Analysis
-
max time kernel
843s -
max time network
850s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
02-01-2025 16:17
General
-
Target
Eclipse Executor V4.exe
-
Size
10.0MB
-
MD5
0ec8e967e7957550741ea40f63696a27
-
SHA1
8445dbe749bf629cf2a20896611afcf0de2d4083
-
SHA256
45b1332b4be29ec0cabc9f9eeb5fa7d97a3a3ff0839e2246395d33fc47fbe9ad
-
SHA512
165609d84a68f03bca05e9b5eb98c16864b609a0ee5227d111422970431f6a9c527c884855e549b0dd398ccadd6243a39857da17351bb7d02e32edd1e7addea9
-
SSDEEP
49152:tCuGu1hX9vpSRGsbSXtHVYV86zzb9grRIkMKzd/7aK/KlyX:R+GsbSXt1n65grR/MK/KlW
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot family
-
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Loads dropped DLL 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 56 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Eclipse Executor V4.exe"C:\Users\Admin\AppData\Local\Temp\Eclipse Executor V4.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SaveSelect.htm1⤵
- Enumerates system info in registry
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffa626646f8,0x7ffa62664708,0x7ffa626647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2b8,0x2bc,0x2c0,0x294,0x2c4,0x7ff796705460,0x7ff796705470,0x7ff7967054803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6176 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6184 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,14615363215633614363,475196237636670581,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6808 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@7003⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f04⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 4963⤵
- Program crash
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\3Rd-LevelHexEatracted.7z2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 700 -ip 7001⤵
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 4562⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4324 -ip 43241⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1482⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1508 -ip 15081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD523c881bd9ff24ec1e1c1388e1967d94d
SHA1cf340b91392671812c5d68f70a32b8b0768f4c75
SHA25660eb6975421a62b21622524ea781e64e7892294e65056ad6ca7766e1362b7156
SHA5125694ab40278f68cd46d12a39fd7c7883cb1268b9896f3f09a8283db4a4070147f7970f18902885b119848f532d04f662fb44ab8ad5a7cd47a473578a692da7f5
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
47KB
MD59f96d459817e54de2e5c9733a9bbb010
SHA1afbadc759b65670865c10b31b34ca3c3e000cd31
SHA25651b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609
SHA512aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307
-
Filesize
26KB
MD55dea626a3a08cc0f2676427e427eb467
SHA1ad21ac31d0bbdee76eb909484277421630ea2dbd
SHA256b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6
SHA512118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc
-
Filesize
18KB
MD57d54dd3fa3c51a1609e97e814ed449a0
SHA1860bdd97dcd771d4ce96662a85c9328f95b17639
SHA2567a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247
SHA51217791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896
-
Filesize
38KB
MD5c7b82a286eac39164c0726b1749636f1
SHA1dd949addbfa87f92c1692744b44441d60b52226d
SHA2568bf222b1dd4668c4ffd9f9c5f5ab155c93ad11be678f37dd75b639f0ead474d0
