Analysis

  • max time kernel
    231s
  • max time network
    231s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 03:18

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot family
  • Danabot x86 payload 1 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Blocklisted process makes network request 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a4b946f8,0x7ff9a4b94708,0x7ff9a4b94718
      2⤵
        PID:3940
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        2⤵
          PID:3952
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2988
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
          2⤵
            PID:1224
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
            2⤵
              PID:4540
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
              2⤵
                PID:4880
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
                2⤵
                  PID:3596
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:848
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                  2⤵
                    PID:3392
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
                    2⤵
                      PID:3044
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                      2⤵
                        PID:1820
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                        2⤵
                          PID:3012
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
                          2⤵
                            PID:376
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
                            2⤵
                              PID:3080
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                              2⤵
                                PID:4932
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2444
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1412
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1668
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:584
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:3148
                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
                                    1⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:900
                                    • C:\Windows\SysWOW64\regsvr32.exe
                                      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@900
                                      2⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:1356
                                      • C:\Windows\SysWOW64\rundll32.exe
                                        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
                                        3⤵
                                        • Blocklisted process makes network request
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:1752
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 460
                                      2⤵
                                      • Program crash
                                      PID:1032
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 900 -ip 900
                                    1⤵
                                      PID:4984
                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe
                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe"
                                      1⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2664
                                    • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                      "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe"
                                      1⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3048
                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2008
                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of SetWindowsHookEx
                                        PID:3432
                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2264
                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of SetWindowsHookEx
                                        PID:1128
                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of SetWindowsHookEx
                                        PID:1748
                                      • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
                                        "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /main
                                        2⤵
                                        • Writes to the Master Boot Record (MBR)
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:4468
                                        • C:\Windows\SysWOW64\notepad.exe
                                          "C:\Windows\System32\notepad.exe" \note.txt
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2524

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      99afa4934d1e3c56bbce114b356e8a99

                                      SHA1

                                      3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

                                      SHA256

                                      08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

                                      SHA512

                                      76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      443a627d539ca4eab732bad0cbe7332b

                                      SHA1

                                      86b18b906a1acd2a22f4b2c78ac3564c394a9569

                                      SHA256

                                      1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

                                      SHA512

                                      923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2a547422-02e3-4619-80bf-0c034d2043be.tmp

                                      Filesize

                                      6KB

                                      MD5

                                      1010ea230a127f8cd5c0be8a95ec8812

                                      SHA1

                                      5b9c2eb72f2812237af1d361dd309525deeb2e30

                                      SHA256

                                      f9340a4f3e1da70593c516466406afaf3c5fbbadfde0d40a2a508a0c0ba056a1

                                      SHA512

                                      6c263c99ff8fb6c64550c9063314b5881814bfbb78cd4c977d71999b4ac1d0b5f015e78d4979bb7df36517732964edd02fd07376d1b726a9594b6873c782b659

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5a3d4368-59c0-4632-9e06-66339612950c.tmp

                                      Filesize

                                      1KB

                                      MD5

                                      0196d2196d71c477a1f78fbdb6beca16

                                      SHA1

                                      6033b4a8bed30963fbb2d9ddff0c2d2ea530d7c6

                                      SHA256

                                      c475f0f1c6c9fddebeb9d47cd3dd34d80184228818e95e0433603765ba98cbba

                                      SHA512

                                      0e629c0bdbc617b336e3c9fa15ea890c1bdd3eee7083776ededf6d4ecf68925fe8e7a103b1e3f9656d99756c2882e64c83821276e3471a345fdca526779fb03b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

                                      Filesize

                                      19KB

                                      MD5

                                      0b684c927d56c8f2a269fad2ce708bca

                                      SHA1

                                      b24881109b33ba68168308333840e1c7b03e7775

                                      SHA256

                                      0a1174c0168a1a056fc5a67ef229a4255b750131f9bfde84f8226f88a8f1f9fa

                                      SHA512

                                      68da39e77fde0e0e75a529e7452230230c99cebb61ac763d81136de4ee4b150442a076d96d0f9c4f431def094a225ec621b656c326e44e2b8e3d340278fba471

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      1KB

                                      MD5

                                      c9bd71e12da62c2dc05e40efe3c11f74

                                      SHA1

                                      8fdb8e1b70c0751d6239f9b2e0868b71a92ae03d

                                      SHA256

                                      90d3a36e648480b4d9a900176c5037764af75d3e1a8bb935b6dc76ad23e9ce4c

                                      SHA512

                                      ba407a62c7d0f488d69565fc6cca7889c3bc50fcf03ed8ea3e8fdd742a2c8daf129e837c73cb358b5a48ca2c63cfa667f5f4ec9e2fed900d3c254e1e800ff60c

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      1KB

                                      MD5

                                      e989488ee22fde83ab5cd93dd98a1d73

                                      SHA1

                                      b328cd928076323fc804b7a1ef71b658284e18cd

                                      SHA256

                                      a510bd68af52045c3198144be3d6453e43c0145fa888d63802d1255850b93d7c

                                      SHA512

                                      352eee651eb6d5f3db363c5b19c48bd141b49977fae1ca4fe44b9af570ebd31195dc66785b586874d32afc0f6b47696897f790170b703a9bc0da37b3fffd3225

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      573B

                                      MD5

                                      dd206986bfdd70ed07ec54b03c9ebc9b

                                      SHA1

                                      105f2e51ade310ea60a7c2cb11ce16dd480f81c2

                                      SHA256

                                      af184d0cceb2b815b953fb24970efe52c159fc7b30b9b0dcfb2b54a90376e971

                                      SHA512

                                      3717fe8d2d7c878b6fbc98c25e484659602c1aa50cf76c5df5af07e93132098831cd8a9c1b73b7114da656f848b8e104190d1b48863413e08e1027dd7728fc75

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      b782d650b6745e52e4cf18ad655e6614

                                      SHA1

                                      0cf35c044590d0b3b8cf710c7229226538213954

                                      SHA256

                                      8805b5a94705db869c7379433d2df4ed29b6777cbcbb7a5d013705e07b4a36f5

                                      SHA512

                                      16e4bc6b88a9e648711b57be8c76812194324ade931f871db8cb3b486916d896198f56bf7cc4066a4ec5390d0cf6efccd25e10bb49c006e7cd7198585cf2aba7

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      39472468edf12a72c52fc189aec9030b

                                      SHA1

                                      22db2bf6b8af3602ad7e1f731053c60a8870a2d5

                                      SHA256

                                      2dc2eeba1f13568e230150c414b3f9386d21de32c2150ec337e39437b24ff0cd

                                      SHA512

                                      513f2f945fc3bd5bcb3e3ce83ef1066fb2300c5b41e8bf5da365793c57e3b70b28dd136e5aa2bf1cbbbe4e7cb522536f0947b4140f50ee174f65b6d45c080d12

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                      Filesize

                                      1KB

                                      MD5

                                      4c182ec1145a10fa611c3b8168e5fe75

                                      SHA1

                                      ec89a52d20c6489853c1e93add43d7dd91abc53b

                                      SHA256

                                      87ca33c3bf1711bc98e9a87b5a5d4b441a0a5d0ba06950938823b42ba9cfcb91

                                      SHA512

                                      d8cd3753645d73c33f35782674743a8e3101db102f5cc8052057f3d5871715049e5d748c4502574140bbf439fb9aab08b6df3f8d58f42a89a3dc957cd5371a6b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                      Filesize

                                      1KB

                                      MD5

                                      656ac8628b42ffe51ee4ffb2fa4cd80e

                                      SHA1

                                      c27c853a24577e72fde3f2c962371d84dc43a82d

                                      SHA256

                                      0879ad3c54eae01d03ad34300464555706631257575dd035d2f5db4cc017d8e6

                                      SHA512

                                      896d1f10771c8059392050d998bb7b31713525d3a3a54eccc3d9c210f6c3ccdbd0531dcef61e94d2002118538c6a31a124517add26a9089b2ab6dbd0f0a9f649

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58266f.TMP

                                      Filesize

                                      874B

                                      MD5

                                      485a4d6094d09b4664ac07e4c4b6d8ec

                                      SHA1

                                      e33a2f5fa1ba8bf7c47d0a3fa1bbb6bdad1727d9

                                      SHA256

                                      cd5bb581965a122571a9dcbdd4ce8b41ae235f38d6ac1a3c9179178fb789f7ae

                                      SHA512

                                      95a6a7c0b5513cb4717d608d73183b7f0d01200e2bdb1233c0c643674c0618709ef0d1e33fc32d267b12c68fec81bbacf9c6d49a037c0cb7dc0b5638ab4432f8

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      46295cac801e5d4857d09837238a6394

                                      SHA1

                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                      SHA256

                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                      SHA512

                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      206702161f94c5cd39fadd03f4014d98

                                      SHA1

                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                      SHA256

                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                      SHA512

                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      246a7e242748bf2d2adec00ba6229264

                                      SHA1

                                      44bd193c1c2ea4dc4ad2a00132e53cbd42bb5b3f

                                      SHA256

                                      f6763c5622e21fa19adcb45f107b30ddcb652783b9abd0b58ae14009e6960318

                                      SHA512

                                      99d61eb8d635b5cca5a07cbd6f3eefe4b45fc2fddf112e15208dba9911e34b52d5f94a7622198e187db4f277a9e48279f7627360576b7ca70685d81eb2dde38e

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      11KB

                                      MD5

                                      791e52b3f00e8947fb685a23107c54ac

                                      SHA1

                                      b953e59f5a4146d74c60eac48dfac31a86a34555

                                      SHA256

                                      1bedf787ba7b4db549079ee2f7cd3bfcc2a18997b29ebdda4609e47d76aeea95

                                      SHA512

                                      c235305b4bf174d0f1a6c917fe6359e3a2c8ab7f4ba5da372bb2c0acc6242feda95b606e9bf1244e1094079e9db86130e802db37ab529115c24dd3dd4f7c07ab

                                    • C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll

                                      Filesize

                                      2.4MB

                                      MD5

                                      7e76f7a5c55a5bc5f5e2d7a9e886782b

                                      SHA1

                                      fc500153dba682e53776bef53123086f00c0e041

                                      SHA256

                                      abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

                                      SHA512

                                      0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

                                    • C:\note.txt

                                      Filesize

                                      218B

                                      MD5

                                      afa6955439b8d516721231029fb9ca1b

                                      SHA1

                                      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

                                      SHA256

                                      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

                                      SHA512

                                      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

                                    • memory/900-373-0x0000000000400000-0x0000000000AAD000-memory.dmp

                                      Filesize

                                      6.7MB

                                    • memory/1752-376-0x0000000000400000-0x000000000066B000-memory.dmp

                                      Filesize

                                      2.4MB

                                    • memory/1752-389-0x0000000000400000-0x000000000066B000-memory.dmp

                                      Filesize

                                      2.4MB