Resubmissions

21-11-2024 08:59

241121-kx44aazrhv 3

21-11-2024 08:54

241121-kt7d8svncp 10

21-11-2024 08:52

241121-kspsssvnbj 3

21-11-2024 08:49

241121-kq1saazrdw 3

Analysis

  • max time kernel
    277s
  • max time network
    279s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 08:54

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot family
  • Danabot x86 payload 1 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Blocklisted process makes network request 10 IoCs
  • Drops startup file 26 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 14 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 20 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff553246f8,0x7fff55324708,0x7fff55324718
      2⤵
        PID:2128
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        2⤵
          PID:4984
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2116
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
          2⤵
            PID:4664
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
            2⤵
              PID:404
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
              2⤵
                PID:5004
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
                2⤵
                  PID:4836
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1932
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4800 /prefetch:8
                  2⤵
                    PID:1564
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                    2⤵
                      PID:1368
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
                      2⤵
                        PID:2996
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
                        2⤵
                          PID:4836
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
                          2⤵
                            PID:4720
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
                            2⤵
                              PID:2032
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:376
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6204 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4068
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1652
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1404
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:4460
                                • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
                                  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
                                  1⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1224
                                  • C:\Windows\SysWOW64\regsvr32.exe
                                    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@1224
                                    2⤵
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:2464
                                    • C:\Windows\SysWOW64\rundll32.exe
                                      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
                                      3⤵
                                      • Blocklisted process makes network request
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:2308
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 460
                                    2⤵
                                    • Program crash
                                    PID:1548
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1224 -ip 1224
                                  1⤵
                                    PID:1972
                                  • C:\Windows\system32\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
                                    1⤵
                                      PID:1320
                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe
                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe"
                                      1⤵
                                      • Adds Run key to start application
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1872
                                    • C:\Windows\system32\AUDIODG.EXE
                                      C:\Windows\system32\AUDIODG.EXE 0x510 0x4cc
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:764
                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe
                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe"
                                      1⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2460
                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe
                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe"
                                      1⤵
                                      • Drops startup file
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4848
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Brontok.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2732
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Bugsoft.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:180
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lacon.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2360
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:8
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3392
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2448
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2324
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1012
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4836
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Ana.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1344
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:892
                                    • C:\Users\Admin\AppData\Roaming\Axam.exe
                                      "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4520

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Autoexec.bat

                                      Filesize

                                      302B

                                      MD5

                                      3565a089a0f8b2b5afb04ec4379b44dc

                                      SHA1

                                      4075ac633db35b158e4142860a2fd4f331780f9c

                                      SHA256

                                      941689078f2ed21767fd0aa5ad330df33b8a0ac96acccb2020f307558d6087cb

                                      SHA512

                                      112538d7d1af9c02536db20acfc6cea3225341d0f1468ad49ab980a65c74c9111fbf2514776e4e40bd2fbb13d1703dc47cc647b780dc503be99f6fa712c925a5

                                    • C:\Autoexec.bat

                                      Filesize

                                      453B

                                      MD5

                                      3c134fc18e7bdaf02d63571d193799ad

                                      SHA1

                                      7e6f22569d16202195410f29e6c74d093f1fa930

                                      SHA256

                                      087f1acb6ed4d7563daaf6f0e1110dc7b3d5b4d6130ba19389cdf3eb90e9d347

                                      SHA512

                                      5b02fda689e01d570fced10841daea8f543467b9a0ea138149c486c6d9fd56a0684901af16cbf2b3ad7f1d0b6cf6b08bc36288afcec4d5552b5863ef854570d6

                                    • C:\Autoexec.bat

                                      Filesize

                                      604B

                                      MD5

                                      9ec5dcbc21f0309fc9c7c545063986b5

                                      SHA1

                                      eaea4f607aeefc9f6081d4b122ebaec421e7029b

                                      SHA256

                                      273c2c218dd1d27bca1ad23115deb50ee860332b724f7a1b1aa906e055d0d38d

                                      SHA512

                                      e2044e50dd09b7df76b76ae96f1fbfea85a73e5055891df4b464b8cf981f5ef623fa660f6b5c3beda289d4166cb39a38e3153a1ed6e4e74fda7ea0914a3ea935

                                    • C:\Autoexec.bat

                                      Filesize

                                      755B

                                      MD5

                                      c73f3203dbe2960f84a494e1662db2c9

                                      SHA1

                                      27835a0be12637153e54411bea70546c1de82770

                                      SHA256

                                      60683424722818828849fcd2e3893265de28c94d660d64b8cb1d1f31a20026c2

                                      SHA512

                                      4cbb057b8d9760f0e16bfc110405f2f239c52b0559a59759e310266fc6bf96e84fd5798a30bcbea56e748890ce335825845e0df1c269ca03501cf7f32e0cb1cc