SHA512be7b1c64b0f429a54a743f0618ffbc8f44ede8bc514d59acd356e9fe9f682da50a2898b150f33d1de198e8bcf82899569325c587a0c2a7a57e57f728156036e5
-
Filesize
20KB
MD50b17fd0bdcec9ca5b4ed99ccf5747f50
SHA1003930a2232e9e12d2ca83e83570e0ffd3b7c94e
SHA256c6e08c99de09f0e65e8dc2fae28b8a1709dd30276579e3bf39be70813f912f1d
SHA51249c093af7533b8c64ad6a20f82b42ad373d0c788d55fa114a77cea92a80a4ce6f0efcad1b4bf66cb2631f1517de2920e94b8fc8cc5b30d45414d5286a1545c28
-
Filesize
26KB
MD573fc3bb55f1d713d2ee7dcbe4286c9e2
SHA1b0042453afe2410b9439a5e7be24a64e09cf2efa
SHA25660b367b229f550b08fabc0c9bbe89d8f09acd04a146f01514d48e0d03884523f
SHA512d2dc495291fd3529189457ab482532026c0134b23ff50aa4417c9c7ca11c588421b655602a448515f206fa4f1e52ee67538559062263b4470abd1eccf2a1e86b
-
Filesize
37KB
MD556690d717897cfa9977a6d3e1e2c9979
SHA1f46c07526baaf297c664edc59ed4993a6759a4a3
SHA2567c3de14bb18f62f0506feac709df9136c31bd9b327e431445e2c7fbc6d64752e
SHA512782ec47d86276a6928d699706524753705c40e25490240da92446a0efbfcb8714aa3650d9860f9b404badf98230ff3eb6a07378d8226c08c4ee6d3fe3c873939
-
Filesize
18KB
MD58bd66dfc42a1353c5e996cd88dc1501f
SHA1dc779a25ab37913f3198eb6f8c4d89e2a05635a6
SHA256ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839
SHA512203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6
-
Filesize
18KB
MD5f1dceb6be9699ca70cc78d9f43796141
SHA16b80d6b7d9b342d7921eae12478fc90a611b9372
SHA2565898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f
SHA512b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de
-
Filesize
58KB
MD56c1e6f2d0367bebbd99c912e7304cc02
SHA1698744e064572af2e974709e903c528649bbaf1d
SHA256d33c23a0e26d8225eeba52a018b584bb7aca1211cdebfffe129e7eb6c0fe81d8
SHA512ebb493bef015da8da5e533b7847b0a1c5a96aa1aeef6aed3319a5b006ed9f5ef973bea443eaf5364a2aaf1b60611a2427b4f4f1388f8a44fdd7a17338d03d64a
-
Filesize
39KB
MD5a2a3a58ca076236fbe0493808953292a
SHA1b77b46e29456d5b2e67687038bd9d15714717cda
SHA25636302a92ccbf210dcad9031810929399bbbaa9df4a390518892434b1055b5426
SHA51294d57a208100dd029ea07bea8e1a2a7f1da25b7a6e276f1c7ca9ba3fe034be67fab2f3463d75c8edd319239155349fd65c0e8feb5847b828157c95ce8e63b607
-
Filesize
53KB
MD52ee3f4b4a3c22470b572f727aa087b7e
SHA16fe80bf7c2178bd2d17154d9ae117a556956c170
SHA25653d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799
SHA512b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146
-
Filesize
88KB
MD576d82c7d8c864c474936304e74ce3f4c
SHA18447bf273d15b973b48937326a90c60baa2903bf
SHA2563329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8
SHA512a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46
-
Filesize
105KB
MD5b8b23ac46d525ba307835e6e99e7db78
SHA126935a49afb51e235375deb9b20ce2e23ca2134c
SHA2566934d9e0917335e04ff86155762c27fa4da8cc1f5262cb5087184827004525b6
SHA512205fb09096bfb0045483f2cbfe2fc367aa0372f9a99c36a7d120676820f9f7a98851ee2d1e50919a042d50982c24b459a9c1b411933bf750a14a480e063cc7f6
-
Filesize
16KB
MD55615a54ce197eef0d5acc920e829f66f
SHA17497dded1782987092e50cada10204af8b3b5869
SHA256b0ba6d78aad79eaf1ae10f20ac61d592ad800095f6472cfac490411d4ab05e26
SHA512216595fb60cc9cfa6fef6475a415825b24e87854f13f2ee4484b290ac4f3e77628f56f42cb215cd8ea3f70b10eebd9bc50edeb042634777074b49c129146ef6a
-
Filesize
619B
MD5df0838cf7c2b7570faa3236b1ff9b022
SHA15f66f2ea9cb60eaa214208a43fc2d02a1169d14c
