danabot | hxxps://www[.]torproject[.]org/download/

Analysis

max time kernel
590s
max time network
591s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 11:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.torproject.org/download/

Score

10^/10

danabot banker botnet discovery persistence trojan upx

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral1/files/0x0007000000023783-878.dat	family_danabot

Blocklisted process makes network request 2 IoCs

flow	pid	Process
171	1748	rundll32.exe
172	1748	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4604	regsvr32.exe
1748	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4412-884-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/4412-907-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Trojan\\HMBlocker.exe\""	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2848	2732	WerFault.exe	146
5064	1748	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HMBlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{EABE3972-9915-4E01-8323-B9233B0D3705}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
2028	msedge.exe
2028	msedge.exe
3836	identity_helper.exe
3836	identity_helper.exe
4900	msedge.exe
4900	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1444	shutdown.exe
Token: SeRemoteShutdownPrivilege	1444	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1048	2028	msedge.exe	84
PID 2028 wrote to memory of 1048	2028	msedge.exe	84
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 3620	2028	msedge.exe	85
PID 2028 wrote to memory of 4596	2028	msedge.exe	86
PID 2028 wrote to memory of 4596	2028	msedge.exe	86
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87
PID 2028 wrote to memory of 3024	2028	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.torproject.org/download/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b2b846f8,0x7ff9b2b84708,0x7ff9b2b84718
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,11455968285725267231,4341776398962655359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x470
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2832

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2732
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@2732
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4604
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 920
      4⤵
      Program crash
      PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 464
  2⤵
  - Program crash
  PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2732 -ip 2732
1⤵
PID:4708

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:4632

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4412
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 6 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3268
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1748 -ip 1748
1⤵
PID:2592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
41KB

MD5
c79d8ef4fd2431bf9ce5fdee0b7a44bf

SHA1
ac642399b6b3bf30fe09c17e55ecbbb5774029ff

SHA256
535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

SHA512
6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
1.2MB

MD5
771f4dc9c62dd576d8433571a857a40c

SHA1
7b4fecb308d4640cbac12494809d82426607122f

SHA256
5cb56ef854300e6c5be352cf1ffd360f4fdf272edf69ce95b9b3fd4c6473c3be

SHA512
ffc953bccd24128e7a04bcf64a17a50ba21e460efceac4308206eee9aee86a46d1a02a7cb7e3faa4f554c2ee12e8222acf281478651c1b70e06550ee5fb8b090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
325f9b7b8a1a8c2c85336b77f57e7ac2

SHA1
19a84b8b870a9af119bce33ad7755b11794aa153

SHA256
f8d7d0fe4ea46d8618c74e359e8b050570738af5d0123ba0d69189d78bc2261a

SHA512
2afbcc00cc312721b5219eb784c9278785b31b11250879c465d4081828b2537f3453ce988f5c116deb5a93e2645ae20f23b15c2dab39a079d2092633dbdf5abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
74d95045dbc24472165289e2258769d5

SHA1
b510ba40ce088b71a46f08123f6ba2cd4f609eb7

SHA256
7cd1419e78520a3bab7080a6e3fed42a445d1dc02d44934ba8dd53e69a7ba022

SHA512
38a543d31dc0f4752addf90f57a360ee584f188c3bc22cf80d43e43cab12d9281da03413e942d5cbc3d83a7f06a131a007cbaad52405ece110723eed28f8490d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e161661b6356075abff9bbd239a1dbb3

SHA1
b14e3d669aa7a0eacd8c600c0f0d9642d4b1a508

SHA256
187e771aa95a9b4c9491756088beea493008e57eb24a877c5dd9a85d6d6036a4

SHA512
52cbc88d18631f7dc943e4def67e2dbd2f984fc6a9a731f954b8a7aa8575ee85ea9b87dabbe740fcec12c5d74dbf6c4ac2b0eedcf3e199eb657b53dc10ef6369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
09e19a4e54d406eb75241f0f101c4556

SHA1
b5b87d0cf61b6875de050450d2b20caa95865c45

SHA256
7c59e2ace422877fb1c54dc18060476fcdf412c9cb8f6b614e8e7e1e626bbb19

SHA512
ebfe0adf6f9c0a6fb9b9e7eeaacd39a41830b238ed43e4fb8094615546f8297c6e62d445b705da625d62628a2c3383850c97c2860c935c530a4e73a1eb6607b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b90e0eec7b089dc5aad5b69a5ca30c36