                                    • C:\Autoexec.bat

                                      Filesize

                                      906B

                                      MD5

                                      73e598672cece33b0c27f3a2f8d3501d

                                      SHA1

                                      cb1955298a70cd5cc2f55fe127a56dfc6fbbccfc

                                      SHA256

                                      0250e34f90f6e94dde2cab734f5ac2cb9c6aa9fe1b91d7e9e651f20645296363

                                      SHA512

                                      4094ba8f8b335133b836702d58c6660d2edc74d869f5bbcc1bc5a4a30f4f60e79ed4937464f0ec2f10daa4b1d866ade04c179b14450d0cb3f73ccf4b2c00fcb6

                                    • C:\Autoexec.bat

                                      Filesize

                                      1KB

                                      MD5

                                      3b1cc48b2addf796ebde1c6d0c020bea

                                      SHA1

                                      53b249bef441ad8dff4f5a90ef149ab10803cfdf

                                      SHA256

                                      d8c19dae05edffa4dd0957dcfa45eac44273842b1364c5a999a0a21c1108ccf8

                                      SHA512

                                      525cac7d2070540abdfa8b6ea43631610f9c7440346f319b90c1826d73d7d125d165a2718a04f82eac1b47202afa1b6c6f2576af0fa76b03f9058bd21fa90f77

                                    • C:\Autoexec.bat

                                      Filesize

                                      1KB

                                      MD5

                                      64fd1f107fe39a118a1e0df6a2231c21

                                      SHA1

                                      1757c6e25e245eebd74994acefc148a55ca85675

                                      SHA256

                                      a671cbd881a552e34f8c7594f6dbfd1442d5a702ed914fead3cd0fcc5f37d51e

                                      SHA512

                                      450e1a6ef677bd192fac285af9aa2e71267d1a8ba138fd3a5a1da9f3267540fa951a1e9c4e2b3bf724f326d5c20eb51113005660c7865158ad0669089c16b53f

                                    • C:\Autoexec.bat

                                      Filesize

                                      1KB

                                      MD5

                                      d1a3d2a396b79cd871f99665b134a49a

                                      SHA1

                                      2ab15e630b751e94d72362f2b55f60c4d7f35f40

                                      SHA256

                                      7ba07c3784813a0f9cc1ff90f54c5517e288bde40d5ccbe8b098af4975c16ee6

                                      SHA512

                                      d88ddaa9e3e9213e7f9bc19da72011e51c66199b10557e79e2edc5e50f0879a51216817a9dbede8807c8ec8b8b9457482f49ad00576c0c214e0bac2d034b79c7

                                    • C:\Autoexec.bat

                                      Filesize

                                      1KB

                                      MD5

                                      865a45b31cb7baefb3b71ae51eb67308

                                      SHA1

                                      42094765f9627e713f573b2e6a203183068a6159

                                      SHA256

                                      99f2f70a9e34a9c63f6107b8308e41b83139f62b72a2f2ffd2394b0063ec79e2

                                      SHA512

                                      70ba8d348e1954b90a078ff47b9d63ca7663b9ae7c0c8e32f50b53acfd928465f91cb36760a1560d80d33ca07e7e815e18905b0b104ae52de80e5a58fdc73d1f

                                    • C:\Autoexec.bat

                                      Filesize

                                      1KB

                                      MD5

                                      f66b8249919fa2b7bb00beddfffa2f9a

                                      SHA1

                                      321e81d7eead2350c57600ebc6ff0a9b4a4e06b2

                                      SHA256

                                      8ebb03500bb9833bda093b9d8ababd2bb633a0b97913765e05191ea51ac4adcc

                                      SHA512

                                      1034bb1e17c26c928a9b2cbb5f7615754af844883980922adf7f81e10821e6851780d49ee4edc8de955cc3d50e84f4ad7b57b90c96d9ca7f4f63acabd9449d9f

                                    • C:\Autoexec.bat

                                      Filesize

                                      1KB

                                      MD5

                                      b7922b0709a026f2188f725dae20b6e8

                                      SHA1

                                      4b91513018aa95f062f4ed4b5b9f88032b7ccbe2

                                      SHA256

                                      0e81b90f3c97c85cdd3b4734667ecd140045cd795e89b6b3fb28bdbc1d0fc015

                                      SHA512

                                      02f6afa56f7ec2fb4664d0e9522a5a5d0a1912e4f830d8b4bc9c186322d0fc21cfa0f2e65567057ba8da1cf1dbd44e886b9b393a0fe47a7b60665d36b6790fe1

                                    • C:\Autoexec.bat

                                      Filesize

                                      1KB

                                      MD5

                                      f97e2548b10247a8f61605db9a7f5946

                                      SHA1

                                      6ef69ffb824a6842f6bedb2f800cf3e31ca0135a

                                      SHA256

                                      3cd268a890a1e10796a4d9c43e7d678baf8ff25b614c8cf45f23f18c0bd3fbff

                                      SHA512

                                      e4a68819058b08e55000462a177f137575ebb741c021ce8ae471335bbc0678e095e6fb4e499ba7e3ec18deead014d83b2fea7c2f378ec67888aaf0ebef0734b0

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      d7cb450b1315c63b1d5d89d98ba22da5

                                      SHA1

                                      694005cd9e1a4c54e0b83d0598a8a0c089df1556

                                      SHA256

                                      38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

                                      SHA512

                                      df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      37f660dd4b6ddf23bc37f5c823d1c33a

