Malware Analysis Report

2025-06-15 21:02

Sample ID 221218-j55jcaea4s
Target 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b
SHA256 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b
Tags
danabot smokeloader backdoor banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b

Threat Level: Known bad

The file 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader backdoor banker persistence trojan

SmokeLoader

Danabot

Detects Smokeloader packer

Sets service image path in registry

Downloads MZ/PE file

Sets DLL path for service in the registry

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-18 08:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-18 08:16

Reported

2022-12-18 08:18

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D769.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ADelRCP\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\ADelRCP.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ADelRCP\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\ADelRCP.dll耀" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ADelRCP\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4216 set thread context of 3140 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSBuild\Microsoft\DropboxStorage.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Stamp.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\AdobeXMP.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\A3DUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\BIBUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.dll C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D769.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009255154a100054656d7000003a0009000400efbe0c55199992551b4a2e000000000000000000000000000000000000000000000000005fb36100540065006d007000000014000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D769.exe
PID 632 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\D769.exe C:\Windows\SysWOW64\rundll32.exe
PID 4216 wrote to memory of 3140 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe

"C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe"

C:\Users\Admin\AppData\Local\Temp\D769.exe

C:\Users\Admin\AppData\Local\Temp\D769.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 632 -ip 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 484

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20223

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\adelrcp.dll",Xz4hQ04=

Network

Country Destination Domain Proto
N/A 87.248.202.1:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 95.107.163.44:80 xisac.com tcp
N/A 149.3.170.140:80 149.3.170.140 tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 20.189.173.4:443 tcp
N/A 127.0.0.1:20223 tcp
N/A 127.0.0.1:1312 tcp
N/A 23.236.181.126:443 tcp

Files

memory/2424-132-0x0000000000842000-0x0000000000853000-memory.dmp

memory/2424-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/2424-134-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2424-135-0x0000000000400000-0x0000000000460000-memory.dmp

memory/632-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D769.exe

MD5 6e10b6107066da8b83187a14c8b68b23
SHA1 bfe5bb0d1fbd503226abf58fbd88e91e8f17ba05
SHA256 804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e
SHA512 6f4715008d918f0a940bae3970e072c39b16a6c8fb66f10bc32c4b611c93a437b3475646d0fafa3e814af6d5013a518ba5893c2c984b558f66733b4d03f83461

memory/632-139-0x0000000000B4E000-0x0000000000D99000-memory.dmp

memory/632-140-0x0000000002680000-0x0000000002A05000-memory.dmp

memory/4216-141-0x0000000000000000-mapping.dmp

memory/632-142-0x0000000000400000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

MD5 5f4ea66e5a0558784add458259f7e9c3
SHA1 11ca8a52f3a8b8ed410a82c4570e1a683a233d77
SHA256 7f3fde1c0be5b905db2839f85bcc5b406c2a242fa2831f1cb83f4681037bbb26
SHA512 77afd658be816646a63318de23c930f16b7cc16ad5498d4860a015f7d02587767799841c5ef5d21e17455c7047b936be5e964f1caf24484c23e8ea9cfd7b38ee

