343fb7

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDDom.dll
Filesize
726KB

MD5
15745b23180e915070cd3d69e1569122

SHA1
636feecd3649e95011a93e895d87f331c318f9cf

SHA256
97adc37d6e6898bd1ec60f48b2396d9fdfefe32e601a393fdc11b19523a2a60b

SHA512
8607695e4ef0ae3d7011a3ae6e1596a9b1354cb915594b666bb4d46127ffda2f25676e1f4643f89dfbd95c28325ae01c7182008f0c48d341385bc3fb17343fb7

Download Submit
\Program Files (x86)\Windows Media Player\en-US\PDDom.dll
Filesize
726KB

MD5
15745b23180e915070cd3d69e1569122

SHA1
636feecd3649e95011a93e895d87f331c318f9cf

SHA256
97adc37d6e6898bd1ec60f48b2396d9fdfefe32e601a393fdc11b19523a2a60b

SHA512
8607695e4ef0ae3d7011a3ae6e1596a9b1354cb915594b666bb4d46127ffda2f25676e1f4643f89dfbd95c28325ae01c7182008f0c48d341385bc3fb17343fb7

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe
Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
memory/1128-88-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1128-120-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1128-89-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1128-86-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1356-119-0x0000000000000000-mapping.dmp

Download
memory/1632-76-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/1632-79-0x0000000001DF0000-0x000000000201A000-memory.dmp

Filesize
2.2MB

Download
memory/1632-80-0x000007FEFC361000-0x000007FEFC363000-memory.dmp

Filesize
8KB

Download
memory/1632-78-0x00000000001D0000-0x00000000003E9000-memory.dmp

Filesize
2.1MB

Download
memory/1632-75-0x00000000FF3C3CEC-mapping.dmp

Download
memory/1632-77-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/1632-70-0x00000000001D0000-0x00000000003E9000-memory.dmp

Filesize
2.1MB

Download
memory/1692-59-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1692-121-0x0000000000000000-mapping.dmp

Download
memory/1692-55-0x00000000763A1000-0x00000000763A3000-memory.dmp

Filesize
8KB

Download
memory/1692-57-0x0000000000520000-0x00000000005F6000-memory.dmp

Filesize
856KB

Download
memory/1692-58-0x0000000001E40000-0x0000000001F55000-memory.dmp

Filesize
1.1MB

Download
memory/1692-54-0x0000000000520000-0x00000000005F6000-memory.dmp

Filesize
856KB

Download
memory/1908-104-0x0000000000000000-mapping.dmp

Download
memory/1908-111-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1908-114-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1908-113-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/2024-67-0x0000000004AF0000-0x0000000004C30000-memory.dmp

Filesize
1.2MB

Download
memory/2024-68-0x00000000043C0000-0x0000000004AE5000-memory.dmp

Filesize
7.1MB

Download
memory/2024-63-0x00000000043C0000-0x0000000004AE5000-memory.dmp

Filesize
7.1MB

Download
memory/2024-65-0x00000000043C0000-0x0000000004AE5000-memory.dmp

Filesize
7.1MB

Download
memory/2024-66-0x0000000004AF0000-0x0000000004C30000-memory.dmp

Filesize
1.2MB

Download
memory/2024-69-0x0000000005480000-0x00000000055C0000-memory.dmp

Filesize
1.2MB

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download
memory/2024-72-0x0000000005480000-0x00000000055C0000-memory.dmp

Filesize
1.2MB

Download
memory/2024-73-0x0000000004AF0000-0x0000000004C30000-memory.dmp

Filesize
1.2MB

Download
memory/2024-74-0x0000000004AF0000-0x0000000004C30000-memory.dmp

Filesize
1.2MB

Download
memory/2024-81-0x00000000043C0000-0x0000000004AE5000-memory.dmp

Filesize
7.1MB

Download