Malware Analysis Report

2025-06-15 21:03

Sample ID: 221218-fxqhnsdf6t
Target: 33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf
SHA256: 33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf
Tags: danabot banker trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf

Threat Level: Known bad

The file 33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf was found to be: Known bad.

Malicious Activity Summary

danabot banker trojan

Danabot

Downloads MZ/PE file

Executes dropped EXE

Blocklisted process makes network request

Loads dropped DLL

Deletes itself

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-12-18 05:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-12-18 05:15

Reported: 2022-12-18 05:17

Platform: win10-20220812-en

Max time kernel: 150s

Max time network: 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2D3.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2140 set thread context of 4828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000092550732100054656d7000003a0009000400efbe0c554b88925507322e00000000000000000000000000000000000000000000000000089ae400540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2D3.exe
PID 2328 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2D3.exe
PID 2328 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2D3.exe
PID 1952 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\E2D3.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\E2D3.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\E2D3.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 4828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2140 wrote to memory of 4828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2140 wrote to memory of 4828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe

"C:\Users\Admin\AppData\Local\Temp\33b3b50a846405df3e1c7588e0b229e626ed14bc2a46ee5dd9d14d1fe0d461bf.exe"

C:\Users\Admin\AppData\Local\Temp\E2D3.exe

C:\Users\Admin\AppData\Local\Temp\E2D3.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20185

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 149.3.170.140:80 149.3.170.140 tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 13.89.178.26:443 N/A tcp
N/A 211.40.39.251:80 xisac.com tcp
N/A 127.0.0.1:20185 N/A tcp
N/A 127.0.0.1:1312 N/A tcp

Files

memory/2692-119-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-120-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-121-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-122-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-123-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-124-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-125-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-126-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-127-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-128-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-129-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-130-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-131-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-132-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-133-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-134-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-135-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-136-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-138-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-139-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-140-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-141-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-142-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-143-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-144-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-145-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-146-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-148-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-149-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-151-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-153-0x0000000000460000-0x00000000005AA000-memory.dmp

memory/2692-154-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2692-152-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-150-0x0000000000791000-0x00000000007A1000-memory.dmp

memory/2692-147-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-137-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/2692-155-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1952-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E2D3.exe

MD5 0bb2b15ca73128dbc816ea4ed583119c
SHA1 17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512 d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375

memory/1952-158-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-159-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-160-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-161-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-162-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-163-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-164-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-167-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-168-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-169-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-170-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-171-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-172-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-173-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-174-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-175-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-176-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-177-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-178-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-179-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-181-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-182-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-183-0x00000000026C0000-0x0000000002A45000-memory.dmp

memory/1952-184-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-185-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-186-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-187-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-180-0x0000000000BC0000-0x0000000000E14000-memory.dmp

memory/1952-188-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-189-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-190-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-191-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-192-0x0000000077840000-0x00000000779CE000-memory.dmp

memory/1952-211-0x0000000000400000-0x0000000000791000-memory.dmp

memory/2140-210-0x0000000000000000-mapping.dmp

memory/1952-217-0x00000000026C0000-0x0000000002A45000-memory.dmp

memory/1952-219-0x0000000000400000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 20ed93d0fd4c0d95a311a32d66d42f5f
SHA1 b4dfa9cf37ecfd8dd1968b80cd912c764633bcd3
SHA256 d6300d8819a9857d782671cca57e5f00ee62315da84b0e39886d93a90c2fec69
SHA512 31b223c815a19f95b91b48cc3656d6664e01c1681a2fb58451b3fe64f4052db022846dcde919f0e9a67ede923a4e8005666b15ef22757a55ac6c95775ab2f2bf

\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 20ed93d0fd4c0d95a311a32d66d42f5f
SHA1 b4dfa9cf37ecfd8dd1968b80cd912c764633bcd3
SHA256 d6300d8819a9857d782671cca57e5f00ee62315da84b0e39886d93a90c2fec69
SHA512 31b223c815a19f95b91b48cc3656d6664e01c1681a2fb58451b3fe64f4052db022846dcde919f0e9a67ede923a4e8005666b15ef22757a55ac6c95775ab2f2bf

memory/2140-266-0x0000000000400000-0x0000000000671000-memory.dmp

memory/2140-301-0x0000000000400000-0x0000000000671000-memory.dmp

memory/2140-318-0x0000000005DF0000-0x0000000006515000-memory.dmp

memory/4828-327-0x00007FF6DFD95FD0-mapping.dmp

memory/2140-332-0x0000000006659000-0x000000000665B000-memory.dmp

memory/4828-333-0x0000000000DC0000-0x0000000000FD9000-memory.dmp

memory/4828-334-0x000001C062130000-0x000001C06235A000-memory.dmp

memory/2140-335-0x0000000005DF0000-0x0000000006515000-memory.dmp