danabot | hxxp://google[.]com

Analysis

max time kernel
234s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

danabot banker botnet discovery trojan

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\DOWNLO~1\DanaBot.dll	family_danabot

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

125 436 rundll32.exe
126 436 rundll32.exe
128 436 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

DanaBot.exe

pid process

4328 DanaBot.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3096 regsvr32.exe
3096 regsvr32.exe
436 rundll32.exe
436 rundll32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

122 raw.githubusercontent.com
123 raw.githubusercontent.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3816 4328 WerFault.exe DanaBot.exe

flow	pid	process
125	436	rundll32.exe
126	436	rundll32.exe
128	436	rundll32.exe

pid	process
4328	DanaBot.exe

pid	process
3096	regsvr32.exe
3096	regsvr32.exe
436	rundll32.exe
436	rundll32.exe

flow	ioc
122	raw.githubusercontent.com
123	raw.githubusercontent.com

pid	pid_target	process	target process
3816	4328	WerFault.exe	DanaBot.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DanaBot.exeregsvr32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{2E4FFBAC-D543-4D76-8098-ADE10E60A2D2}	msedge.exe

NTFS ADS 4 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 205927.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 833086.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 99631.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 391452.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
2768	msedge.exe
2768	msedge.exe
4224	msedge.exe
4224	msedge.exe
4412	identity_helper.exe
4412	identity_helper.exe
3516	msedge.exe
3516	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
212	msedge.exe
212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

msedge.exe

pid	process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4224 wrote to memory of 4312	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 4312	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2752	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2768	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2768	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 5116	4224	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd582646f8,0x7ffd58264708,0x7ffd58264718
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1604 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7284 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7376 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,1614190733416318981,13143965602481955622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Users\Admin\Downloads\DanaBot.exe
  "C:\Users\Admin\Downloads\DanaBot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@4328
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3096
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 460
    3⤵
    - Program crash
    PID:3816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4328 -ip 4328
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
122KB

MD5
aec7a249743f385b3c48f3b1d8b8682a

SHA1
4009f83a6f941e63fd02e4f7b577c952e0cb5cee

SHA256
4d632366b2df545e01b5a310104d67cdc3da45463e30f4dfba992694c0633ead

SHA512
32906c1b45aca4c3e854f5ef20bc1b4778df002b4f07bdf93bb9cf7f8c1c305756b92c418710d871b7f451c7b92a6170c9457a2342a1de90272b35304d4b12c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
41KB

MD5
00d4cc262b70dd3d386111ff78fb0812

SHA1
628d4dcee1e82d04ab3969c29e256cef10101407

SHA256
956916ddd6bb5ebde0f5df3605a524d1624ea335cdc6bd5bf26681d3a5ac5239

SHA512
12f3cf77c4ee58eb00b08ced394d35e35237da4bc9ca62b1408c6dca4350068aa94d3a0e98132aa0e6cbcbdb7dee9c2b9c5399ba7c4780442200ad37a4c2b1a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
27KB

MD5
09ac9c9a95dde9d928585489b55a7a53

SHA1
a0930234469184cebbc08e399bc4d7ad9003b2a0

SHA256
a2b2e70072c91efc39fce757a94ccb51cb7de56c2e2accc7501947ef0509a612

SHA512
0b6d68f9b28439a56bd0fdbd391f8107023117e985a7087dee483e7dcb998897db2e7ec4cdbd551f6546ec648c2c1b8a4345562f9640bcad14fbedaf2730551a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2950260016c0ff94449ac5cf98a9f8d4

SHA1
181c8538a3de447e2b0d6440989f9ccd8adf6348

SHA256
cf249e75cbb218479d93976fc57d816a01433191457f941c1b7373f104093d19

SHA512
be17e087ce5b9d9036c0776502bcfb0ed21625a466fa1c8689a662a336198a6014dc755ccfee908b13a3ae7dd1e036e401ffc86a7e2631375abf21478fe614d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7444efcedf0016b34971c0e5947470c4

SHA1
b7dc1fb6b3b90d936626bf6ec5182abb1be1aaa3

SHA256
9c1d5676b8d23aef2df4785074ca1050b40e67658b8760f4b5ea3d2f4a3c6305

SHA512
3bc195d3047370abc9bead2f086de9f13c25a19263f133d7a503568086f561216f5517d990c32a8cec78e5fcd6862d79871eff7977f952a848d070a1d98004fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
c36c37505c26375280d3b03fe002eed8

SHA1
58497f54a91af34fddaddc4976c2bcb6cbd1a8ab

SHA256
b1873d3ba6b5a7dc95650c06ada7bc65beb234c68895d260104b978c3478c9cb

SHA512
4d5b1fc944b07dc78c098103cd305976ff19eb051629f0abfcd65981b6730cf2ce8b6275bbf5fa995769b19e666c6988c223009836deca325e176b75a93c0270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d56266b72de050c0a1c19e5be2a53153

SHA1
7b3f308b50408446931351eac4f89dfec065bf15

SHA256
a7bbf9292c0a4c8e33c69fd90bf58bedcccb3348891c96b6023346757570b916

SHA512
10a64655e41ab29379bcd2108ff270d3eb26dab6755e18c7151fb4a9b4e0f3f2950008048a9b0c3911b5a32327e2db3a1a8a0084f0f954b4cbb56fa181533fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0e330ddcf1737e2390546dea8454af0e

SHA1
527989278a35ad5f75fcc1a6cd8c06b1639abb4d

SHA256
c0aeee7448e504bbece48496e2fcc73e20700e12d083cef7dbe8b1f635e62918

SHA512
c3a506d628609e0564f9c42095da6acb8d87e2bffbc59c1c9e07bec219cf88f3be3bf708e4e37c14ff7d658ec51e121d0e9812dad041ec4668103d14e8478eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
89c71fd800541d3c8796653079de313a

SHA1
df07a09840c5379aaed665885639ef92e3573736

SHA256
39eece20d20fda439aec7348c5dce15417b53392b133dcd2c462170ca5cd2d5f

SHA512
df7d3fbea8ac039f98fa0df26a2b4f3126162d67a0816a13bcc846f041a5fde78e260b292735825f404a5788da0f662d4901831213f7dea6eb173d6ac1af9c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3d29eb0b1b4c25f3b10616a356ac86fb

SHA1
198e75a55b7a70868c6a272739502888b453e973

SHA256
d15112060083d5becbe5cb86069ca675f38ec65e051dfc398b0c993908d3278f

SHA512
d4c51b0483c6ff5db3767d53ca4cfe67ab539c0b76387333adce9612bd64fd8592f0ad02b92d78733c357197ca34f40ecb47fa3a9c6f3acb46e94d8d575b1380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fdc59dcdc32766d57e580e877a117ac3

SHA1
86897422d9dfca33fcc1b31d1cb5ee31f9bc181a

SHA256
b83b653fc19f054740496bb8ba060642a4cfe02e680d99c9cbf49efadac46c2a

SHA512
07f9914534d23af4c45ad96c550e62e3916dd9be58ff2b8f4914e5575a18a3b92c96476ddecf7cd88b7b650969b7d0b28db4cd6157b1ab591824d0be9ba781b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecde8308fe8f27bf71083cf2f5aa9ae4

SHA1
13a91b0ac3cd53b503241f903d0cf746474bf6c3

SHA256
e7402868ba3e2b84289071c818a06bbba5f9c827ae65d044fa4ebd932fa51088

SHA512
0d4948a436398a73caefc49cda7c2825af2f5af6ad62eb7a935f1da5a1b2c0f80afea6fe244888171a5cbf94c857e948f3d7bd1f38e5e44495ad88e9065569c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1e4906a4e64957cd74c208ce8619475

SHA1
cf2c6878f9c2843dde9a07e20f307eecbbf45df3

SHA256
122bba17792632636776af62bf99434c3e6645551830ddf41262b8e237cbe85d

SHA512
3afe7f152a12d72dca8f0072288e81b47e1f7eecfed759dbc6fa01ce2f8e9463224e69a2f31e5c29679f639a594d05ce2782e2532c31fec639a127f334d6eec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7fb65f4fadef8d596a17a12f22fed7f3

SHA1
25ee0632cae66d342510be0be907b6d77f58d42f

SHA256
115811e44986abba4fcf9e414e86631ce2f2494ca8d69f8ab25b0ef153f11f11

SHA512
8da32ea26f035c92f26f17b4cb17cc7b34c382105ecddfb99353ccec0d1f8d6f2fedd49256a3a8d4f76472d49d00e2a7850bab0ce5ccb8afb7991351f1bc2d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e97a4786d84de3247ca06cd1acaf820d

SHA1
1a6f26ff999fb945ea41d8a94781b66ac2f97e17

SHA256
cbbcde005169d50eeb57baa43ea2964b21a553b773caac60e6c3f6d7ed4b7609

SHA512
a1f9ded16175578f7f43fe709a953530464059989b570153c9c0797b33e4a03cda61fbe23326deb8b552576c16b18315fd0ea4a8e9c9aff8e04a27cb6763a3c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ca5d03942b9de4826303f405ef2703bb

SHA1
7d061d3e390f5fb0e0c08404eeafc844d8de378c

SHA256
d15a5dcf52e8fe02e16b66850a7bb2fbe295d170e3a3e00356554afaf727b24a

SHA512
411658f4ee218b914d81154ea39207914052b2a1684b35f41bf19444f467c3d6712dbea190d12cd0ee5cf7f386b1bd756961d20684a771156334d82223f35dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2b3b58ff4f3e90b0fbac545afb09ee9e

SHA1
36b2e1383d8bf0abc33e5154aff03f68fb51bb7a

SHA256
3a79f2c8b6f2a32f9b04d6aceb781bacc4d840c420ac771031c7d2228dc6b95a

SHA512
7adc5936fe871947f85346ae3c7f187f755891e74a1b1587b5306700ba89912db81597bf5370df1b2042144c4b1c5971fd2896b9867e31b5995f10bf958a12b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
55c3be29a8aa5044f7c8077571fdfb78

SHA1
b9b42606e4f755f21e3d01bbde0d608e8d7ed8de

SHA256
714a166a9d1fd3135e9d3eb70b5d0b0b00d62e14fd8b54983cc9a7665c31b2e2

SHA512
2c8ae7f00959e325645e655aef5409ad5fe23d76947c8b855d9477535966fd299b84f04c69d5cdefdc317a5e207cf729f749b172a63c892a62c68c6fe765f872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e3fe7298aae416e2a60a5795737b8d09

SHA1
44af65e458381c9730988067534ade1d555e77b8

SHA256
fced714f7002d719d8d47af148d731fa802b77d7185c3f3f7b96ac7feb23368a

SHA512
e7c1c545ef999f4eb7a58d87a7188d6a3b2f3a6fe467e107efda08b89173ee659a419236b9b4e7041a3032890683e30b1ca9bb51a504414cb47c48c330f5de74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
11ece9631ad971fe40b5349289174344

SHA1
c46ae1c2078c42b1babb8c3d6f2e0e20f0298d78

SHA256
067910411af349724fc9973bde96a09ab676dc8cac6d4e2e653141ca467792b7

SHA512
c3be2009adf0d7a4a25c705c0671279fe5c7644e30ba4effa21cf9b66be505bd0f0cc76572cb00b7791b04fdd54fd4e67113db7a7eedb8c127419dea27ae37c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f1b7a7a2038194b9dd8b28e7c63ff65c