                                      SHA1

                                      1c35538aa307a3e09d15519df6ace99674ae428b

                                      SHA256

                                      4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                      SHA512

                                      807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      1KB

                                      MD5

                                      3e6c62c7af266183a4ccfd16266487f1

                                      SHA1

                                      eb3e5604b47e246d1da72b031fc900d1804d06ed

                                      SHA256

                                      7fa48e73b1191b9dfd1961cd04655846558adb123ebfc0257455975392e5ce32

                                      SHA512

                                      9749df82ca288d17d117eee5a3791a82b968c75c0fff799fc7f94380e0308cda29229f82191d7c3335a83073ca4e87478dfd00e09779eec57910f54a127cb832

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      573B

                                      MD5

                                      a6d346f58cbec0a6e4015327b25f1537

                                      SHA1

                                      750056e65a8b1c20b1a6051f5adcdf35821a6ac1

                                      SHA256

                                      1a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56

                                      SHA512

                                      74e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      13fa65aa57bae63ddd4722f53c73e401

                                      SHA1

                                      eb452d24b8791133f7384bc3e7986eb246570a0f

                                      SHA256

                                      d988b4737a1afe1b4ff50229fa2db258a56ce14a22060072aaf28fb03f9af7a1

                                      SHA512

                                      8f5041653a2d3413d756a8c0a240bd243337aa2e60a0296bb98db17f4cf33548c1adbc7052a183881a03f68effe2481381cc24893b8ea9ad2a02ad8d8ca7d80e

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      ae1a84a2fe2dc794e8954fc9eeba79af

                                      SHA1

                                      a3c83d6318148c149f38209af567fea2635e1500

                                      SHA256

                                      647e9246ba8ab5bd0d7d649563f3646868713b2ccb9856099afc244cc9fbb58b

                                      SHA512

                                      b945720b312d6c0c58585edc38ccaee0706d27e074556d41661b7f9dcb31d4a16d39a765f2273d86ac224527b61c7fad3696fe875666311eb4101d76f4bca717

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      6e7bcb276bdd59fefa899dda72b2254a

                                      SHA1

                                      f3b5eed26ccbe215c828218e93e0806a107a2d98

                                      SHA256

                                      1c4fd7871619ff138175a152c42631355925bbf714e9dd51a0ae9f315045fafe

                                      SHA512

                                      5d152b8e0c81b5ac09ed51cc47849ec49a5cd1ed3d69c3c2d75f1bd578d56c7f05faea7067d8ce2fc0e214f16e9b243e520df87a74c1f73f00c918334dd92a48

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      11KB

                                      MD5

                                      10a9cfc613bdb2f9907f50b73458435e

                                      SHA1

                                      0925ab9398ecc8297199e4af2b509b4e5ea1f2c5

                                      SHA256

                                      3b7c7e973988b675a125b994c71d4699937d39c4a8d516969842a0c7a027900a

                                      SHA512

                                      3f286b93896c7dad4637f64672b1995132fe5d4a962bfaf7930267163db7ac45b27d780b431e3bd8cc9e262f829d0fe02f946827fe7b2cc65541edea2950c8cd

                                    • C:\Users\Admin\AppData\Roaming\Axam.exe

                                      Filesize

                                      11KB

                                      MD5

                                      0fbf8022619ba56c545b20d172bf3b87

                                      SHA1

                                      752e5ce51f0cf9192b8fa1d28a7663b46e3577ff

                                      SHA256

                                      4ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74

                                      SHA512

                                      e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb

                                    • C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll

                                      Filesize

                                      2.4MB

                                      MD5

                                      7e76f7a5c55a5bc5f5e2d7a9e886782b

                                      SHA1

                                      fc500153dba682e53776bef53123086f00c0e041

                                      SHA256

                                      abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

                                      SHA512

                                      0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

                                    • C:\Windows\Messenger.exe

                                      Filesize

                                      50KB

                                      MD5

                                      47abd68080eee0ea1b95ae31968a3069

                                      SHA1

                                      ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

                                      SHA256

                                      b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

                                      SHA512

                                      c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

                                    • memory/8-389-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/180-350-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/892-469-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/1012-417-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/1224-273-0x0000000000400000-0x0000000000AAD000-memory.dmp

                                      Filesize

                                      6.7MB

                                    • memory/1344-444-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/1872-400-0x0000000000400000-0x000000000040E000-memory.dmp

                                      Filesize

                                      56KB

                                    • memory/1872-291-0x0000000000400000-0x000000000040E000-memory.dmp

                                      Filesize

                                      56KB

                                    • memory/2308-274-0x0000000000400000-0x000000000066B000-memory.dmp

                                      Filesize

                                      2.4MB

                                    • memory/2308-280-0x0000000000400000-0x000000000066B000-memory.dmp

                                      Filesize

                                      2.4MB

                                    • memory/2324-412-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2360-363-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2448-409-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2732-342-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/3392-397-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4520-457-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4520-478-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4836-436-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4848-321-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4848-339-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB