Overview

overview

10

Static

static

3

Crypt B.dll

windows7-x64

10

Crypt B.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/03/2025, 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Crypt B.dll

  • Size

    5.5MB

  • MD5

    a3287c38bc4dc6621238f79c995f661f

  • SHA1

    05855c33f623c5de17c501ae023cd2e64c47c406

  • SHA256

    c17ee2b10cc91939b12592628b9cb79136c1fab261abc5ec19396ae50e0156c0

  • SHA512

    28b31da397bc8f8be23fb67281b4f31377abcbad8baeef2a78b71b990b651f29777618e2e46abace9a84284825c461f90c54662a4776669ae25c3dfe35955401

  • SSDEEP

    98304:qFprUM3pWeTtU1zs3QPzpltsGFc4uz0bsAWopU/:qFp9tTqS2zplFFO0blp

Score
10/10
danabotbankercollectioncredential_accessdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot family
    danabot
  • Blocklisted process makes network request 39 IoCs
  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 22 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 23 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Crypt B.dll",#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Crypt B.dll",#1
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Enumerates connected drives
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:3844
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4612
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4860
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80746dcf8,0x7ff80746dd04,0x7ff80746dd10
          4⤵
            PID:4884
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2060,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2052 /prefetch:3
            4⤵
              PID:1548
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1752 /prefetch:2
              4⤵
                PID:2020
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2428,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2424 /prefetch:8
                4⤵
                  PID:3108
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3160 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:1648
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3136 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:4056
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4272 /prefetch:2
                  4⤵
                  • Uses browser remote debugging
                  PID:4712
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3856,i,5015325218373764183,8251458210842148214,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4544 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:2856
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                3⤵
                • Modifies registry class
                • Suspicious use of FindShellTrayWindow
                PID:1560
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
                3⤵
                • Uses browser remote debugging
                • Enumerates system info in registry
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                PID:2004
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffff90af208,0x7ffff90af214,0x7ffff90af220
                  4⤵
                    PID:4896
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2252,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
                    4⤵
                      PID:1308
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
                      4⤵
                        PID:4388
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2572,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:8
                        4⤵
                          PID:2524
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3580,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
                          4⤵
                          • Uses browser remote debugging
                          PID:6052
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3596,i,14009687897325526363,17008496284058535890,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
                          4⤵
                          • Uses browser remote debugging
                          PID:4332
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:5292
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1936
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:532
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:2168
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3568
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1656
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1464
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4760
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3596
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3444
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3896
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4972
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:640
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1676
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3232
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:456
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3172
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4252
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:5256
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1876
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4432
                  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                    1⤵
                      PID:1920
                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                      1⤵
                        PID:2448

                      Network

                      MITRE ATT&CK Enterprise v15

                      Reconnaissance

                      Resource Development

                      Initial Access

                      Execution

                      Persistence

                      Modify Authentication Process

                      1
                      T1556

                      Privilege Escalation

                      Defense Evasion

                      Modify Authentication Process

                      1
                      T1556

                      Modify Registry

                      1
                      T1112

                      Subvert Trust Controls

                      1
                      T1553

                      Install Root Certificate

                      1
                      T1553.004

                      Credential Access

                      Credentials from Password Stores

                      1
                      T1555

                      Credentials from Web Browsers

                      1
                      T1555.003

                      Modify Authentication Process

                      1
                      T1556

                      Steal Web Session Cookie

                      1
                      T1539

                      Unsecured Credentials

                      2
                      T1552

                      Credentials In Files

                      1
                      T1552.001

                      Credentials in Registry

                      1
                      T1552.002

                      Discovery

                      Browser Information Discovery

                      1
                      T1217

                      Peripheral Device Discovery

                      1
                      T1120

                      Query Registry

                      4
                      T1012

                      System Information Discovery

                      4
                      T1082

                      System Location Discovery

                      1
                      T1614

                      System Language Discovery

                      1
                      T1614.001

                      Lateral Movement

                      Collection

                      Data from Local System

                      2
                      T1005

                      Email Collection

                      2
                      T1114

                      Command and Control

                      Exfiltration

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                        Filesize

                        80KB

                        MD5

                        84a12e3ab392762dbb1bb3f6e6ba3a8b

                        SHA1

                        c59c75fb26dddac5bbd48269e34ad4dcbd2e6a6d

                        SHA256

                        77596305652a2d18c3ba9370d2b5a6a06fa9f62a0b229ca42e5e1b340467d97a

                        SHA512

                        85e21f2858b4dbc9c2abfe13b3de8309eea951aa2fe6055031ae3beebc3a47672d4b4a5123f51cf4f13aa6cf308cdc7a5678a42a0d7795132f16d49bedf9fda6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                        Filesize

