Resubmissions
24-02-2024 23:16
240224-29fd5ahd4w 1024-02-2024 22:21
240224-191jmage7y 1024-02-2024 22:06
240224-11gedsfe93 1024-02-2024 22:03
240224-1yt8gafe62 124-02-2024 21:54
240224-1sjjsagb7z 724-02-2024 21:50
240224-1pv4eagb3v 10Analysis
-
max time kernel
300s -
max time network
322s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
24-02-2024 22:21
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload 3 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Blocklisted process makes network request 5 IoCs
-
Disables Task Manager via registry modification
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd9a246f8,0x7fffd9a24708,0x7fffd9a247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5080 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=180 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"1⤵
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.exe@22002⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll,f03⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 9324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 4562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2200 -ip 22001⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\000.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\000.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 03⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa396e855 /state1:0x41c64e6d1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5056 -ip 50561⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5360dd5debf8bf7b89c4d88d29e38446c
SHA165afff8c78aeb12c577a523cb77cd58d401b0f82
SHA2563d9debe659077c04b288107244a22f1b315bcf7495bee75151a9077e71b41eef
SHA5120ee5b81f0acc82befa24a4438f2ca417ae6fac43fa8c7f264b83b4c792b1bb8d4cecb94c6cbd6facc120dc10d7e4d67e014cdb6b4db83b1a1b60144bb78f7542
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56fbbaffc5a50295d007ab405b0885ab5
SHA1518e87df81db1dded184c3e4e3f129cca15baba1
SHA256b9cde79357b550b171f70630fa94754ca2dcd6228b94f311aefe2a7f1ccfc7b6
SHA512011c69bf56eb40e7ac5d201c1a0542878d9b32495e94d28c2f3b480772aa541bfd492a9959957d71e66f27b3e8b1a3c13b91f4a21756a9b8263281fd509c007b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD517619ebbc2a9e23bd42089af941377ba
SHA1df5b99766c2bccddaedbc7fff396107ad404d540
SHA2562a952c25133c73047ded5c079b9a62e4eb82a6b4fa01412fd582930eee5276f0
SHA5123eebcc0272dee529dbc81581f277b5e1c88a083f5a40837af08d0de96fe1b2adf55f805d2d57b7eb182f2b68f55e93b10fee0bfc49714298a43391c03d0df1e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
573B
MD5463f615865d92339eb68e23cb603e539
SHA11caff5854dcc2665be53c36fafe53602f39fbadb
SHA256a71ea36b4801d34a72d4cf2e6697acb39eb69abbf866461cc64d84133710759f
SHA512f77f957a18753ea34c90d48bc81ed4a6ff65a8c42036d2ebc622ea4e5bb7a4d76eb1e9e6367d765edba69e83c973dac2670a97cbee3f95d08259ef667cc8b5a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD502a52d028f2060da31e00bf220ee1c18
SHA1f76f947fd7206938423954e93819648923c600f2
SHA256ac74c4cc39dc43e74a01e3429fcb9554ddb0807f69c5ab2b0a82c76f91a2a822
SHA512f547dd5f82985fe5420e9c09473a5c053306c1da6b0fcf32565568f60987cdab5d4c00bcaee0f27274d5e65f606bb3c8bf7de55736fa08db362e1e89651e53aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a7d02366b3db69201e2c6fc9859abd2c
SHA13f31a048d2ed69824fe420c572a37e3376659a5f
SHA25617e03b4b76626283aa1733050249e724e1c9377ebd5935ef216a58611db773da
SHA512a34872d1dd931db09f6e98d32eb003e83db0dba9ad35d29d0d7e90869d62bccf3c5645075d7275ad21b4c94180c403abea6f4fc4462d51a660344b9ba8e8de9d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a77c5832aa8eb35ac0d93c8cfd9d47d5
SHA1674425b27060fd873334f168797d9fc04705b0be
SHA256ae10a3d45bf64a288f88a09d8902698bee57630e506b81fe408c05f1111e1abc
SHA5126ad988425c92048c11cea7d4c198e2403615010fa176c11304f84e915f043a33faa6ce59705ba173d5a241601999201c785d2a34ca87e72db923e9071bff0b6b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD53d0f981090f5cdbc9fe709a7db0675e9
SHA189c066894a0c41257259ad76d04faea009e1c5a1
SHA256a5dd73c2fd3b0940d863d37afb3f8c188082de1c49ec56bee3c1daff85f1a9bb
SHA5126b042e5671cc4e349067b89baf39361cf7432b0389d5b90b2f6e392529771701e255ffa4b869f91277d5bf6a7e57710d42249e0af1f77720e77b1b8115691247
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c78663f9f2962f11b6da45f4048e54ac
SHA13b1bd9eacb119829175aca260b5581d79fe3ef4a
SHA256818d8e5c652c93f8bb064d77e8b8f133a6949d68543179b416acf718522c002e
SHA5129cbc209dbc5a9b83af315b9fb0b7cbcb7b9b616feaa43583c2dd1253311496bec5dc773f4148551dd162985aa2dc0c0c0692a67acaaf616d02e7928400a422d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54cde5e50534f8a4a15cbf43e1644f66c
SHA12bfe90f51ba196016bbd184b144135b7c754f01b
SHA256f3c8aa3a266a5e1c5ce1f5941ae1fb01d2552e1210f27952f224c2264c8dc530
SHA512313b9c295ed982b86e27c1e1975ea0264824932616a27f45885e6e39c8db0b1bc2c2a33944aff37175c7971aab4baaf289d5064ed07aa2b4764b5a5f535bfb67
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c4c481538d074de8818e9844ca609927
SHA18291b91dd52378e65482d507c290359e8dafb80b
SHA256486238bb15c79d9554939e873247d3f690daaf3c49f2ade099109db366948e5c
SHA5129795adf490f795a84304842c28cca309e6a8b15ffe0db2274ebd67d8ee3cf063c54b2937b7f9402187eb2a913e5991ba9afbd2050858191cd15cc49ffc92ccf5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5cf76c46265b18576d8706151dcc976d6
SHA17a825afdb7cd6a8b207d59602684a8390e481230
SHA25689c5ea6c7c08d4c51172fc8ad7fb95b144bc8c46554862f743d30da27add7152
SHA512a1fc199aaa4b3ff14e8fdb184942938a494f740ee48f57ac22612410bf14f9f6414858deb36eeb9528919ffdcb93800a34b5bffbadf535ed01df9e5eb39fb6d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585d0f.TMPFilesize
874B
MD5603d5b44c22a81a109e2fadd7aaa8363
SHA160193dc9ace47f98f155a97d8350f178bedf54ca
SHA256db7528ec4a78179548c56630f2a808cd6882bebf45792cc5646777267202d6a4
SHA512aa53845632cfd7f49d02bae5920495d0f459f6e57fc06ed282a9fe447fe9303f01af6eb21d935f7e56796b4432cc71d0beea799173af3d2a0f440afdc507bca9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD54df3ba0382579c119ca690339a8c9482
SHA1e3ce6003a850dafa73cfb17c65344ce1658627e3
SHA2566f522a03444105c507a6b303a9d93ea3a4b01dd682f4024e8c1cbccb7c034b89
SHA5122fb6d84dbb2a94b8fbaaf3436cb058ee0d9eb4234a6f3f40cc15febc1692711731b1c67783bc60a8b99731ebbcfe16003a26a5c39d277d76a70a274a972be24e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5abc2ebd8ea182f3b3c581746bd9d5179
SHA10aba2f71823db098e662534edb13b17633d02fc7
SHA2567cb0f258835167172936b962167a8d681c993fdba6f791a2677b91b2c2cf8ca5
SHA512a0a1698765a11741fd2ad0c11ecb7e414b6682cd8e339680e16fcf65b3d1e7acacc45c262a9249f94269271e49d0839f4f0331c272f7e82e7f80dd863f00ba0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD55564f0289ca7d59c97b5a9005b698cca
SHA19943c9d8d375cd74f323d76447c1c5a78c431180
SHA256d1271dfad34aae38cb191c693a3c1fdf282a16eb845a929f28b82b3cc7224937
SHA5122ec8d433a0dab19ff92eb2f951eb85c24d1b0361a8fb20932550dd4059bfad9c0030b6d77dee5c065b8d4e0357b2b08704513dd2ec291590a76e9a768037113f
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
896KB
MD5c122e131aa74cac02dca5bfe778853fe
SHA1b9f94624c0ab8940e2e24ac06daf0b02daf3261a
SHA256d15edf3b7ca1ae334d0a7d901e136beee6a62e5e3d7a6da3867fab869ebc04f0
SHA51289d25f2195929cddb9da2f3b988b01769f1216f93bb26b83e71a19ba52944519232859e898672dcc5f4e613aa5197befb0a878a003709d4566e64d81b4d98aa7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.2\WMSDKNS.XMLFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dllFilesize
2.1MB
MD5d116c8e38a7f61397a0974552ed05ef2
SHA1f7d03237dff9914ba249996c636048f64340353c
SHA2567854f5a9c39aec7c9f61b275be8ff54ef86582edb0c39e472aa19a1a9f2a92b0
SHA512e803f92eb9cad3e500b31b9aa4bbc306c801ff0e893b79bcac1f0cc0dcec63656094bacd2cd7f245985645df2908f9dcdc19b139aac1114a664df770e606e97b
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.dllFilesize
1.9MB
MD52422becc54661742e9b6d3c8f48286a3
SHA130d9b5335ae5a78ca537ebb02b38e3fcfe7db993
SHA25629c1a05a25ee4ba54bf1bc20054611662f887f49057d7a379698654b7e2bd690
SHA5126a6c45d0221210c134789e14ffbad32732959bad64d79db6e30c54811a46803c04560067235478dbe6e230c3d82662940742cb223bd8894a50621ed9243398c0
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.dllFilesize
932KB
MD5b4eec45673c11a1afb04ea40d4760f70
SHA12017e4d8d37d6ab50df3cd61ed0ac456fa088fc9
SHA256f38001962121bf6afbf0845583c5870a0be22626fbbe7af5397f3602b09dcab0
SHA51295f946ec795cae47ff26f55dfebe645cce717fbcc69d87a45f0303ef00715356cc01bb17b611bde41f503cad168d468c73d2110f7767a2aa3e20f504fcd4f23f
-
C:\Users\Admin\AppData\Local\Temp\one.rtfFilesize
403B
MD56fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
C:\Users\Admin\AppData\Local\Temp\rniw.exeFilesize
76KB
MD59232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
C:\Users\Admin\AppData\Local\Temp\text.txtFilesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
C:\Users\Admin\AppData\Local\Temp\v.mp4Filesize
81KB
MD5d2774b188ab5dde3e2df5033a676a0b4
SHA16e8f668cba211f1c3303e4947676f2fc9e4a1bcc
SHA25695374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443
SHA5123047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131
-
C:\Users\Admin\AppData\Local\Temp\windl.batFilesize
771B
MD5a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zipFilesize
2.5MB
MD599533bed5c0cef1bc73e6ffe13c5ff8f
SHA10065a5e99c4a83c2fc916dadb473ad184aa46364
SHA25674e0fb7d85761d7444c70df3e493c6a988bf9b61b650f0fcd290d17d3b4e6cc7
SHA512b60bc1e65b31542a91418ba84797fee4f71a41f32634ced7038b23ecadecabb09afa79801f084945108e034ae315e1d731b5410a64e3cea003cc640713056c5d
-
\??\pipe\LOCAL\crashpad_1620_WOFDHZVOBOWOFEZWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/872-333-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-331-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-332-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-330-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-335-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-334-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-336-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-326-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-325-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-324-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/1444-320-0x0000000001430000-0x0000000001431000-memory.dmpFilesize
4KB
-
memory/2200-314-0x00000000029F0000-0x0000000002C7D000-memory.dmpFilesize
2.6MB
-
memory/2200-323-0x00000000029F0000-0x0000000002C7D000-memory.dmpFilesize
2.6MB
-
memory/2200-313-0x0000000002770000-0x00000000029EA000-memory.dmpFilesize
2.5MB
-
memory/2200-315-0x0000000000400000-0x0000000000AAD000-memory.dmpFilesize
6.7MB
-
memory/2200-316-0x0000000000400000-0x0000000000AAD000-memory.dmpFilesize
6.7MB
-
memory/2200-322-0x0000000000400000-0x0000000000AAD000-memory.dmpFilesize
6.7MB
-
memory/3980-1188-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-1192-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-766-0x0000000009FB0000-0x0000000009FE8000-memory.dmpFilesize
224KB
-
memory/3980-773-0x0000000009F80000-0x0000000009F8E000-memory.dmpFilesize
56KB
-
memory/3980-1180-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1182-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1183-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1184-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1185-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1186-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1187-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-346-0x00000000067D0000-0x0000000006D74000-memory.dmpFilesize
5.6MB
-
memory/3980-1189-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1265-0x00000000736E0000-0x0000000073E90000-memory.dmpFilesize
7.7MB
-
memory/3980-1193-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/3980-1194-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1195-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/3980-1191-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1190-0x00000000736E0000-0x0000000073E90000-memory.dmpFilesize
7.7MB
-
memory/3980-1196-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-1197-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-345-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/3980-343-0x00000000736E0000-0x0000000073E90000-memory.dmpFilesize
7.7MB
-
memory/3980-344-0x0000000000FB0000-0x000000000165E000-memory.dmpFilesize
6.7MB
-
memory/3980-355-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/5056-339-0x0000000000400000-0x000000000066B000-memory.dmpFilesize
2.4MB
-
memory/5056-337-0x0000000000400000-0x000000000066B000-memory.dmpFilesize
2.4MB
-
memory/5056-1266-0x0000000000400000-0x000000000066B000-memory.dmpFilesize
2.4MB