SHA1
5d24092ecb313e616470edf0f42655b662b3a1ec

SHA256
788831752f44057512996171ef0ded7829ea67a3f6badddebd6f0e91a021bb9c

SHA512
3bda45735a4c4de499c9a3817309dfa1792286895fc45c9584204f0375153a95f78a06f890c9d01ee1135a946c0b3bae65873e9d01ac6cf3054ce1a9431a3310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5c3ed93499389e988027d8543a070a8d

SHA1
2b21b221e790fc739455d8299a48381541832b38

SHA256
bec5196a7b4313a6cec8388a19bc96f15c9fb8067afa4a568ee8698a5188b438

SHA512
ed2a9c43315d9df82526a80a36bb4a2adb77896258d410d451d7f21235db1a7c42db23b0a56b2e751843ef7a907d000612308a63fffc368d0b883bd9829a008c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a6729d786558b1a5e4d171087e097f00

SHA1
2ece4b48d7a13a013419105cf07692354909c4b8

SHA256
b03ce3d312e6ae1788013216231b0683b61cc92a4df34a318cf923da2bb420a5

SHA512
a4758bca3f802d1c3b601240e94fb7e15b7e1955956c32df07d523b984d9c9011b13e6bdd1dda3e6347d10f7a7a4d9f17802085126a94355ebb55e8987d9b36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ad116c94cc3bd3b41c48bab397fb2f0

SHA1
f0e4f290aa061c986f5f5297cc5260c784580220

SHA256
95855c3d1b00a44884d9cb2e960eec60dde5a07d7d50728f87f84fd12e1232ff

SHA512
c15c63f56bb77ad1d94ec153a72829370f10712d820f088e1f30712f87aa5584d2cf4454cf805f08c6944a9aaccd233728f8163ed6c912e4199db6e10c597556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ffb4168a04a65dcf04aadfceece42367

SHA1
7c9a97b417a1eb865553c63f99f5d6e27a329f36

SHA256
4dc40a73140a8f232ec6aa26a9dffa0e9a154b934940e73ae914c37db4fdc7a9

SHA512
051cc049eb1e343300523ff94beff65abde999aeadd1b8e28318efd9931505279d68e21de2d5bd7b9c41f0ec5cc736401055405015437d7af85bde5aaa41137c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2bf672d750fcd41be8f3f59e767d2c8f

SHA1
0a6312878c6f25d53c61374183b63acf381db727

SHA256
b2bab6321fe1ac610846ebd82a82da7f9516c8e021fdf931e31722d2d8414e78

SHA512
dc409de2cac91c68f2a5cdef03288c37f1ef518c60f210a02f54d54621e7660096048a06e81ef8e861d18cb818c613b9d753e63c4238a82df49a95fd5fc1423d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e9af006f5c4f360d5601a7605767759

SHA1
d034214d2b484f3e98f999830095f134d4c98285

SHA256
02c591697049fb576172c9d40b174f704217cb5731e00931ebf50d31eb585d0f

SHA512
ebc8c1d771d927d533d40d9e3452b6b40e8c4c203e7fe02bda9b80c7b486751eced689df9485360314df3e043a2b8f46c882aa69147c4cbd535e633330327156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
be46c0b8dd9b1bd090a31c265bfb69c1

SHA1
8349873d06824d14a4560d806157c9fd33115947

SHA256
0ce5722d1e6cced8bc7b97cb5af61ab63d3347d067bff24da1dc3823c8abc1df

SHA512
61b950430afd444af4cd2296d200edbeef0aea0105a340ba2287a0140611ef88ccbb8cb0abefe259887350bd27432824cfed24c7d7719bf2abfc179cdadf5f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6979f26bc95847bbecd4f730f87ee44e