                        280B

                        MD5

                        60d40d2b37759323c10800b75df359b8

                        SHA1

                        f5890e7d8fc1976fe036fea293832d2e9968c05c

                        SHA256

                        c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0

                        SHA512

                        0c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                        Filesize

                        2B

                        MD5

                        d751713988987e9331980363e24189ce

                        SHA1

                        97d170e1550eee4afc0af065b78cda302a97674c

                        SHA256

                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                        SHA512

                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                        Filesize

                        40KB

                        MD5

                        05baa2c73b148a3f8b1b32a58ce627ad

                        SHA1

                        75c7ffc9f691ae2aace96c5db5a0293dba98cf23

                        SHA256

                        e06d782b4fa6f91664bdbe445964a182ad0c3eba74e5d98a80b6abf5394f9da7

                        SHA512

                        3be5240d700af1a7b45f0b7a0de38e639146181e23c7056a331b293148998c109024b55d6260f7b5d5cef362ec5eb2706baee1a29a667158642ea8b970f6d3cf

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip
                        Filesize

                        1.0MB

                        MD5

                        d39cfbf3a9ac37b2a817a50fcc5812f1

                        SHA1

                        054b89c910a54e2e5fc53aba563db9d7bd952607

                        SHA256

                        406c20f60039459cd0c6dcdf66445a0c04017a92a65a7682ad46c6a8961ed3f6

                        SHA512

                        649eba663ae5173fe09cc6972185481f798e9d542f1693d2b3807a94f0fbaeb1555099b809d3f8d0848d1a789cf4cc25c282d6b24f9d730b54fa4af83fff0819

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Hfdpdod
                        Filesize

                        40KB

                        MD5

                        ab893875d697a3145af5eed5309bee26

                        SHA1

                        c90116149196cbf74ffb453ecb3b12945372ebfa

                        SHA256

                        02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

                        SHA512

                        6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

                        Download Submit

                      • memory/1560-132-0x00007FF814780000-0x00007FF814781000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1560-133-0x000001D472890000-0x000001D4729D0000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1560-136-0x000001D470EB0000-0x000001D4710E8000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/1560-138-0x000001D470EB0000-0x000001D4710E8000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/1560-134-0x000001D472890000-0x000001D4729D0000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3844-113-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-142-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-15-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-13-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-17-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-18-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-16-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-21-0x0000000003B30000-0x0000000003C70000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3844-20-0x0000000003B30000-0x0000000003C70000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3844-19-0x00000000049E0000-0x00000000049E1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3844-22-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-24-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-25-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-26-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-27-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-23-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-28-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-32-0x0000000005030000-0x0000000005031000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3844-33-0x0000000003B30000-0x0000000003C70000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3844-34-0x0000000003B30000-0x0000000003C70000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3844-3-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-38-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-4-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-2-0x0000000003B20000-0x0000000003B21000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3844-31-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-30-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-5-0x00000000775B2000-0x00000000775B3000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3844-6-0x0000000063280000-0x00000000634BE000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/3844-41-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-12-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-14-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-130-0x0000000003B30000-0x0000000003C70000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3844-76-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-7-0x0000000002FD0000-0x0000000003553000-memory.dmp

                        Filesize

                        5.5MB

                        Download

                      • memory/3844-8-0x000000006E600000-0x000000006E69D000-memory.dmp

                        Filesize

                        628KB

                        Download

                      • memory/3844-105-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-106-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-104-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-103-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-107-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-110-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-109-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-108-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-111-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-112-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-0-0x0000000002FD0000-0x0000000003553000-memory.dmp

                        Filesize

                        5.5MB

                        Download

                      • memory/3844-131-0x0000000003B30000-0x0000000003C70000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/3844-1-0x00000000775B2000-0x00000000775B3000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3844-127-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-128-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-10-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-135-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-137-0x0000000003560000-0x0000000003AF1000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3844-11-0x000000006E600000-0x000000006E69D000-memory.dmp

                        Filesize

                        628KB

                        Download

                      • memory/3844-9-0x0000000063280000-0x00000000634BE000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/4612-62-0x000001B4B9CF0000-0x000001B4B9F28000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/4612-125-0x000001B4BEC00000-0x000001B4BEC60000-memory.dmp

                        Filesize

                        384KB

                        Download

                      • memory/4612-123-0x000001B4B9CF0000-0x000001B4B9F28000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/4612-74-0x000001B4B9CF0000-0x000001B4B9F28000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/4612-40-0x000001B4B9CF0000-0x000001B4B9F28000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/4612-39-0x000001B4B9CF0000-0x000001B4B9F28000-memory.dmp

                        Filesize

                        2.2MB

                        Download

                      • memory/4612-35-0x00007FF814780000-0x00007FF814781000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4612-36-0x000001B4BB6F0000-0x000001B4BB830000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/4612-37-0x000001B4BB6F0000-0x000001B4BB830000-memory.dmp

                        Filesize

                        1.2MB

                        Download