memory/4216-145-0x0000000000400000-0x0000000000671000-memory.dmp

memory/632-146-0x0000000000400000-0x0000000000791000-memory.dmp

memory/4216-147-0x0000000000400000-0x0000000000671000-memory.dmp

memory/4216-148-0x0000000003830000-0x0000000003F55000-memory.dmp

memory/4216-149-0x0000000003830000-0x0000000003F55000-memory.dmp

memory/4216-150-0x0000000003830000-0x0000000003F55000-memory.dmp

memory/4216-151-0x0000000004020000-0x0000000004160000-memory.dmp

memory/4216-152-0x0000000004020000-0x0000000004160000-memory.dmp

memory/4216-153-0x0000000004020000-0x0000000004160000-memory.dmp

memory/4216-154-0x0000000004020000-0x0000000004160000-memory.dmp

memory/4216-155-0x0000000004020000-0x0000000004160000-memory.dmp

memory/4216-156-0x0000000004020000-0x0000000004160000-memory.dmp

memory/3140-157-0x00007FF649ED6890-mapping.dmp

memory/3140-158-0x0000023A8B5E0000-0x0000023A8B720000-memory.dmp

memory/3140-159-0x0000023A8B5E0000-0x0000023A8B720000-memory.dmp

memory/3140-160-0x00000000002A0000-0x00000000004B9000-memory.dmp

memory/3140-161-0x0000023A8B730000-0x0000023A8B95A000-memory.dmp

memory/4216-162-0x0000000003830000-0x0000000003F55000-memory.dmp

memory/3140-163-0x0000023A8B730000-0x0000023A8B95A000-memory.dmp

\??\c:\program files (x86)\msbuild\microsoft\adelrcp.dll

MD5 3a16cbcfa6966c0a644f09430e39efe1
SHA1 18190824815ae411156806f7aa52b6dbceaa24f1
SHA256 298ff39ecd80a282c04005eb1f7d6023f31f67b0204e7c88aeb1962768deadd4
SHA512 61ee3cb35a2dba07ce44f5178761251aa9819370bc506485ac9356543f6ecf72cc4d756fb2d2862960b5810ab3ebe1c0f0a444e3e69cb74543d09cd2f741f985

memory/2232-167-0x0000000001800000-0x0000000001A71000-memory.dmp

C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.dll

MD5 3a16cbcfa6966c0a644f09430e39efe1
SHA1 18190824815ae411156806f7aa52b6dbceaa24f1
SHA256 298ff39ecd80a282c04005eb1f7d6023f31f67b0204e7c88aeb1962768deadd4
SHA512 61ee3cb35a2dba07ce44f5178761251aa9819370bc506485ac9356543f6ecf72cc4d756fb2d2862960b5810ab3ebe1c0f0a444e3e69cb74543d09cd2f741f985

memory/2232-168-0x0000000001800000-0x0000000001A71000-memory.dmp

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml

MD5 6c2429d1fdb4a93ebca14340b9fb8fb7
SHA1 e757fc9e129850598fff1931d496fb7c7b21d4d6
SHA256 52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285
SHA512 bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

MD5 ca46edae2217279051a3ce83398427e5
SHA1 576f39dd50f1abe5e35b8a6ea5b8eedeef26154d
SHA256 f40fa45b6546a80688b10e168815bc7bd4ebd6d8d964305ba797555fc883ba82
SHA512 7662a2e2fc59aebf99e482227d0c8bedb9a89208013ec3c5b6ed47789ac8b3baebe909bf7e2c3d6eda6ea9bbc80c561d9f673e907d72cd354afe0e0f7def44f4

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

MD5 1600f66ce0d9c342eb6a49155a2f8c14
SHA1 e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07
SHA256 8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27
SHA512 ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.officemui.msi.16.en-us.xml

MD5 35acff0f35559eac959647a7501385f7
SHA1 28e052e01fe4e0eac3eab461385460eff7efe271
SHA256 2669d714f126be033270a9f2919d6152f45c5bec970dc1ab8da09f41351234c0
SHA512 f3fa4e7499e15a63d2503355705eb08d15be0a3736145c3b46cc79a4fcf7e00df871f62af769090aff7692b34d93365cf413be7b86b27a9df0ecb8f481898ed2

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftLync2010.xml

MD5 701beb4f8c252fb3c9f5dbdc94648048
SHA1 556ba20475a502b68b7992454be6c64ab355b4ec
SHA256 620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67
SHA512 28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

memory/2232-174-0x0000000002160000-0x0000000002885000-memory.dmp

memory/2232-175-0x0000000002160000-0x0000000002885000-memory.dmp

C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

MD5 424b00848f1ce9633dec58f15c3d43b5
SHA1 c452da009ae3db8493131a11738975b4aadf928d
SHA256 21e8f0a4fbf065d15947cff2bea6d9625b8bad7a2969061ada9c240b397aaac9
SHA512 81be9ca04ef6cc6a6da58e0b79a793c1c959d1f68abff53cefc84b0f8313a88e99c480cd204d42f07a2017fe3712f7cb29bdcba334c0ad061a2bc8fad0ff26b7

memory/2232-178-0x0000000002160000-0x0000000002885000-memory.dmp

memory/3432-177-0x0000000000000000-mapping.dmp

memory/3432-181-0x0000000002490000-0x0000000002701000-memory.dmp

memory/3432-182-0x0000000002490000-0x0000000002701000-memory.dmp