SHA256078c9232370d99b44b9a0a0130e29994e7413499a6424bdb967374a448dbf4b2
SHA51287f4dddc3c3502cc356538e105486a21e7fcd52b869cd4b69cda250dac10e19029a3a8baabacc3f510cda758c664a3bbc82b65540371b0de80001f2c64dca207
-
Filesize
1KB
MD5c1fe2902f998f7450711a7f31fac94b9
SHA1ac4a94432369cb7407e285d108316169d5d5b3b7
SHA2569301fb8508a33e68660075dac8393e5984ab26af6596e17909a197f98774aa9e
SHA512c1724a8afc22bcdff359918ec823550b0f2ddc5e3f60d37ef140225d5b1988899134f42550d02c80db6a4a8c04c0850fd9b5101343a726a357a18bacb72984a0
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
1KB
MD548ba2c44416051b768020bb09df28187
SHA1691100de119a39883188ab6340e4753ca87f25df
SHA2560597287eb6da38f1b531972e62e7baac317c351bf5f5bb9e405677706a61b1c6
SHA512c310b4c880ce69ef46c477652f00999762a094e038f811f4707e908845b0aa36d411818e21bb5e8bdcd4722e078a27be5e048e6eb6a29e613cd1d89bfb84a91b
-
Filesize
1KB
MD500b811e4241215e48a17b53012c10e82
SHA16da485c43cd6734475f6f3086c87cf0a3baae106
SHA256252286996b40f46bc6c1f0ed307db203f69fb9b408ef38437953ce78f6078028
SHA5126e243a24e0b1759a08114caa984b7531f22477ace17dfa61b6b8012ca1471652b1a0d192b3a4034c9ee66bc0fa3f098f8895eacabe3b97e352abac89b6baae37
-
Filesize
1KB
MD547f965d092e18e70c8b1a3b4a0ae722d
SHA1010a73a5a9c897234bb9802d951b3cca12c7f12d
SHA256879ca718fa943ab01b794bb4601169bf93950c18aeb8e8c9614cb39a8acf806a
SHA5128b33c12e7fa05866fcaae5a09bc6eb2492904b15da9b64044613de3eb632b92fdcbc42e7bd6ca5561ba5fd880efca28b53189e278c07bfe90cddf43d55caa13b
-
Filesize
1KB
MD565cc0f974f9819187cc3b2ef577f31e5
SHA106700ee21d92f94a3e0775df3ca487be8fd6d329
SHA256c112764e45058c75d7a1f734ae8ba3f50544b3711b35fd68b7259a7db7849a63
SHA512dca9dc720ba7056b40270baa5c3bbcc4136f8ff1cd63c5fe166ea3732d91d62035df4e8885d3e7abcf6856cbe4a5711dfe8987ba00c4ba0c33121f8f303a4626
-
Filesize
1KB
MD512cee63afdec0e3714e0b5c2715ef65c
SHA1908c29ec0a26f342ac6fb66b0a52d29e791c530a
SHA2562d999af7e93fba61cc97bd11dfd99cfb2ed175f44e93fddfba52ad50fb2efef3
SHA512544a7320901bdf6169f0907ddf0461a3134e80c35e07cc3cfabf364888c5ba12a541053d6a13549d2fc9d538d5ae0fbea28c833282063b582749de8da06c1db7
-
Filesize
1KB
MD56c321380000565f3ea69409218ac1c28
SHA110ba0e05527c7001d7df0d43d4a2a2b43757f53c
SHA256be0276d091dc256770796baf23f72e7143dccafd2b8285e378a11b2ceebf6635
SHA51244a55267c73b1e10a01ea6c99526ceb90ec10751745854c36cd99ca08dea66e4d1d2d288154045473f688c5554bd9aa59310c4b227b4d5408936755d5417366f
-
Filesize
1KB
MD523e96c7ef5aa1a9f41aeb3bf6ff08093
SHA11116f37d987d54bcbf8fa79b9c812699db956010
SHA256126fac148c45015547c0e3512d21b2524e713ad393d407a880d7a57ba792f4f0
SHA512e468aa9f90f90b517867eb2ec134ab20622c988e566c71322451ef074474a27f6bcba3d42b4b2b23ed3366801d7660f43a4ea8e15bd2aad8aa61090cc0fc0491
-
Filesize
1KB
MD575f99b8c99d255f5b0378c63d0555c51
SHA186c1fcde1c68aea0319087c66021443a2b645f91
SHA256cb5b51e154892d119cf9fecaf0ebeb44ba5e7a2ecb038faf09d16fee864bdf6a
SHA512a30c9c84b9672e4cd0b99a139d57aad1d26e0e343c1f1d07dfa975ae90f84f0f608017f3a391f3e534bca6000d4f5b841d36d29b015409ee5b06906606dd5324
-
Filesize
1KB
MD55dc02b26635dd7b9118334056d0f6887
SHA15ab527673d170c70206dc601e0ed5a2fde10615d
SHA256afbd77e4d08099510a14c8b0f120785db5775e3673a672038fd5927791d8ef6c
SHA51247fdf4248b8e415a6959c899a9e4597db6dcedc18923aad4858dae43d97ab968246f38129a1952a9bc1086eec44f52c40b6faac336281405555629dbd557e9f4
-
Filesize
1KB
MD530e84a8cf0b6a46ba7199e49ce015b63
SHA14e44984ccb3266d6424d4ed02c99193dac454747
SHA256593c4f8c1db5cc782f5bf1c162e9aab68ef46d31960baf959bc8f1e88c22df6a
SHA5124e2e89933d590d496f49e5b17d4ca58649b0e225d37ac4bdc58b1983daef40ee27e439d89d0e1dc893cf5bc1bf021b164a3100444b5070a6a83fb06d0c3b7645
-
Filesize
1KB
MD5a8f5c048447b1cb590c6eacb4bfaa891
SHA109c7d51d682d3d581e4cd690d79e166eb1738dd0
SHA256fdfff07f732a5dc8efc81fc697efa859369478732a5dc4e396d244fb9e918323
SHA5122ad7d848e59e9cb3450be0e9ef0e2bb3b8d35a39f825c80c57eff22d0be3953ff75bd35dc445a03a2596a2426c9a142dece25c4469e8133a5726a2de37be8e1d
-
Filesize
1KB
MD570e133f5016c1c1c27def66ad4101cc5
SHA125dd1fb5cdb14e56696c0b18c7153dde72ea9948
SHA256dce8293c04a3bf6c5da7211cfe6729fe0ab7820e72c43b494fd8903eb9dee060
SHA512001fe144ef5991be177a69fcedd890790e90930c1eaa892fbc37a2813eccbca2305f4473b2232581698e10889a892d627fddc5f00ac10fb9dd0c27bec51542bf
-
Filesize
1KB
MD5637bc0b0fae89e53695884fa3625eb01
SHA14710df28939a229bcdb5cfb1a6b2b1c6a4517ac4
SHA25645447853ce491e4a24da7bfa0a324335938e1ff9279229dfdc6080f52c273561
SHA512b4ce4b86d1fd4f5cb384ac311f5e2d379071aa3c0c7ec740027bd3b2fd548f6d2b57235875036f794e424e50debbafefd5254f65471e0e1d10ea75e1435a9726
-
Filesize
1KB
MD5607d7b75dd7e19180735e96bc9e1f62d
SHA1ddcd002dcd59fca152d0cdb726902731f76fa244
SHA2564d53b64f56cc12cbbaa138ea7b1585f7e8f3b620adcafccfe996cb7f5c776b6b
SHA512b4470de95852b01abf623e676035eafa8796d09799b4e642e250a5b802ddb14d40b03b1509a3e5ee39d1b120e48fdbf92c69cfd3595d646e5e34eeb1f18f76ff
-
Filesize
1KB
MD53a8f56d27ee9847d561639979863039d
SHA12efe1ec315d179d14b68f0b201e848a89123e57b
SHA2564b67fc865e007053cd9e6c3d0621f66273d542b2f30d59609a01618dc3ea6598
SHA5123d0924056112d6129e5ee1298b9f43ad14f18a1b0431415ce22222cc8399c30312c4be9053aec1f7a9ebd5ed17d8f08f4c7cf5efff0030a370a462f5e7bb6cef
-
Filesize
1KB
MD5ed6518acbfeb9988f0ddf51467959e0e
SHA1b343d156d95e016583a4efdcc9edf9b3cb7dc52e
SHA25617671c8220baa0da9778fbbc50db2a5572d363f341e03d526dad524467d31325
SHA512de438a774872d03de00eb41f8c0f0028a76d3b05eb6e67284ca59de71aeed97c72c49ebba6734547adb8e1949c36553e206b8851e81ed9add4ac72e46bfde04d
-
Filesize
1KB
MD59b243e6c8f717109c0a15a948277be8e
SHA12e99be993c504d5eda610296449be4797b392a6b
SHA256f424bcaa510c9e2589519766a295b741fb6682ef160dd9a922df9981f16588b1
SHA5125549b5cafceb2d5d10a3df1f5213074eefffc80f44a987a91aa1436ba7acdfb6468dae48f60b6f3c7f347c5ee283bffba21ee093b1e2a3d390ded91843ad96f9
-
Filesize
1KB
MD58aec79ff10cad32aeb0e255a09bdb2b7
SHA1e97683cd528bd5369266a6d060a25b254ffc7071
SHA256db7f8e0f7ab922d9e752fa8736c635e589c9440780a32afbbee079006d777915
SHA512b3cc9d1e8770a953ed2968dc7bc3963297b3776c86eeab56d8626b0cea82d6c41a34cbc17116da50a2fe03f22e97973bee599bde27c867dcad8297633e702071
-
Filesize
534B
MD55dff661daedf6a2ea4af41e8a50b4214
SHA1af1050e00f5e0f84f7df74eab105b23db5f5cb76
SHA25672a2d4028253314ac624453e109615324e45391a770ee2e425c33fee5d6dadf0
SHA512e818257b01547a4daa4f88458f8f8f3d8a0da3ced02aca829c396933e1d4f05adbba9554a587b7cf3f94a0b3291333a77ae2cf51fddab1aad6cbffc6ccd96dbf
-
Filesize
2.4MB
MD57e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1fc500153dba682e53776bef53123086f00c0e041
SHA256abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA5120318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.0MB
-
Filesize
10.8MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB