danabot | 98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe
Size

218KB
MD5

21c0bcafdc20d06ed7b61c1ed8f4f84c
SHA1

d5673c3b26cb6e1d2670f3be381eca1793beac34
SHA256

98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6
SHA512

90e42d54f2eef007743ea03bb23ded489678a9beda5a9bc1aff817c25932397d65c5ed3e7eb82f51e1d90394a224c78cc44fab1c341ef72cf630b93914a2e66b
SSDEEP

3072:4yP6uL95fiHRY7a0OAYehzchDMfOn7b/2uLNHCDml:4Q6uLXfTXcFDfuupCa

Score

10^/10

danabot smokeloader systembc backdoor banker discovery trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/876-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

54 1888 rundll32.exe
72 1888 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

2451.exe4FE6.exehqikm.exe

pid process

4596 2451.exe
4068 4FE6.exe
2424 hqikm.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1888 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1888 set thread context of 2576 1888 rundll32.exe rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

4FE6.exe

description ioc process

File created C:\Windows\Tasks\hqikm.job 4FE6.exe
File opened for modification C:\Windows\Tasks\hqikm.job 4FE6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2336 4596 WerFault.exe 2451.exe
2268 4068 WerFault.exe 4FE6.exe

flow	pid	process
54	1888	rundll32.exe
72	1888	rundll32.exe

pid	process
4596	2451.exe
4068	4FE6.exe
2424	hqikm.exe

pid	process
1888	rundll32.exe

description	pid	process	target process
PID 1888 set thread context of 2576	1888	rundll32.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\hqikm.job	4FE6.exe
File opened for modification	C:\Windows\Tasks\hqikm.job	4FE6.exe

pid	pid_target	process	target process
2336	4596	WerFault.exe	2451.exe
2268	4068	WerFault.exe	4FE6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094559c66100054656d7000003a0009000400efbe0c551d9c94559d662e0000000000000000000000000000000000000000000000000024986a00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2228

pid	process
2228

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe

pid	process
876	98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe
876	98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2228
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe

pid process

876 98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe

pid	process
2228

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

2576 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2228
2228

pid	process
2576	rundll32.exe

pid	process
2228
2228

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2451.exerundll32.exe

description	pid	process	target process
PID 2228 wrote to memory of 4596	2228		2451.exe
PID 2228 wrote to memory of 4596	2228		2451.exe
PID 2228 wrote to memory of 4596	2228		2451.exe
PID 4596 wrote to memory of 1888	4596	2451.exe	rundll32.exe
PID 4596 wrote to memory of 1888	4596	2451.exe	rundll32.exe
PID 4596 wrote to memory of 1888	4596	2451.exe	rundll32.exe
PID 2228 wrote to memory of 4068	2228		4FE6.exe
PID 2228 wrote to memory of 4068	2228		4FE6.exe
PID 2228 wrote to memory of 4068	2228		4FE6.exe
PID 1888 wrote to memory of 2576	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2576	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2576	1888	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe
"C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:876

C:\Users\Admin\AppData\Local\Temp\2451.exe
C:\Users\Admin\AppData\Local\Temp\2451.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14137
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 476
2⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4596 -ip 4596
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\4FE6.exe
C:\Users\Admin\AppData\Local\Temp\4FE6.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 492
2⤵
- Program crash
PID:2268

C:\ProgramData\obkref\hqikm.exe
C:\ProgramData\obkref\hqikm.exe start
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4068 -ip 4068
1⤵
PID:4348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3220

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\apple-touch-icon-57x57-precomposed.dll",e0U2NVNJ
2⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.dll
Filesize
797KB

MD5
90f4135ed3f0327686923564d377f4ef

SHA1
8368b3d9bc52c1a2b4dbeafa240fe6e17b0da99b

SHA256
796291f8e9fbec5c1192d90f31d58b671dac3d120ddb42b517c8e1ccfdbf1e0d

SHA512
50a5bf97f2a8acec0471f7443c3362f1409601f0bd8a14241a704c939845a8c2cc6cb1ba1e8355b35e085dccd983c1879269f5697a5ddb3bc9a8827fe0abcf42

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.dll
Filesize
797KB

MD5
90f4135ed3f0327686923564d377f4ef

SHA1
8368b3d9bc52c1a2b4dbeafa240fe6e17b0da99b

SHA256
796291f8e9fbec5c1192d90f31d58b671dac3d120ddb42b517c8e1ccfdbf1e0d

SHA512
50a5bf97f2a8acec0471f7443c3362f1409601f0bd8a14241a704c939845a8c2cc6cb1ba1e8355b35e085dccd983c1879269f5697a5ddb3bc9a8827fe0abcf42

Download Submit
C:\ProgramData\obkref\hqikm.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\obkref\hqikm.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Active.GRL
Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
7b0dc7fa52f0e2eb87712c85088a160d

SHA1
15ac439ebfa32a2ef4d2de3a92eb761ef4e57d20

SHA256
b76fac7c062c2c1d2fbc9f83eb9816c8db7c408817d3920f68e654afe2a91ebe

SHA512
551bf4954aa8b19c73b80ab1208fe45467b76f5b0d3c98e05517ca8de99818dc581be1adf93c0ca48500aa291bf1319d10c81ac701b54db636e0ef919f909f0a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
820B

MD5
09eb72768015735e81d549d7a5087631

SHA1
0dc0de9d9f1f94a73b760e13dbfb033d58b2962c

SHA256
803200facef08eb731bceb63813c1c873628a271ada9661dda6bb4b638ccb5f8

SHA512
240680b7e01215938623781f3431fb5ae8a2630590285a824f7e41e63e8e06f6fa79e641f4ace6d9dcb96f0c3fe3e928f5ac0eb2992158bda8cb83e95c7e916a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2010Win32.xml
Filesize
71KB

MD5
b08a8c2f6941a1a12aa05180aec1dbb9

SHA1
c09f9207502aca3866b182d79221addcca76f4d1

SHA256
843f89d7b8b11907ee5dea2e0108dbb10ce3883d3b7505c55f4e1082db879d3f

SHA512
8de3748bd731835154f3d371ca0174c2b17da64fd39d479b132947304e6ff1d7f95e344aad64b6b9aa831ae37b3ed00d3a05efaf6aed67619e9d69a1e9b89bf7

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\d42cc0c3858a58db2db37658219e6400_9be0bf4d-f8db-4af4-be85-dc38433c9501
Filesize
1KB

MD5
8199f8d3d0c851c1cdc0fcac1f626d97

SHA1
f35267182b284975a9ef0a359670573e12a504b9

SHA256
27cbbea4e7ba38dd50f895ab8139c47d3fb3b469f11db0d4710de44e5bf62a7d

SHA512
31676860806f44e0dabbdb29ddd1c3b7a9de90006cee670c5c871c7ca22fdd750ec64b064dd4ac3253875d0651b25b72361192ebf8fd646cabc873be8721d090

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\print_pref.ico
Filesize
56KB

MD5
a52a082f2b18811deaf3138d27c57af8

SHA1
317bf685e50de705818bff26f032e7f593830509

SHA256
6b4b668a30271d7853257b5752dc429b39c7b264e77ff3533196e6fd03fbeb88

SHA512
0d6f4bbb993b4e9a0069ddd0503ceb45d8a1cc6f6453cc2faf91cb137fa49e15eeaa3d77cb9954cc07701153932da51977d467c54b1e0fcfe74b6670cac47d99

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\user-40.png
Filesize
525B

MD5
3bde564b05fe619b8082900b5c83b536

SHA1
656b402ff5e478471b1053e50ed8e5bfcc011a11

SHA256
1fa751b71307c22ceb94e3af09688c0e123b26ae8c16e1c521510f309bca4308

SHA512
00303409ca69ee71e6e2702d8f06a8ee5418d01e2e0f726394042b0af4b6a5b35f66d5a70664f031feb7e28d13c124b5d08e4b3998b443a2cba3574c4996ca0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2451.exe
Filesize
1.1MB

MD5
be1369ec379e0ec8dd84be3d5a26ac00

SHA1
ee6832ff5c366b22291778d8c314f0d4ec6b1225

SHA256
4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912

SHA512
4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171

Download Submit
C:\Users\Admin\AppData\Local\Temp\2451.exe
Filesize
1.1MB

MD5
be1369ec379e0ec8dd84be3d5a26ac00

SHA1
ee6832ff5c366b22291778d8c314f0d4ec6b1225

SHA256
4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912

SHA512
4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE6.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE6.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\apple-touch-icon-57x57-precomposed.dll
Filesize
797KB

MD5
90f4135ed3f0327686923564d377f4ef

SHA1
8368b3d9bc52c1a2b4dbeafa240fe6e17b0da99b

SHA256
796291f8e9fbec5c1192d90f31d58b671dac3d120ddb42b517c8e1ccfdbf1e0d

SHA512
50a5bf97f2a8acec0471f7443c3362f1409601f0bd8a14241a704c939845a8c2cc6cb1ba1e8355b35e085dccd983c1879269f5697a5ddb3bc9a8827fe0abcf42

Download Submit
memory/876-136-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/876-135-0x0000000000718000-0x0000000000729000-memory.dmp

Filesize
68KB

Download
memory/876-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/876-132-0x0000000000718000-0x0000000000729000-memory.dmp

Filesize
68KB

Download
memory/876-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/1748-184-0x0000000000000000-mapping.dmp

Download
memory/1888-140-0x0000000000000000-mapping.dmp

Download
memory/1888-157-0x0000000004F50000-0x0000000005090000-memory.dmp

Filesize
1.2MB

Download
memory/1888-159-0x0000000004F50000-0x0000000005090000-memory.dmp

Filesize
1.2MB

Download
memory/1888-156-0x0000000004F50000-0x0000000005090000-memory.dmp

Filesize
1.2MB

Download
memory/1888-158-0x0000000004F50000-0x0000000005090000-memory.dmp

Filesize
1.2MB

Download
memory/1888-155-0x0000000004F50000-0x0000000005090000-memory.dmp

Filesize
1.2MB

Download
memory/1888-154-0x0000000004F50000-0x0000000005090000-memory.dmp

Filesize
1.2MB

Download
memory/1888-163-0x0000000004FC9000-0x0000000004FCB000-memory.dmp

Filesize
8KB

Download
memory/1888-153-0x0000000006200000-0x0000000006925000-memory.dmp

Filesize
7.1MB

Download
memory/1888-169-0x0000000006200000-0x0000000006925000-memory.dmp

Filesize
7.1MB

Download
memory/1888-152-0x0000000006200000-0x0000000006925000-memory.dmp

Filesize
7.1MB

Download
memory/2424-171-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2424-170-0x00000000006F3000-0x0000000000703000-memory.dmp

Filesize
64KB

Download
memory/2576-160-0x00007FF795F26890-mapping.dmp

Download
memory/2576-162-0x0000023603A60000-0x0000023603BA0000-memory.dmp

Filesize
1.2MB

Download
memory/2576-165-0x0000000000DE0000-0x0000000000FF9000-memory.dmp

Filesize
2.1MB

Download
memory/2576-168-0x0000023602090000-0x00000236022BA000-memory.dmp

Filesize
2.2MB

Download
memory/2576-164-0x0000023603A60000-0x0000023603BA0000-memory.dmp

Filesize
1.2MB

Download
memory/3220-177-0x0000000003490000-0x0000000003BB5000-memory.dmp

Filesize
7.1MB

Download
memory/4068-172-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4068-161-0x00000000006D9000-0x00000000006EA000-memory.dmp

Filesize
68KB

Download
memory/4068-173-0x00000000006D9000-0x00000000006EA000-memory.dmp

Filesize
68KB

Download
memory/4068-151-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4068-150-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/4068-149-0x00000000006D9000-0x00000000006EA000-memory.dmp

Filesize
68KB

Download
memory/4068-146-0x0000000000000000-mapping.dmp

Download
memory/4596-145-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4596-144-0x0000000002350000-0x0000000002480000-memory.dmp

Filesize
1.2MB

Download
memory/4596-143-0x0000000002254000-0x0000000002343000-memory.dmp

Filesize
956KB

Download
memory/4596-137-0x0000000000000000-mapping.dmp

Download