Malware Analysis Report

2025-06-15 21:03

Sample ID 221218-fkj55aaf69
Target 9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e
SHA256 9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e
Tags
danabot smokeloader backdoor banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e

Threat Level: Known bad

The file 9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader backdoor banker trojan

Danabot

Detects Smokeloader packer

SmokeLoader

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-18 04:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-18 04:55

Reported

2022-12-18 04:58

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |

Downloads MZ/PE file

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1A6.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3628 set thread context of 2228 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |

Enumerates physical storage devices

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1A6.exe |

Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009255122f100054656d7000003a0009000400efbe0c55ec989255182f2e00000000000000000000000000000000000000000000000000d2141e00540065006d007000000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | N/A | N/A |

Suspicious behavior: AddClipboardFormatListener

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Suspicious behavior: MapViewOfSection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3060 wrote to memory of 3452 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1A6.exe |
| PID 3060 wrote to memory of 3452 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1A6.exe |
| PID 3060 wrote to memory of 3452 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1A6.exe |
| PID 3452 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\1A6.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3452 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\1A6.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3452 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\1A6.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3628 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 3628 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 3628 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe

"C:\Users\Admin\AppData\Local\Temp\9664d17da11b88cb1d33fdbcdb1ff40a56f0e314656c6d7dd5fadee222d4f21e.exe"

C:\Users\Admin\AppData\Local\Temp\1A6.exe

C:\Users\Admin\AppData\Local\Temp\1A6.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3452 -ip 3452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 696

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20188

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | dowe.at | udp |
| N/A | 91.195.240.101:80 | dowe.at | tcp |
| N/A | 8.8.8.8:53 | xisac.com | udp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 149.3.170.140:80 | 149.3.170.140 | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 52.182.143.208:443 | | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 175.120.254.9:80 | xisac.com | tcp |
| N/A | 8.248.5.254:80 | | tcp |
| N/A | 8.248.5.254:80 | | tcp |
| N/A | 8.248.5.254:80 | | tcp |
| N/A | 127.0.0.1:20188 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
| N/A | 23.236.181.126:443 | | tcp |

Files

memory/2548-132-0x0000000000752000-0x0000000000763000-memory.dmp

memory/2548-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/2548-134-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2548-135-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3452-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1A6.exe

MD5 0bb2b15ca73128dbc816ea4ed583119c
SHA1 17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512 d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375

memory/3628-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 4a8a48955b386196047008af1afb6591
SHA1 b426ea81c5c27007bda10841dfe861f0204da0f8
SHA256 746968a3cd6e0d6e324520b1d7cee375a8a5ba60af444c227b553fb3bc5959e7
SHA512 721e7a14bf19a3cbf640ee95e65851a576a6d268c021e800b1141a680c8678f55253328ee0bd358b50edba024003adef183d8a1e863f38cce858956072575e4c

memory/3628-143-0x0000000001FE0000-0x0000000002251000-memory.dmp

memory/3452-144-0x0000000000BBB000-0x0000000000E06000-memory.dmp

memory/3452-145-0x00000000026B0000-0x0000000002A35000-memory.dmp

memory/3452-146-0x0000000000400000-0x0000000000791000-memory.dmp

memory/3628-147-0x0000000001FE0000-0x0000000002251000-memory.dmp

memory/3628-148-0x0000000001FE0000-0x0000000002251000-memory.dmp

memory/3628-149-0x00000000030A0000-0x00000000037C5000-memory.dmp

memory/3628-150-0x00000000030A0000-0x00000000037C5000-memory.dmp

memory/3628-151-0x00000000030A0000-0x00000000037C5000-memory.dmp

memory/3628-152-0x0000000003890000-0x00000000039D0000-memory.dmp

memory/3628-153-0x0000000003890000-0x00000000039D0000-memory.dmp

memory/3628-154-0x0000000003890000-0x00000000039D0000-memory.dmp

memory/3628-155-0x0000000003890000-0x00000000039D0000-memory.dmp

memory/3628-156-0x0000000003890000-0x00000000039D0000-memory.dmp

memory/3628-157-0x0000000003890000-0x00000000039D0000-memory.dmp

memory/2228-158-0x00007FF792136890-mapping.dmp

memory/2228-159-0x0000016298D10000-0x0000016298E50000-memory.dmp

memory/2228-160-0x0000016298D10000-0x0000016298E50000-memory.dmp

memory/2228-161-0x0000000000F60000-0x0000000001179000-memory.dmp

memory/2228-162-0x0000016297340000-0x000001629756A000-memory.dmp

memory/3628-163-0x00000000030A0000-0x00000000037C5000-memory.dmp