Overview

overview

10

Static

static

10

deploy.ps1

windows7-x64

8

deploy.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    900s
  • max time network
    889s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2025 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deploy.ps1

  • Size

    8KB

  • MD5

    8204fecf61d58baa25cea9e97c894bc3

  • SHA1

    bedf0300880e5f5cdd1643abdff6789ee50db35a

  • SHA256

    0e284d3446eef106b1557f50bbe83bbeda4557476bb88b89fcc01195db83d4b1

  • SHA512

    adc06b854f77734396fefcbc1c319efdb00f30c694a836ce721f5b91364533c410d40c5a07ef68d83d5e5e17c31b074009bc2a2b8823d0c1fd5eb7fbc73c43ea

  • SSDEEP

    96:LmbW8Mf47p7qCgr2CpXlwHZt3pXl4Cj+r1osIPjiTYSKYWrrG8cDd:Lmb4f47VHG2tt4osQe4Yg8J

Score
10/10
danabotbankercollectiondiscoveryexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535
Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot family
    danabot
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\deploy.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Users\Admin\AppData\Local\programs\ARC App Broker\AcroBroker.exe
      "C:\Users\Admin\AppData\Local\programs\ARC App Broker\AcroBroker.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4728
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2180
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:636
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3416
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:4648
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:5116
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3848
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:464
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4688
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:2488
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:3636
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3376
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3444
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4132
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1004
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:5060
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:2260
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:748
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1996
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:508
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2168
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4108
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4796
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1812
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1432
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1052
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4976
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1372
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3404
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4732
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:3084
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4324
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4392
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1968
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:5028
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3608
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:4364
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3832
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:1340
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:904
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1096
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2588
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:2816
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:5040
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1704
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:3008
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:2972
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4540
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:552
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1064
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1680
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3780
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:3080
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1092
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:972
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2400
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4724
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3704
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3000
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:1476
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3536
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2604
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:2600
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:4012
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:2800
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:4212
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:3976
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:1328
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:2196
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:4548
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:2916
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:3792
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:3660
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        PID:3672
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
          PID:4192
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
          3⤵
          • Modifies registry class
          PID:4668
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
          3⤵
            PID:4524
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
            3⤵
            • Modifies registry class
            PID:1128
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
            3⤵
            • Modifies registry class
            PID:924
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
            3⤵
            • Modifies registry class
            PID:2512
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
            3⤵
            • Modifies registry class
            PID:3384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\programs\ARC App Broker\AcroBroker.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4856
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\programs\ARC App Broker\AcroBroker.exe"
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1388
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
            3⤵
              PID:2452

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        2
        T1552

        Credentials In Files

        1
        T1552.001

        Credentials in Registry

        1
        T1552.002

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Email Collection

        2
        T1114

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Fisefq
          Filesize

          40KB

          MD5

          ab893875d697a3145af5eed5309bee26

          SHA1

          c90116149196cbf74ffb453ecb3b12945372ebfa

          SHA256

          02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

          SHA512

          6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhbrfjcu.dx5.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\AcroBroker.exe
          Filesize

          2.1MB

          MD5

          0b1e5dfd0c6bd72fb9f45fcaaab9518d

          SHA1

          22e59a332094e6253eb2d263ccc42eab8b5f6528

          SHA256

          46671a589785dda29d30e9209661169f360455ccbcddcfc209fc498ccffc6c42

          SHA512

          c7d8b027f22d37e2f787d7197434b847b0287ebabdac8cd38a6fca3f34b43ca56c5c6945e59a0d8999cbbd136dc6ac6af6e9533814e8116f8910def9c69b84b9

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\MSVCP140.dll
          Filesize

          436KB

          MD5

          c766ca0482dfe588576074b9ed467e38

          SHA1

          5ac975ccce81399218ab0dd27a3effc5b702005e

          SHA256

          85aa8c8ab4cbf1ff9ae5c7bde1bf6da2e18a570e36e2d870b88536b8658c5ba8

          SHA512

          ee36bc949d627b06f11725117d568f9cf1a4d345a939d9b4c46040e96c84159fa741637ef3d73ed2d01df988de59a573c3574308731402eb52bae2329d7bddac