SHA1
c29e215fb5996152bdb190fa5a2520c25e3276c8

SHA256
94825758eb9714561d65af17274a285aacef9d7137b0b1f378595f27c7bcca3f

SHA512
634b4264368ae722868409380a848ede9f3ff784e0e4d3239431d1ba68296175cdb6284a1b6b54ac4102c011dd83dce3a8dbf9ebf8e7a68063fdeac7fac314d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce1ca6ba3de4ef23bf11cc738fb8994d

SHA1
3a216ce77382da119db6ed55b91f500ff84ed713

SHA256
351126cbc782675d5efd7116578fa2cc3575881f3ea37072efb4ba5378788285

SHA512
59edf1b7e744e64ab719d351d7093ba88c22c859d394bba5346b5f514f55e66ab16a4c7235db3c0a7fc4180d25dbfd12f0eb2ab09a4c485eb3d9d871b4867c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
adcfaf24227f202824fcac78c0dcb06f

SHA1
48beadf449ebdd3b551ec50643a329463101a3b3

SHA256
bbea9b14bd1317c161106b4665f8f0554cf4aa1c8463f31ec2a9f3e93927e037

SHA512
dec8952579117245f37060be97182827bbaa78d2e10ddbcc7aa66e9ab4055fb19f714f6a38e69648644a4a09d92ffc11d5fef47578edaccad9716381d778ef48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4eb714e257978c2ba7bc984d97f7729e

SHA1
43e2fbeec8ecf78d6be4be2205451ed46cc8b885

SHA256
e3210fca6992c5e5c0ec081eca1b151acd354a1ec96d775455c92de9de35be02

SHA512
25c26b7a6fbc6d3002298628e8de0443328b730e396592b066814c6bc243e7c5ee2739fe9c67031ce3e438e52a6e2a838607acc38e550f16bbd709930121d396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58078d.TMP

Filesize
202B

MD5
52abdc4a61f7f8f42cbeeb9c91acb74a

SHA1
b2f50e832aee0175f03665b2cff60ec182c30001

SHA256
95e6e9fb5f3894e15c94b49d05016ffa10c27671e20ec09f4241484646bed2af

SHA512
a76424b1591bab734c9e303dc97434d5030a67e70dae922eec9ec21c9ff6e11ddcc4596dd59022d283b71a806de71209e846f07ce71ab9fffb2b322bea68ea64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2586a22611845e53d7b541d8a28b8a50

SHA1
2ecee570917920bcc2526d6092b94408c2c822d2

SHA256
1d47344536131ec4df12ba708d0818fab6f3b93be15b29f7265f10f945c23259

SHA512
a5cca64138327e80546ff04e28fb9632c345b6b5a23713112b4c17886a6f43ebf2cb697b85da91cc1e7e866c0ae93caadb4c9fd7438e162c312a5ed3e6ec6126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98e9c0b8aa3f5cdca8e42fa2b894532b

SHA1
2f89787279daf6841e033514ac7f263ef3e0a3cb

SHA256
652f3edd5f7c4eb79ad93e44c3df382ce58745d54a873959896e5e586f0dbb2c

SHA512
73bbcd2a52ed7a70b1b9e18a7d131990cde1e78ab3843ad43e6582b62586df860cae8a8e9eb77d29c19c45855b4fd6cc649086a2dbd1707acc71cedf99d39099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e66a8a40a38611fd792353f30c0d1aef

SHA1
a70c8058a28aa4b5e06977b00a978f2b38c1b1db

SHA256
f9439ab44d01bd5955ecbe8932e44edf7b601519a8aa32619d9bf3267ed5eeae

SHA512
148ef633d4963ab3a269604c6882255b7459ca9ca252aca650a2933bd1d19a7e7c3fa384f81ac85640b36ec2230b50a79449849ff56ec86a360a77007e6318e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
62e141f88664af44cc7bc50225b396a9

SHA1
2a84409a01326e507c7f2df42d0b7332b4454443

SHA256
973878ab4e674bfd0d113330381a7afd312ae656a499015d98da900b03fefc3b

SHA512
892e2aecde4aca756ff70a587e7e0dfdc2f87d0cee0699299950b85782af6ba079a87ac6955f47b7521ef9f54710f5a82bef40419959780e9e4ee58383d00311

Download Submit
C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
memory/1748-882-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1748-908-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2732-881-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/4412-887-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4412-886-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4412-885-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4412-884-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4412-907-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads