Overview

overview

10

Static

static

3

46a1eec81e...58.dll

windows7-x64

10

46a1eec81e...58.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2025, 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46a1eec81e8b0d889b6fde07a85405874d4b21da998b34e8b91fd852d1ddb458.dll

  • Size

    5.5MB

  • MD5

    8d252f7a6ff4f929d86cf7feb95a5b08

  • SHA1

    fa67e72ea1f9a6018407490359007022c784bdf8

  • SHA256

    46a1eec81e8b0d889b6fde07a85405874d4b21da998b34e8b91fd852d1ddb458

  • SHA512

    297ab8de6d887c1807bbbb49a04fe83c74874bf8647ab16e69f1680551c4dc50153affc92395c6c0705309df33a035c3368eba67d17220562f3c8c98a5c27f29

  • SSDEEP

    98304:DW0704A7pKmwDNRdBYaAGmOGio38um37R6BJZO4A5cfebV/FkZQ:DW044gnwPnbAGmO83OR6BJZ9ATF

Score
10/10
danabotbankercollectioncredential_accessdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot family
    danabot
  • Blocklisted process makes network request 36 IoCs
  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 22 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\46a1eec81e8b0d889b6fde07a85405874d4b21da998b34e8b91fd852d1ddb458.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5500
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\46a1eec81e8b0d889b6fde07a85405874d4b21da998b34e8b91fd852d1ddb458.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Enumerates connected drives
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:6084
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3896
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7fff5615f208,0x7fff5615f214,0x7fff5615f220
          4⤵
            PID:620
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2908,i,6003210583772483325,17596027891009489153,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2912 /prefetch:3
            4⤵
              PID:2608
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2880,i,6003210583772483325,17596027891009489153,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2376 /prefetch:2
              4⤵
                PID:2204
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2932,i,6003210583772483325,17596027891009489153,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2904 /prefetch:8
                4⤵
                  PID:2220
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3608,i,6003210583772483325,17596027891009489153,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:1868
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3628,i,6003210583772483325,17596027891009489153,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:3040
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
                3⤵
                • Uses browser remote debugging
                • Enumerates system info in registry
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:5176
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff46eedcf8,0x7fff46eedd04,0x7fff46eedd10
                  4⤵
                    PID:1028
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2552,i,5167455887402560517,2827034345343703646,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2544 /prefetch:2
                    4⤵
                      PID:4824
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2576,i,5167455887402560517,2827034345343703646,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2564 /prefetch:3
                      4⤵
                        PID:4012
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2776,i,5167455887402560517,2827034345343703646,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2760 /prefetch:8
                        4⤵
                          PID:4740
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,5167455887402560517,2827034345343703646,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
                          4⤵
                          • Uses browser remote debugging
                          PID:5084
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,5167455887402560517,2827034345343703646,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3236 /prefetch:1
                          4⤵
                          • Uses browser remote debugging
                          PID:3964
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4236,i,5167455887402560517,2827034345343703646,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4232 /prefetch:2
                          4⤵
                          • Uses browser remote debugging
                          PID:4876
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,5167455887402560517,2827034345343703646,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4676 /prefetch:1
                          4⤵
                          • Uses browser remote debugging
                          PID:4612
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4188
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1580
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:2420
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3916
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4888
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4644
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4392
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1236
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:5128
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:6104
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:2504
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:4396
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1224
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:1928
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:5708
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3624
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:5680
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:2540
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:3996
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:5276
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                        3⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        PID:2848
                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                    1⤵
                      PID:2164
                    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                      1⤵
                        PID:4784
                      • C:\Windows\system32\backgroundTaskHost.exe
                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                        1⤵
                          PID:2204

                        Network

                        MITRE ATT&CK Enterprise v15

                        Reconnaissance

                        Resource Development

                        Initial Access

                        Execution

                        Persistence

                        Modify Authentication Process

                        1
                        T1556

                        Privilege Escalation

                        Defense Evasion

                        Modify Authentication Process

                        1
                        T1556

                        Modify Registry

                        1
                        T1112

                        Subvert Trust Controls

                        1
                        T1553

                        Install Root Certificate

                        1
                        T1553.004

                        Credential Access

                        Credentials from Password Stores

                        1
                        T1555

                        Credentials from Web Browsers

                        1
                        T1555.003

                        Modify Authentication Process

                        1
                        T1556

                        Steal Web Session Cookie

                        1
                        T1539

                        Unsecured Credentials

                        2
                        T1552

                        Credentials In Files

                        1
                        T1552.001

                        Credentials in Registry

                        1
                        T1552.002

                        Discovery

                        Browser Information Discovery

                        1
                        T1217

                        Peripheral Device Discovery

                        1
                        T1120

                        Query Registry

                        4
                        T1012

                        System Information Discovery

                        4
                        T1082

                        System Location Discovery

                        1
                        T1614

                        System Language Discovery

                        1
                        T1614.001

                        Lateral Movement

                        Collection

                        Data from Local System

                        2
                        T1005

                        Email Collection

                        2
                        T1114

                        Command and Control

                        Exfiltration

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                          Filesize

                          2KB

                          MD5

                          79663a72053226abc12936ca4f180a76

                          SHA1

                          2cbba634bb3a3630146cebc4733478211427052e

                          SHA256

                          718f2bb81ed1a55a722042b962a62d14065e994679bfc4c6e5c310b03c117901

                          SHA512

                          34be95dd4a85c7712e9ce75ab1203d0464e3036949dfc670948fc8a4c251a4578a0fb800e1f67adc504a0d0c1abcc1c504d70b305d2ffc18f6c272fd689e5bea

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          80KB

                          MD5

                          44aa3f5b6fe3e7da05561b74e712220f

                          SHA1

                          5b2c4558be81e16aeab9df7de9066843e7bc47a9

                          SHA256

                          abfc091c6d9202a834745d98d4bffde2a32aec20be9bf7e18e7a0d8ce4747923

                          SHA512

                          26a61f60b377094ab81548becdb392c418a950dde87f09479e710a9d1915dc5599fffb6e58f3ff98d786529d5e3040a6459b833b282241dc0e55bb0757e37479

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          280B

                          MD5

                          c37f9d2c357647fca20f2eaa89c18edd

                          SHA1

                          cfd1035ed2d057c317b48546f467209cbbe15f2e

                          SHA256

                          2ea3a0b7e6145fd110653b1a77cb827ad7e4a145c29378344bd3d28f595b2072

                          SHA512

                          3563f4aca9e47f35de8cb38e42a3c0448bb3ec4c9183fa392abc28fee4ca08bf16da028ffbf31cf0c0f8301ed810238961e745590e5c71621bc5a2a889dd12f7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                          Filesize

                          40KB

                          MD5

                          b1494364c9adaa3cf7cf15f495d7ed05

                          SHA1

                          b0a88f3cbd0326be5362490fdc7b5583525dbd96

                          SHA256

                          b59891434e3f09dfeecc67ede5d43ae94184443e011c0e5a9c49b1bd86ecedcb

                          SHA512

                          bc41489f2ad164cf61f964d6ceb488025009eeece9f0163677f216a2c05cbaddceba3e4a0556862dae8cde8d3944f9407ea6328bd2c28c6e57c40927a73889c0

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip
                          Filesize

                          746KB

                          MD5

                          1f3ea8d57d89c45f2ead13bc02fcfb93

                          SHA1

                          7e9dfa5b36333dbeaddec1266db07246577af2fe

                          SHA256

                          af8d3dbf01d2e8caf5bb94b13c791a1a34cadb229375fdb5df1fffdd17d11582

                          SHA512

                          fb0ec00abed1b7e90aff6e93a80d8adaf31229be259c8394f600b15cb1210832625eef7de0fe4019db8a14221fd4b65ca9aceeb82d1310e244ad31ec662b52d4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\Yourseref
                          Filesize

                          40KB

                          MD5

                          ab893875d697a3145af5eed5309bee26

                          SHA1

                          c90116149196cbf74ffb453ecb3b12945372ebfa

                          SHA256

                          02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

                          SHA512

                          6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

                          Download Submit

                        • memory/3896-169-0x0000021426470000-0x00000214266A8000-memory.dmp

                          Filesize

                          2.2MB

                          Download

                        • memory/3896-85-0x0000021426470000-0x00000214266A8000-memory.dmp

                          Filesize

                          2.2MB

                          Download

                        • memory/3896-63-0x0000021426470000-0x00000214266A8000-memory.dmp

                          Filesize

                          2.2MB

                          Download

                        • memory/3896-38-0x0000021427E50000-0x0000021427F90000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/3896-36-0x00007FFF62380000-0x00007FFF62381000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3896-37-0x0000021427E50000-0x0000021427F90000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/3896-40-0x0000021426470000-0x00000214266A8000-memory.dmp

                          Filesize

                          2.2MB

                          Download

                        • memory/3896-42-0x0000021426470000-0x00000214266A8000-memory.dmp

                          Filesize

                          2.2MB

                          Download

                        • memory/6084-39-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-87-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-19-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-22-0x0000000003AC0000-0x0000000003C00000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/6084-21-0x0000000003AC0000-0x0000000003C00000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/6084-20-0x0000000004870000-0x0000000004871000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/6084-17-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-23-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-25-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-26-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-24-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-27-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-28-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-29-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-31-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-32-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-35-0x0000000003AC0000-0x0000000003C00000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/6084-33-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/6084-16-0x0000000074B20000-0x00000000750AA000-memory.dmp

                          Filesize

                          5.5MB

                          Download

                        • memory/6084-0-0x0000000002EA0000-0x0000000003423000-memory.dmp

                          Filesize

                          5.5MB

                          Download

                        • memory/6084-15-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-41-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-14-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-13-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-12-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-34-0x0000000003AC0000-0x0000000003C00000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/6084-7-0x0000000063280000-0x00000000634BE000-memory.dmp

                          Filesize

                          2.2MB

                          Download

                        • memory/6084-11-0x0000000063280000-0x00000000634BE000-memory.dmp

                          Filesize

                          2.2MB

                          Download

                        • memory/6084-10-0x000000006E600000-0x000000006E69D000-memory.dmp

                          Filesize

                          628KB

                          Download

                        • memory/6084-18-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-9-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-8-0x000000006E600000-0x000000006E69D000-memory.dmp

                          Filesize

                          628KB

                          Download

                        • memory/6084-6-0x0000000002EA0000-0x0000000003423000-memory.dmp

                          Filesize

                          5.5MB

                          Download

                        • memory/6084-120-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-122-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-123-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-121-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-119-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-116-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-118-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-5-0x0000000077642000-0x0000000077643000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/6084-117-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-147-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-149-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-148-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-146-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-160-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-158-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-161-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-162-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-4-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-185-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-186-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-187-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/6084-3-0x0000000003430000-0x00000000039C1000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/6084-1-0x0000000077642000-0x0000000077643000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/6084-2-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

                          Filesize

                          4KB

                          Download