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\Nutrition.db
          Filesize

          5.5MB

          MD5

          9768aa10293b4198fb4766fc5a50649b

          SHA1

          7918245b2ea76c725c20489ef4df82d7c6b71f6b

          SHA256

          de04d0ccbf564605ec85789ae1131238fad200bbb7873843517da7674a380804

          SHA512

          69f09b304ae4f4cf687a8278c6fe7c011e07d428016e50451f9d5f1dfd9ebf1e4d24fa3021e2fddea038d8cf7d0b3e0b5d71799120d174ba1b4398b1c371eee6

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\VCOMP140.DLL
          Filesize

          159KB

          MD5

          60bbda70d913181d91c934d59a7c50f3

          SHA1

          3f371462afcb63b8aae7dcc60f45c691d6863d85

          SHA256

          c554dd55523d0b04729d2d829bfe35c693c2815bf0b4b6c0668437b4e642b836

          SHA512

          a416b0ec335842f05babf5e86074064d7053b170cb57cac84858844304c677210ad47e184ac541a6836416c14b30a8a1d6c111aca1709f019d6d9a943d58a696

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\VCRUNTIME140.dll
          Filesize

          88KB

          MD5

          9c133b18fa9ed96e1aeb2da66e4a4f2b

          SHA1

          238d34dbd80501b580587e330d4405505d5e80f2

          SHA256

          c7d9dfddbe68cf7c6f0b595690e31a26df4780f465d2b90b5f400f2d8d788512

          SHA512

          d2d588f9940e7e623022adebebdc5af68421a8c1024177189d11df45481d7bfed16400958e67454c84ba97f0020da559a8dae2ec41950dc07e629b0fd4752e2f

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\prf-3.0.dll
          Filesize

          10.4MB

          MD5

          fdf10aa0257312ec8bce81650ccc84ab

          SHA1

          f5602d37900b97f9cf166a74c6288f02d3bde9ab

          SHA256

          6bac71d1c9538be2fee958c6cbdc098a72d9392d50534383e6b6dc09ba0393cf

          SHA512

          e328f1b299fdacc9513d4b3e22ff16f9d9c2dbe7583501f8d4db5cc4b6bbbdea19b45fba9cd1ee00c1a41874ffb27315d709916755e8d8ab197618625ec247eb

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\sqlite.dll
          Filesize

          522KB

          MD5

          ae10249e53fc53e293b455e41e195cb2

          SHA1

          d51037c565eb40664d751a6705dd73e9e2616f27

          SHA256

          6af0e5dc18fc112c2fdb0c796ed1a4435f9fffbf9738a5a4c3e6ce4d8c6fa71a

          SHA512

          3632ceebf23f8500d542c0a140bc7ca87656731cc64d19b7e5d6b7369f4356c901456fbaf7f3fcb236e9f21d813a943404224437a635c5e3bc6167592a67f37f

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\tracker.wav
          Filesize

          1.8MB

          MD5

          e5566926543957e5d40cabf30fb07f05

          SHA1

          f28aad1ad302d8f4c9ec9f20afaec6ce6396dd09

          SHA256

          a5938b355a9b987683ea4a0e477cdfbb2f4aedb47a9afd5ae2ea86df9cd7f4f1

          SHA512

          3c2b27a06caa673e7ff1e44d62b93c23c7103e563f7ce91bd584a7c93f1607bad96a1a4190ef45c797c2a5dcee2dbf5d37ff507d829ecd9fb1349e9041e7094f

          Download Submit

        • C:\Users\Admin\AppData\Local\programs\ARC App Broker\wp_type1ttf.dll
          Filesize

          560KB

          MD5

          3c7bbbf6b7ab0a128f6325a47c0b63a7

          SHA1

          8d9569027117564f15dae2a7a8d10ef209304235

          SHA256

          d74c570653e022e410053adf64e98b49696efe521ca1bf76ab34a21eb954eb80

          SHA512

          5fe8015ade8acf5e4dd56a45291921c9aa74df376f565e3ce60f63e9fe90231a951d45f6fdbf1ac5466cd2990a0efe48a0189ccbf49969791ec42fa44027d97f

          Download Submit

        • memory/636-198-0x00000261529E0000-0x0000026152C17000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/636-195-0x0000026152880000-0x00000261529C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/636-199-0x00000261529E0000-0x0000026152C17000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/636-194-0x0000026152880000-0x00000261529C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/636-193-0x00007FFDBA7E0000-0x00007FFDBA7E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1068-11-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-77-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-21-0x0000017F3E810000-0x0000017F3E81A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1068-20-0x0000017F3EB70000-0x0000017F3EB82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1068-19-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-16-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-15-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-14-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1068-13-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-12-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-2-0x0000017F3E690000-0x0000017F3E6B2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1068-0-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1388-1447-0x0000000007180000-0x0000000007191000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1388-1413-0x0000000002340000-0x0000000002376000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1388-1442-0x0000000006EE0000-0x0000000006F83000-memory.dmp

          Filesize

          652KB

          Download

        • memory/1388-1441-0x0000000006250000-0x000000000626E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1388-1431-0x000000006DEC0000-0x000000006DF0C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1388-1430-0x0000000006210000-0x0000000006242000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1388-1429-0x0000000005C80000-0x0000000005CCC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1388-1428-0x0000000005C50000-0x0000000005C6E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1388-1427-0x0000000005780000-0x0000000005AD4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1388-1417-0x0000000005610000-0x0000000005676000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1388-1416-0x00000000055A0000-0x0000000005606000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1388-1415-0x0000000004C90000-0x0000000004CB2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1388-1414-0x0000000004E00000-0x0000000005428000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1388-1443-0x0000000007610000-0x0000000007C8A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1388-1444-0x0000000006F90000-0x0000000006FAA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1388-1445-0x0000000007000000-0x000000000700A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1388-1446-0x00000000071F0000-0x0000000007286000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1388-1453-0x00000000072A0000-0x00000000072A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1388-1450-0x00000000071B0000-0x00000000071BE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1388-1451-0x00000000071C0000-0x00000000071D4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1388-1452-0x00000000072B0000-0x00000000072CA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2180-134-0x000002B112BB0000-0x000002B112CF0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2180-138-0x000002B1111D0000-0x000002B111407000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/2180-132-0x00007FFDBA7E0000-0x00007FFDBA7E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2180-137-0x000002B1111D0000-0x000002B111407000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/2180-133-0x000002B112BB0000-0x000002B112CF0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4728-127-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-128-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-130-0x00000000068F0000-0x0000000006A30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4728-136-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-129-0x0000000008220000-0x0000000008221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4728-135-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-169-0x00000000746C0000-0x000000007474F000-memory.dmp

          Filesize

          572KB

          Download

        • memory/4728-188-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-131-0x00000000068F0000-0x0000000006A30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4728-196-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-197-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-125-0x0000000006B60000-0x00000000070F5000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-124-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-120-0x00000000054E0000-0x00000000054E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4728-192-0x00000000068F0000-0x0000000006A30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4728-121-0x00000000068F0000-0x0000000006A30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4728-191-0x00000000068F0000-0x0000000006A30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4728-190-0x00000000088E0000-0x00000000088E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4728-189-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-122-0x00000000068F0000-0x0000000006A30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4728-118-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-119-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-117-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-115-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-116-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-114-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-113-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-112-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-110-0x0000000063280000-0x00000000634BE000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4728-111-0x000000006E600000-0x000000006E69D000-memory.dmp

          Filesize

          628KB

          Download

        • memory/4728-109-0x0000000005A90000-0x000000000601F000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-108-0x0000000006B60000-0x00000000070F5000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-105-0x0000000006B60000-0x00000000070F5000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4728-107-0x00000000042C0000-0x00000000043AB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4728-101-0x00000000042C0000-0x00000000043AB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4728-102-0x00000000042C0000-0x00000000043AB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4728-97-0x00000000042C0000-0x00000000043AB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4728-92-0x00000000042C0000-0x00000000043AB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4728-94-0x00000000042C0000-0x00000000043AB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4728-85-0x00000000042C0000-0x00000000043AB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4728-84-0x00000000746C0000-0x000000007474F000-memory.dmp

          Filesize

          572KB

          Download