Resubmissions

  Submitted           Task ID              Score
  24-02-2024 23:16    240224-29fd5ahd4w    10
  24-02-2024 22:21    240224-191jmage7y    10
  24-02-2024 22:06    240224-11gedsfe93    10
  24-02-2024 22:03    240224-1yt8gafe62    1
  24-02-2024 21:54    240224-1sjjsagb7z    7
  24-02-2024 21:50    240224-1pv4eagb3v    10

Analysis

  max time kernel:    300s
  max time network:   322s
  platform:           windows10-2004_x64
  resource:           win10v2004-20240221-en
  resource tags:      arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  submitted:          24-02-2024 22:21
  Static task:        static1
  URLScan task:       urlscan1
General
Malware Config

Extracted: danabot
  C2 addresses:
    51.178.195.151
    51.222.39.81
    149.255.35.125
    38.68.50.179
    51.77.7.204
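The five addresses above are the actionable output of this report for a network defender. The script below turns them into Suricata and Windows Firewall block rules. It is an added example for this page, not tooling from the sandbox vendor or from the repository the sample came from; the rule names, message text and SID base are choices made here, and the address-validation step exists because extracted configs sometimes carry loopback or RFC 1918 placeholders that must never reach a blocklist.

```python
"""Turn the extracted DanaBot C2 list into blocking rules.

Added example for this page; not tooling from the sandbox vendor or from the
repository the sample came from. The five addresses are the ones listed under
"Malware Config" above. Rule names, the SID base and the message text are
choices made here, not anything the report specifies.
"""
import ipaddress

# Addresses exactly as listed under "Malware Config" on this page.
DANABOT_C2 = [
    "51.178.195.151",
    "51.222.39.81",
    "149.255.35.125",
    "38.68.50.179",
    "51.77.7.204",
]

SID_BASE = 9_000_000  # assumed local-use SID range; pick one that does not collide with your feeds


def usable_c2(addresses):
    """Keep only syntactically valid, globally routable addresses, deduplicated
    in input order. Extracted configs sometimes carry RFC 1918 or loopback
    placeholders, and blocking those would break the analyst's own network."""
    seen, out = set(), []
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # not an IP literal (hostname, garbage, empty)
        if not ip.is_global or str(ip) in seen:
            continue
        seen.add(str(ip))
        out.append(str(ip))
    return out


def suricata_rules(addresses, family="danabot", sid_base=SID_BASE):
    """One 'alert ip' rule per C2 address, any protocol, any port, with SIDs
    assigned deterministically from the input order so reruns stay stable."""
    rules = []
    for i, ip in enumerate(usable_c2(addresses)):
        rules.append(
            f"alert ip $HOME_NET any -> {ip} any "
            f'(msg:"{family} C2 contact {ip}"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def netsh_block_rules(addresses, family="danabot"):
    """Equivalent outbound block rules for the Windows host firewall."""
    return [
        f'netsh advfirewall firewall add rule name="{family}-c2-{ip}" '
        f"dir=out action=block remoteip={ip}"
        for ip in usable_c2(addresses)
    ]


if __name__ == "__main__":
    for line in suricata_rules(DANABOT_C2) + netsh_block_rules(DANABOT_C2):
        print(line)
```

Sandbox-extracted C2 lists are point-in-time: DanaBot operators rotate infrastructure, so treat these rules as a short-lived indicator set rather than a permanent policy, and keep the SIDs stable so later feed updates can revise rather than duplicate them.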
Signatures

Danabot x86 payload (3 IoCs)
  Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
  Processes:
    resource                                                                                                             | yara_rule
    C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll                                          | family_danabot
    C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.dll | family_danabot
    C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.dll | family_danabot
  The first path is the 8.3 short-name form of the same DanaBot.dll as the other two entries.

Blocklisted process makes network request (5 IoCs)
  Processes: rundll32.exe
    flow | pid  | process
    76   | 5056 | rundll32.exe
    77   | 5056 | rundll32.exe
    79   | 5056 | rundll32.exe
    80   | 5056 | rundll32.exe
    85   | 5056 | rundll32.exe

Disables Task Manager via registry modification
  Processes: none listed

Loads dropped DLL (2 IoCs)
  Processes: regsvr32.exe, rundll32.exe
    pid  | process
    1444 | regsvr32.exe
    5056 | rundll32.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 000.exe
    description             | ioc                                                                                                                                    | process
    File opened (read-only) | \??\B:, \??\G:, \??\J:, \??\K:, \??\Q:, \??\A:, \??\L:, \??\P:, \??\T:, \??\V:, \??\W:, \??\Y:, \??\I:, \??\R:, \??\O:, \??\H:, \??\M:, \??\N:, \??\S:, \??\U:, \??\X:, \??\Z:, \??\E: | 000.exe
  Twenty-three entries in the order the report lists them: every drive letter except C:, D: and F:.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: 000.exe
    description     | ioc                                                                                  | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\Wallpaper | 000.exe

Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
    pid  | pid_target | process      | target process
    1268 | 2200       | WerFault.exe | DanaBot.exe
    1332 | 5056       | WerFault.exe | rundll32.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments. In this run the key is read by taskmgr.exe (PID 872), which appears at the top level of the process tree as an interactive Task Manager session, so this hit reflects the analyst's session rather than either sample.
  Processes: taskmgr.exe
    description       | ioc                                                                                                                                              | process
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                  | taskmgr.exe
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                     | taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
    description       | ioc                                                                  | process
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe

Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe, taskkill.exe
    pid  | process
    4052 | taskkill.exe
    1532 | taskkill.exe

Modifies registry class (3 IoCs)
  Processes: msedge.exe, 000.exe
    description     | ioc                                                                                                                                                                                  | process
    Key created     | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings                                                                                                   | msedge.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"                                                                         | 000.exe
    Key created     | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3844919115-497234255-166257750-1000\{4ADC3674-80FE-4044-B57B-3A2E5477A32C} | 000.exe
  The txtfile DefaultIcon change by 000.exe points the .txt file-type icon at an icon dropped under the user's Temp folder, which is a machine-wide (HKLM) change.
The "Suspicious" entries below are dominated by msedge.exe and taskmgr.exe. The browser was launched to fetch the archive from GitHub and Task Manager was opened interactively (see the process tree), so those rows are background noise from the session; the rows attributable to the samples are the ones for 000.exe, taskkill.exe and WMIC.exe. Tables are capped at 64 entries.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, msedge.exe, taskmgr.exe
    pid  | process             | entries
    4992 | msedge.exe          | 2
    1620 | msedge.exe          | 2
    4112 | identity_helper.exe | 2
    1916 | msedge.exe          | 4
    4556 | msedge.exe          | 2
    872  | taskmgr.exe         | all remaining entries up to the 64-entry cap

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  Processes: msedge.exe
    pid  | process    | entries
    1620 | msedge.exe | 8

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: taskmgr.exe, taskkill.exe, taskkill.exe, WMIC.exe, WMIC.exe
    pid  | process      | privileges enabled (Token:)
    872  | taskmgr.exe  | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
    4052 | taskkill.exe | SeDebugPrivilege
    1532 | taskkill.exe | SeDebugPrivilege
    1844 | WMIC.exe     | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this full set is recorded twice)
    3296 | WMIC.exe     | the same set from SeIncreaseQuotaPrivilege through SeManageVolumePrivilege; the table stops there at the 64-entry cap
  The taskkill.exe and WMIC.exe rows are children of the 000.exe batch script; WMIC enables every privilege in its token on startup, which is normal for that binary.

Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: msedge.exe
    pid  | process    | entries
    1620 | msedge.exe | 64

Suspicious use of SendNotifyMessage (64 IoCs)
  Processes: msedge.exe, taskmgr.exe
    pid  | process     | entries
    1620 | msedge.exe  | first block of entries
    872  | taskmgr.exe | remaining entries up to the 64-entry cap

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 000.exe
    pid  | process | entries
    3980 | 000.exe | 2

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
    description                                    | pid  | process    | target pid              | target process
    PID 1620 wrote to memory of another process    | 1620 | msedge.exe | 1208, 4888, 4992, 1128 | msedge.exe
  All 64 entries are the msedge.exe browser process (PID 1620) writing into other msedge.exe processes, in that order of target PIDs, with most entries targeting 4888 and 1128.
Processes

Indentation shows the parent/child nesting from the report (its depth markers); under each image path is the recorded command line, followed by the signatures attributed to that process.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd9a246f8,0x7fffd9a24708,0x7fffd9a24718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5080 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=180 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,13424531597855084862,1449078325604923183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"

    C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.exe@2200
      - Loads dropped DLL

        C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll,f0
          - Blocklisted process makes network request
          - Loads dropped DLL

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 932
              - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 456
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2200 -ip 2200

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\000.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\000.exe"
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""

        C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im taskmgr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic useraccount where name='Admin' set FullName='UR NEXT'
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic useraccount where name='Admin' rename 'UR NEXT'
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\shutdown.exe
          shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa396e855 /state1:0x41c64e6d

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5056 -ip 5056
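The tree above is the part of this report worth turning into detection logic: DanaBot.exe hands its DLL to regsvr32.exe, which hands it to rundll32.exe, which is the process that talks to the C2 addresses; 000.exe runs a batch file from Temp that kills explorer.exe and taskmgr.exe, renames the Admin account to 'UR NEXT' and forces an immediate reboot. The script below rebuilds parent/child links from the report's depth numbering and applies those behaviours with lineage attached, so a hit reads "taskkill.exe <- cmd.exe <- 000.exe" rather than a bare taskkill. It is an added example for this page, not tooling from the sandbox vendor or from the repository the samples came from. The rows are transcribed by hand from the tree; PIDs come from the signature tables where the report gives them (2200, 1444, 5056, 872, 3980, 4052, 1532, 1844, 3296) and are assumed placeholders (9001, 9002) where it does not. The connection rows are constructed: the report says rundll32.exe PID 5056 made network requests and lists the C2 addresses, but shows no per-connection detail, and 192.0.2.10 is a documentation address standing in for benign traffic.

```python
"""Lineage-aware triage of the process tree on this page.

Added example, not the sandbox vendor's or the sample repository's code.
ROWS is transcribed from the report; PIDs 9001 and 9002 are assumed because
the report does not give PIDs for cmd.exe or shutdown.exe. CONNECTIONS is
constructed from the report's statement that rundll32.exe (5056) made
network requests plus the extracted C2 list; 192.0.2.10 is a placeholder.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# From "Malware Config" on this page.
C2_IPS = {"51.178.195.151", "51.222.39.81", "149.255.35.125", "38.68.50.179", "51.77.7.204"}

REPO = r"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master"
SHORT = r"C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1"  # 8.3 form of the same folder

# (depth, pid, image, command line); a depth-(n+1) row is a child of the nearest preceding depth-n row.
ROWS = [
    (1, 2200, REPO + r"\Banking-Malware\DanaBot.exe", f'"{REPO}\\Banking-Malware\\DanaBot.exe"'),
    (2, 1444, r"C:\Windows\SysWOW64\regsvr32.exe",
        f"C:\\Windows\\system32\\regsvr32.exe -s {SHORT}\\DanaBot.dll f1 {SHORT}\\DanaBot.exe@2200"),
    (3, 5056, r"C:\Windows\SysWOW64\rundll32.exe", f"C:\\Windows\\SysWOW64\\rundll32.exe {SHORT}\\DanaBot.dll,f0"),
    (1, 872, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /0'),  # analyst's Task Manager
    (1, 3980, REPO + r"\Trojan\000.exe", f'"{REPO}\\Trojan\\000.exe"'),
    (2, 9001, r"C:\Windows\SysWOW64\cmd.exe",
        r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""'),  # pid assumed
    (3, 4052, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im explorer.exe"),
    (3, 1532, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im taskmgr.exe"),
    (3, 1844, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic useraccount where name='Admin' set FullName='UR NEXT'"),
    (3, 3296, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic useraccount where name='Admin' rename 'UR NEXT'"),
    (3, 9002, r"C:\Windows\SysWOW64\shutdown.exe", "shutdown /f /r /t 0"),  # pid assumed
]

# Constructed (pid, destination IP) pairs, see the module docstring.
CONNECTIONS = [(5056, "51.178.195.151"), (5056, "51.222.39.81"), (872, "192.0.2.10")]


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    def ancestry(self) -> str:
        """'child <- parent <- ... <- root', the string a triage note needs."""
        chain, node = [], self
        while node is not None:
            chain.append(node.name)
            node = node.parent
        return " <- ".join(chain)


def build_tree(rows):
    """Rebuild parent/child links from the report's depth numbering."""
    roots, procs, stack = [], {}, []
    for depth, pid, image, cmdline in rows:
        node = Proc(pid, image, cmdline)
        del stack[depth - 1:]  # pop back to this row's parent level
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        else:
            roots.append(node)
        stack.append(node)
        procs[pid] = node
    return roots, procs


# A DLL loaded from the user's Temp folder by a signed Windows loader binary.
TEMP_DLL = re.compile(r"\\appdata\\local\\temp\\[^ ]*\.dll", re.I)


def triage(procs, connections):
    """Apply the behaviours the report flags, but report each with its lineage."""
    hits = []
    for p in procs.values():
        cmd = p.cmdline.lower()
        if p.name in ("rundll32.exe", "regsvr32.exe") and TEMP_DLL.search(p.cmdline):
            hits.append(("dropped_dll_via_lolbin", p.pid, p.ancestry()))
        if p.name == "taskkill.exe" and re.search(r"/im\s+(explorer|taskmgr)\.exe", cmd):
            hits.append(("kills_shell_or_taskmgr", p.pid, p.ancestry()))
        if p.name == "wmic.exe" and "useraccount" in cmd and " rename " in cmd:
            hits.append(("renames_local_account", p.pid, p.ancestry()))
        if p.name == "shutdown.exe" and "/f" in cmd and "/r" in cmd and re.search(r"/t\s+0\b", cmd):
            hits.append(("forced_immediate_reboot", p.pid, p.ancestry()))
    for pid, dst in connections:
        p = procs.get(pid)
        if p is not None and dst in C2_IPS:
            hits.append(("danabot_c2_contact", pid, f"{p.ancestry()} -> {dst}"))
    return hits


def run():
    _, procs = build_tree(ROWS)
    return triage(procs, CONNECTIONS)


if __name__ == "__main__":
    for rule, pid, where in run():
        print(f"{rule:24} pid={pid:<5} {where}")
```

The lineage is what separates the two samples' activity from the noise in the signature tables: taskmgr.exe (PID 872) produces no hit even though the report lists it under several "Suspicious" headings, while every hit that does fire chains back to DanaBot.exe or 000.exe. The same rules transfer to Sysmon or EDR telemetry by replacing ROWS with real process-create events and CONNECTIONS with network-connect events keyed on the same PIDs.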
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:      360dd5debf8bf7b89c4d88d29e38446c
  SHA1:     65afff8c78aeb12c577a523cb77cd58d401b0f82
  SHA256:   3d9debe659077c04b288107244a22f1b315bcf7495bee75151a9077e71b41eef
  SHA512:   0ee5b81f0acc82befa24a4438f2ca417ae6fac43fa8c7f264b83b4c792b1bb8d4cecb94c6cbd6facc120dc10d7e4d67e014cdb6b4db83b1a1b60144bb78f7542

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:      6fbbaffc5a50295d007ab405b0885ab5
  SHA1:     518e87df81db1dded184c3e4e3f129cca15baba1
  SHA256:   b9cde79357b550b171f70630fa94754ca2dcd6228b94f311aefe2a7f1ccfc7b6
  SHA512:   011c69bf56eb40e7ac5d201c1a0542878d9b32495e94d28c2f3b480772aa541bfd492a9959957d71e66f27b3e8b1a3c13b91f4a21756a9b8263281fd509c007b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5:      17619ebbc2a9e23bd42089af941377ba
  SHA1:     df5b99766c2bccddaedbc7fff396107ad404d540
  SHA256:   2a952c25133c73047ded5c079b9a62e4eb82a6b4fa01412fd582930eee5276f0
  SHA512:   3eebcc0272dee529dbc81581f277b5e1c88a083f5a40837af08d0de96fe1b2adf55f805d2d57b7eb182f2b68f55e93b10fee0bfc49714298a43391c03d0df1e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5:      807419ca9a4734feaf8d8563a003b048
  SHA1:     a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256:   aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512:   f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 573B
  MD5:      463f615865d92339eb68e23cb603e539
  SHA1:     1caff5854dcc2665be53c36fafe53602f39fbadb
  SHA256:   a71ea36b4801d34a72d4cf2e6697acb39eb69abbf866461cc64d84133710759f
  SHA512:   f77f957a18753ea34c90d48bc81ed4a6ff65a8c42036d2ebc622ea4e5bb7a4d76eb1e9e6367d765edba69e83c973dac2670a97cbee3f95d08259ef667cc8b5a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:      02a52d028f2060da31e00bf220ee1c18
  SHA1:     f76f947fd7206938423954e93819648923c600f2
  SHA256:   ac74c4cc39dc43e74a01e3429fcb9554ddb0807f69c5ab2b0a82c76f91a2a822
  SHA512:   f547dd5f82985fe5420e9c09473a5c053306c1da6b0fcf32565568f60987cdab5d4c00bcaee0f27274d5e65f606bb3c8bf7de55736fa08db362e1e89651e53aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:      a7d02366b3db69201e2c6fc9859abd2c
  SHA1:     3f31a048d2ed69824fe420c572a37e3376659a5f
  SHA256:   17e03b4b76626283aa1733050249e724e1c9377ebd5935ef216a58611db773da
  SHA512:   a34872d1dd931db09f6e98d32eb003e83db0dba9ad35d29d0d7e90869d62bccf3c5645075d7275ad21b4c94180c403abea6f4fc4462d51a660344b9ba8e8de9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:      a77c5832aa8eb35ac0d93c8cfd9d47d5
  SHA1:     674425b27060fd873334f168797d9fc04705b0be
  SHA256:   ae10a3d45bf64a288f88a09d8902698bee57630e506b81fe408c05f1111e1abc
  SHA512:   6ad988425c92048c11cea7d4c198e2403615010fa176c11304f84e915f043a33faa6ce59705ba173d5a241601999201c785d2a34ca87e72db923e9071bff0b6b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5:      3d0f981090f5cdbc9fe709a7db0675e9
  SHA1:     89c066894a0c41257259ad76d04faea009e1c5a1
  SHA256:   a5dd73c2fd3b0940d863d37afb3f8c188082de1c49ec56bee3c1daff85f1a9bb
  SHA512:   6b042e5671cc4e349067b89baf39361cf7432b0389d5b90b2f6e392529771701e255ffa4b869f91277d5bf6a7e57710d42249e0af1f77720e77b1b8115691247

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5:      c78663f9f2962f11b6da45f4048e54ac
  SHA1:     3b1bd9eacb119829175aca260b5581d79fe3ef4a
  SHA256:   818d8e5c652c93f8bb064d77e8b8f133a6949d68543179b416acf718522c002e
  SHA512:   9cbc209dbc5a9b83af315b9fb0b7cbcb7b9b616feaa43583c2dd1253311496bec5dc773f4148551dd162985aa2dc0c0c0692a67acaaf616d02e7928400a422d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5:      4cde5e50534f8a4a15cbf43e1644f66c
  SHA1:     2bfe90f51ba196016bbd184b144135b7c754f01b
  SHA256:   f3c8aa3a266a5e1c5ce1f5941ae1fb01d2552e1210f27952f224c2264c8dc530
  SHA512:   313b9c295ed982b86e27c1e1975ea0264824932616a27f45885e6e39c8db0b1bc2c2a33944aff37175c7971aab4baaf289d5064ed07aa2b4764b5a5f535bfb67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5:      c4c481538d074de8818e9844ca609927
  SHA1:     8291b91dd52378e65482d507c290359e8dafb80b
  SHA256:   486238bb15c79d9554939e873247d3f690daaf3c49f2ade099109db366948e5c
  SHA512:   9795adf490f795a84304842c28cca309e6a8b15ffe0db2274ebd67d8ee3cf063c54b2937b7f9402187eb2a913e5991ba9afbd2050858191cd15cc49ffc92ccf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5:      cf76c46265b18576d8706151dcc976d6
  SHA1:     7a825afdb7cd6a8b207d59602684a8390e481230
  SHA256:   89c5ea6c7c08d4c51172fc8ad7fb95b144bc8c46554862f743d30da27add7152
  SHA512:   a1fc199aaa4b3ff14e8fdb184942938a494f740ee48f57ac22612410bf14f9f6414858deb36eeb9528919ffdcb93800a34b5bffbadf535ed01df9e5eb39fb6d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585d0f.TMP
  Filesize: 874B
  MD5:      603d5b44c22a81a109e2fadd7aaa8363
  SHA1:     60193dc9ace47f98f155a97d8350f178bedf54ca
  SHA256:   db7528ec4a78179548c56630f2a808cd6882bebf45792cc5646777267202d6a4
  SHA512:   aa53845632cfd7f49d02bae5920495d0f459f6e57fc06ed282a9fe447fe9303f01af6eb21d935f7e56796b4432cc71d0beea799173af3d2a0f440afdc507bca9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:      6752a1d65b201c13b62ea44016eb221f
  SHA1:     58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256:   0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512:   9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:      4df3ba0382579c119ca690339a8c9482
  SHA1:     e3ce6003a850dafa73cfb17c65344ce1658627e3
  SHA256:   6f522a03444105c507a6b303a9d93ea3a4b01dd682f4024e8c1cbccb7c034b89
  SHA512:   2fb6d84dbb2a94b8fbaaf3436cb058ee0d9eb4234a6f3f40cc15febc1692711731b1c67783bc60a8b99731ebbcfe16003a26a5c39d277d76a70a274a972be24e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:      abc2ebd8ea182f3b3c581746bd9d5179
  SHA1:     0aba2f71823db098e662534edb13b17633d02fc7
  SHA256:   7cb0f258835167172936b962167a8d681c993fdba6f791a2677b91b2c2cf8ca5
  SHA512:   a0a1698765a11741fd2ad0c11ecb7e414b6682cd8e339680e16fcf65b3d1e7acacc45c262a9249f94269271e49d0839f4f0331c272f7e82e7f80dd863f00ba0f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5:      5564f0289ca7d59c97b5a9005b698cca
  SHA1:     9943c9d8d375cd74f323d76447c1c5a78c431180
  SHA256:   d1271dfad34aae38cb191c693a3c1fdf282a16eb845a929f28b82b3cc7224937
  SHA512:   2ec8d433a0dab19ff92eb2f951eb85c24d1b0361a8fb20932550dd4059bfad9c0030b6d77dee5c065b8d4e0357b2b08704513dd2ec291590a76e9a768037113f

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
  Filesize: 896KB
  MD5:      c122e131aa74cac02dca5bfe778853fe
  SHA1:     b9f94624c0ab8940e2e24ac06daf0b02daf3261a
  SHA256:   d15edf3b7ca1ae334d0a7d901e136beee6a62e5e3d7a6da3867fab869ebc04f0
  SHA512:   89d25f2195929cddb9da2f3b988b01769f1216f93bb26b83e71a19ba52944519232859e898672dcc5f4e613aa5197befb0a878a003709d4566e64d81b4d98aa7

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.2\WMSDKNS.XML
  Filesize: 9KB
  MD5:      7050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dllFilesize
2.1MB
MD5d116c8e38a7f61397a0974552ed05ef2
SHA1f7d03237dff9914ba249996c636048f64340353c
SHA2567854f5a9c39aec7c9f61b275be8ff54ef86582edb0c39e472aa19a1a9f2a92b0
SHA512e803f92eb9cad3e500b31b9aa4bbc306c801ff0e893b79bcac1f0cc0dcec63656094bacd2cd7f245985645df2908f9dcdc19b139aac1114a664df770e606e97b
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.dllFilesize
1.9MB
MD52422becc54661742e9b6d3c8f48286a3
SHA130d9b5335ae5a78ca537ebb02b38e3fcfe7db993
SHA25629c1a05a25ee4ba54bf1bc20054611662f887f49057d7a379698654b7e2bd690
SHA5126a6c45d0221210c134789e14ffbad32732959bad64d79db6e30c54811a46803c04560067235478dbe6e230c3d82662940742cb223bd8894a50621ed9243398c0
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.dllFilesize
932KB
MD5b4eec45673c11a1afb04ea40d4760f70
SHA12017e4d8d37d6ab50df3cd61ed0ac456fa088fc9
SHA256f38001962121bf6afbf0845583c5870a0be22626fbbe7af5397f3602b09dcab0
SHA51295f946ec795cae47ff26f55dfebe645cce717fbcc69d87a45f0303ef00715356cc01bb17b611bde41f503cad168d468c73d2110f7767a2aa3e20f504fcd4f23f
-
C:\Users\Admin\AppData\Local\Temp\one.rtfFilesize
403B
MD56fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
C:\Users\Admin\AppData\Local\Temp\rniw.exeFilesize
76KB
MD59232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
C:\Users\Admin\AppData\Local\Temp\text.txtFilesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
C:\Users\Admin\AppData\Local\Temp\v.mp4Filesize
81KB
MD5d2774b188ab5dde3e2df5033a676a0b4
SHA16e8f668cba211f1c3303e4947676f2fc9e4a1bcc
SHA25695374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443
SHA5123047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131
-
C:\Users\Admin\AppData\Local\Temp\windl.batFilesize
771B
MD5a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zipFilesize
2.5MB
MD599533bed5c0cef1bc73e6ffe13c5ff8f
SHA10065a5e99c4a83c2fc916dadb473ad184aa46364
SHA25674e0fb7d85761d7444c70df3e493c6a988bf9b61b650f0fcd290d17d3b4e6cc7
SHA512b60bc1e65b31542a91418ba84797fee4f71a41f32634ced7038b23ecadecabb09afa79801f084945108e034ae315e1d731b5410a64e3cea003cc640713056c5d
-
\??\pipe\LOCAL\crashpad_1620_WOFDHZVOBOWOFEZWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/872-333-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-331-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-332-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-330-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-335-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-334-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-336-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-326-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-325-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/872-324-0x000002856F9A0000-0x000002856F9A1000-memory.dmpFilesize
4KB
-
memory/1444-320-0x0000000001430000-0x0000000001431000-memory.dmpFilesize
4KB
-
memory/2200-314-0x00000000029F0000-0x0000000002C7D000-memory.dmpFilesize
2.6MB
-
memory/2200-323-0x00000000029F0000-0x0000000002C7D000-memory.dmpFilesize
2.6MB
-
memory/2200-313-0x0000000002770000-0x00000000029EA000-memory.dmpFilesize
2.5MB
-
memory/2200-315-0x0000000000400000-0x0000000000AAD000-memory.dmpFilesize
6.7MB
-
memory/2200-316-0x0000000000400000-0x0000000000AAD000-memory.dmpFilesize
6.7MB
-
memory/2200-322-0x0000000000400000-0x0000000000AAD000-memory.dmpFilesize
6.7MB
-
memory/3980-1188-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-1192-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-766-0x0000000009FB0000-0x0000000009FE8000-memory.dmpFilesize
224KB
-
memory/3980-773-0x0000000009F80000-0x0000000009F8E000-memory.dmpFilesize
56KB
-
memory/3980-1180-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1182-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1183-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1184-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1185-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1186-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1187-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-346-0x00000000067D0000-0x0000000006D74000-memory.dmpFilesize
5.6MB
-
memory/3980-1189-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1265-0x00000000736E0000-0x0000000073E90000-memory.dmpFilesize
7.7MB
-
memory/3980-1193-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/3980-1194-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1195-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/3980-1191-0x000000000CA50000-0x000000000CA60000-memory.dmpFilesize
64KB
-
memory/3980-1190-0x00000000736E0000-0x0000000073E90000-memory.dmpFilesize
7.7MB
-
memory/3980-1196-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-1197-0x000000000CB30000-0x000000000CB40000-memory.dmpFilesize
64KB
-
memory/3980-345-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/3980-343-0x00000000736E0000-0x0000000073E90000-memory.dmpFilesize
7.7MB
-
memory/3980-344-0x0000000000FB0000-0x000000000165E000-memory.dmpFilesize
6.7MB
-
memory/3980-355-0x0000000006120000-0x0000000006130000-memory.dmpFilesize
64KB
-
memory/5056-339-0x0000000000400000-0x000000000066B000-memory.dmpFilesize
2.4MB
-
memory/5056-337-0x0000000000400000-0x000000000066B000-memory.dmpFilesize
2.4MB
-
memory/5056-1266-0x0000000000400000-0x000000000066B000-memory.dmpFilesize
2.4MB