Analysis Overview
SHA256
451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Detects Smokeloader packer
Danabot
SmokeLoader
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-18 07:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-18 07:49
Reported
2022-12-18 07:51
Platform
win7-20220812-en
Max time kernel
150s
Max time network
46s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-18 07:49
Reported
2022-12-18 07:51
Platform
win10v2004-20221111-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Danabot
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C9EC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uiidtww | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1304 set thread context of 2816 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C9EC.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\uiidtww | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\uiidtww | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\uiidtww | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000092553946100054656d7000003a0009000400efbe6b55586c925541462e0000000000000000000000000000000000000000000000000058f7cf00540065006d007000000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uiidtww | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2596 wrote to memory of 3804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C9EC.exe |
| PID 3804 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\C9EC.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1304 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\C9EC.exe
C:\Users\Admin\AppData\Local\Temp\C9EC.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3804 -ip 3804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 480
C:\Users\Admin\AppData\Roaming\uiidtww
C:\Users\Admin\AppData\Roaming\uiidtww
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20209
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
Network
| Country | Destination | Domain | Proto |
| N/A | 31.13.83.36:443 | N/A | tcp |
| N/A | 31.13.83.17:443 | N/A | tcp |
| N/A | 157.240.201.35:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | dowe.at | udp |
| N/A | 91.195.240.101:80 | dowe.at | tcp |
| N/A | 8.8.8.8:53 | xisac.com | udp |
| N/A | 190.117.75.91:80 | xisac.com | tcp |
| N/A | 149.3.170.140:80 | 149.3.170.140 | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 20.50.73.10:443 | N/A | tcp |
| N/A | 96.16.53.137:80 | N/A | tcp |
| N/A | 127.0.0.1:20209 | N/A | tcp |
| N/A | 127.0.0.1:1312 | N/A | tcp |
| N/A | 172.217.168.237:443 | N/A | tcp |
| N/A | 142.251.36.42:443 | N/A | tcp |
| N/A | 216.58.208.100:443 | N/A | tcp |
| N/A | 142.251.36.3:443 | N/A | tcp |
| N/A | 142.250.179.142:443 | N/A | tcp |
| N/A | 142.251.39.97:443 | N/A | tcp |
| N/A | 8.8.4.4:443 | N/A | tcp |
| N/A | 142.250.179.174:443 | N/A | tcp |
| N/A | 142.250.179.195:443 | N/A | tcp |
| N/A | 142.250.179.131:443 | N/A | tcp |
| N/A | 23.236.181.126:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\C9EC.exe
| MD5 | 0bb2b15ca73128dbc816ea4ed583119c |
| SHA1 | 17d05964d9208ca1a27fd007ad5f41752cfa893e |
| SHA256 | 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8 |
| SHA512 | d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375 |
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
| MD5 | 2f2aafdd0fbd8d5e72ebee47f37fdf52 |
| SHA1 | b0c823f7b2f8a567672dff368017ab7bbdf4aad1 |
| SHA256 | 3d95cd18fa999b60a32edcc761100f6fdb276c68f23dadc03c7173de7c6594c0 |
| SHA512 | f835ba1691110d744220202c11c9fcdaac7724b1018e1c3931a2407569ea5351c72dc33ec34e1f2c0c6691debcc40d0f7d3719dc83ac00fdf14fb095c4636525 |
C:\Users\Admin\AppData\Roaming\uiidtww
| MD5 | 94ce7e3bc61e8f5825b3416dccd1c481 |
| SHA1 | 699b3330bbcdb08df4e5ee3c4e2343b33bb957bd |
| SHA256 | 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa |
| SHA512 | 1caf1d8d4ebdf2caafa092484d03653823c85e394531cea2e00937f5b38c75fe17b1ba86d810bdc6f95f0e5b0d8f6b21afdad260f278331e211095262649f8e9 |
\??\c:\program files (x86)\msbuild\microsoft\license..dll
| MD5 | 5ca5707a8b51e7d74370eb290de91a8d |
| SHA1 | ea53e90aafbcb923baecb6d6da7faa8efd3e2e0b |
| SHA256 | 6f78d195080c2d192a329d1725c2be7a0d770fd4c918b3d51613ee7829471100 |
| SHA512 | 0aa1386fa0b4ce677ea2b11c2c6ed2df72c74a853c8e15d8d4e331f95364764adc8b046c02fd5dddd8b042a07c37ed75c3eb1f0b7e5201fb10711ef077370097 |
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml
| MD5 | 996f11041df0526341cebbbd40a98390 |
| SHA1 | 37f652515ef8c662840086d743f7f68d327cce52 |
| SHA256 | bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e |
| SHA512 | 6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03 |
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.officemui.msi.16.en-us.xml
| MD5 | 35acff0f35559eac959647a7501385f7 |
| SHA1 | 28e052e01fe4e0eac3eab461385460eff7efe271 |
| SHA256 | 2669d714f126be033270a9f2919d6152f45c5bec970dc1ab8da09f41351234c0 |
| SHA512 | f3fa4e7499e15a63d2503355705eb08d15be0a3736145c3b46cc79a4fcf7e00df871f62af769090aff7692b34d93365cf413be7b86b27a9df0ecb8f481898ed2 |
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml
| MD5 | 66963736ebb1e54dc596701206eaed3f |
| SHA1 | 18bc8dfc779d407398af193f3d265ff93f253bc2 |
| SHA256 | fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b |
| SHA512 | 96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598 |
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp
| MD5 | 887acb127f0aa79ae28a71a481d81289 |
| SHA1 | f108748718844492a56686c53424fbe675359743 |
| SHA256 | 9197f8d53e2e648a22d9e652ae22f5ae91e95bd686b1b4fc5450c9c76fa53f32 |
| SHA512 | bb142431f89e847578c8a41e27ed40f70d15a5015357efc8b0e4e0a4eaf35f79524070d55a3906fca630caa7a5e78212e46fc45a37748408200bef962751846c |
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe.xml
| MD5 | 53e4d87ce4e7b6a4c5b2d84c60a70984 |
| SHA1 | ad381e6e2d67970b34c356259fa86fa8c3c1de78 |
| SHA256 | 8e5dd7465c39d653c1ba79e4b154321413b4f3dd7b62f485848a5122fbb868b6 |
| SHA512 | 2f984aa666cc9458450a6215d333ca3be4ba04a711d2bf4f257fca4e28007b25d0801cacdcd02f8f0b8d9f6f867a89478dd023faf672a88b95eda65091a03b71 |