SHA1
23434e773ad9107d1948421fad993f33ef502bda

SHA256
d0de4b825c894c747ee09314c11e4d8a2f37265d809cd62ed3a22a5bcd4b8236

SHA512
6e395b8e4a38919ff53444eacdf9e95658c771b0e9a98dc0918c7237c1265e1647374bb69e572def9016b574ae4357090f7f5eda386961cd57ff716b993ce344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
cc18ba7aa3f9bb458cd4cb50cfaa0836

SHA1
40245c85ae132f8b6dae0c096815c7575b92d221

SHA256
4bcf235a90bb404f1dfe5ce1579fa94778c1da3ba7e2522d5e823d6312cc069d

SHA512
af23f48b7da8fae89fe0791a5fc970fc6e902cd7534cfd5599480fb28ab390b77118fc154a27612ef498d15c6169360c9f0e79a43c5a1e06b4919f7f0fcbf8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e02806dd6be9f8362b7c20930f4c9e5

SHA1
dcd915f22ff406f2535889de60f04c908a0359ae

SHA256
9d5fa92624c8694288ec031394c1c796116fc573a3ba796e29dd980364f1f6ae

SHA512
9abed7efb10a789d0361484edbffaeb3b06e7a247e733f757f2e299a857707d808787d0f102ba16809a4d095456adcc1f79cc9d8d95ffa18563197482bde7c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c2cde915cc666ffe9b7bbc1acb2f14ef

SHA1
7788b3d832080e430e66ef30bc649b0dd2e0d73b

SHA256
33a857fc3720ad007eea896ea28cf407cf8c6fd99fc11c2640934f707f5eb447

SHA512
4fe2cec6136161f03c3fd912d98068375d8052a28f837ebb0ec97ad16a0cd3cf769638b53f493045048e7651598ce1dabe042bb5ea5308fdf35ac4336088ae72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591582.TMP

Filesize
536B

MD5
30bbeab392982f247029a8093749d10d

SHA1
6c7adbd9922bb131eff6d379ef873a7f8b8f4b5d

SHA256
e0af57d2f09ef9f1ee548427fa671e44a30203a33392249b4d4a77cf8ab9fe5c

SHA512
5432c8247a9ca470843d465c8f0fd081c618ef5f19ec7246f99aa613a28fa57b6d5823968c31be44f5b2c5c55939132cd1fdc5fcc396f23d382c2645738e2f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85a80fe4649aeb93fd6f33a49202d7d3

SHA1
0ed6bc51f91b0914d0b140bddad0f34d8ba0f3ab

SHA256
d2355b25a9bd79e20ca1872701547358a8b65f47e0f0c52cb5735e3472eaea53

SHA512
f6bf1f89318a71b2cc851712c5ce5eb856e6ef50be55f67efce1a14cedfc2d401d1990e969a51a60492e885e905cc1c93d44ed009ecf8faae3eca26b1553a918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
95e1c57ee1b5c72f1904efb360c136e5

SHA1
fe034ed3c78c34ce1815123744f191dda375e78f

SHA256
42c11a54b29186a6c712fe8d6c6368bd29d154aecff0b6b72d8097486f667ac9

SHA512
efb4916aec1ff3551339eb8ad54261a41b225f9e24cb9263edf7d284541d75808e07df9e6012cde0ce022f2bec66c8bbdeec56faa7e14a7f93fb4adb9d1801ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\6ce383bb-b2f2-45a7-b748-be3dfcf1f699.tmp

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
\??\pipe\LOCAL\crashpad_4224_ACLEODLMFRTDEDCZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-902-0x00000000025A0000-0x000000000280B000-memory.dmp

Filesize
2.4MB

Download
memory/436-933-0x00000000025A0000-0x000000000280B000-memory.dmp

Filesize
2.4MB

Download
memory/436-939-0x00000000025A0000-0x000000000280B000-memory.dmp

Filesize
2.4MB

Download
memory/3096-899-0x0000000002630000-0x000000000289B000-memory.dmp

Filesize
2.4MB

Download
memory/4328-903-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download