Malware Analysis Report

2025-05-28 14:51

Sample ID 221219-ntal2seh56
Target 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007
SHA256 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007
Tags
danabot smokeloader backdoor banker discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007

Threat Level: Known bad

The file 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007 was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader backdoor banker discovery trojan

Detects Smokeloader packer

SmokeLoader

Danabot

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-19 11:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-19 11:40

Reported

2022-12-19 11:43

Platform

win10v2004-20221111-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C614.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 224 set thread context of 4060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\createpdf.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\ExtendScript.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\forms_distributed.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\info.gif C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\C614.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093552e65100054656d7000003a0009000400efbe6b557d6c935533652e00000000000000000000000000000000000000000000000000f7d43600540065006d007000000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 3436 N/A N/A C:\Users\Admin\AppData\Local\Temp\C614.exe
PID 3436 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\C614.exe C:\Windows\SysWOW64\rundll32.exe
PID 224 wrote to memory of 4060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe

"C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe"

C:\Users\Admin\AppData\Local\Temp\C614.exe

C:\Users\Admin\AppData\Local\Temp\C614.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3436 -ip 3436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 536

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\back-arrow-down.dll",HwkWVTFWUlpS

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 109.102.255.230:80 xisac.com tcp
N/A 23.106.123.49:80 23.106.123.49 tcp
N/A 109.102.255.230:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 109.102.255.230:80 xisac.com tcp
N/A 209.197.3.8:80 tcp
N/A 109.102.255.230:80 xisac.com tcp
N/A 104.80.225.205:443 tcp
N/A 40.79.189.58:443 tcp
N/A 127.0.0.1:23949 tcp
N/A 127.0.0.1:1312 tcp
N/A 8.238.21.126:80 tcp
N/A 23.236.181.126:443 tcp

Files

memory/4332-132-0x0000000000558000-0x000000000056D000-memory.dmp

memory/4332-133-0x0000000000520000-0x0000000000529000-memory.dmp

memory/4332-134-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4332-135-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3436-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C614.exe

MD5 8a4cb873c04ffe6859dd5bb381fed9b2
SHA1 c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256 c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512 352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd

memory/224-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/3436-142-0x0000000002054000-0x000000000212A000-memory.dmp

memory/3436-143-0x0000000002290000-0x00000000023A5000-memory.dmp

memory/3436-144-0x0000000000400000-0x0000000000517000-memory.dmp

memory/224-145-0x00000000046A0000-0x0000000004DC5000-memory.dmp

memory/224-146-0x00000000046A0000-0x0000000004DC5000-memory.dmp

memory/224-148-0x0000000004E90000-0x0000000004FD0000-memory.dmp

memory/224-147-0x0000000004E90000-0x0000000004FD0000-memory.dmp

memory/224-149-0x0000000004E90000-0x0000000004FD0000-memory.dmp

memory/224-150-0x0000000004E90000-0x0000000004FD0000-memory.dmp

memory/224-151-0x0000000004E90000-0x0000000004FD0000-memory.dmp

memory/224-152-0x0000000004E90000-0x0000000004FD0000-memory.dmp

memory/4060-153-0x00007FF6E9C96890-mapping.dmp

memory/224-154-0x0000000004F09000-0x0000000004F0B000-memory.dmp

memory/4060-155-0x000001D6507F0000-0x000001D650930000-memory.dmp

memory/4060-156-0x000001D6507F0000-0x000001D650930000-memory.dmp

memory/4060-157-0x0000000000AE0000-0x0000000000CF9000-memory.dmp

memory/4060-158-0x000001D64EE20000-0x000001D64F04A000-memory.dmp

memory/224-159-0x00000000046A0000-0x0000000004DC5000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\back-arrow-down.dll

MD5 d28fbb67ac9d3d1d4ab4a4842c70f678
SHA1 c9b7d11f272555535f5bcfe56dde17742c4c6ef4
SHA256 0e4f467d0751dce5efd4323ef07e5e3019e0a77e6dab03676339fafa52b558df
SHA512 59923921612c96168681a495a2afc9b04bd91e1a358f26c0a172aa1f094c096eda41be814486170705a2e4ee364e8480b5896bcfb93dd51dc8a5253d4576cd69

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

MD5 81ec934abf4fc9bd7b3ebb4486d56e7a
SHA1 a4e6a1e6575ff17175b20aee68c4042831dc7650
SHA256 d83702cfc2e4e74bce1ca31f12d644861bbe6759bab88c495e420dcc663e2d2e
SHA512 1dead0ce0db06c508f7cb83c7bd4ee8ea515e2f7bf762e8e218afd2e9f7da5795031e923ab16f67a9cff30c6250cd71578b0814a3a05297ecf334c0047b1660e

C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.dll

MD5 d28fbb67ac9d3d1d4ab4a4842c70f678
SHA1 c9b7d11f272555535f5bcfe56dde17742c4c6ef4
SHA256 0e4f467d0751dce5efd4323ef07e5e3019e0a77e6dab03676339fafa52b558df
SHA512 59923921612c96168681a495a2afc9b04bd91e1a358f26c0a172aa1f094c096eda41be814486170705a2e4ee364e8480b5896bcfb93dd51dc8a5253d4576cd69

memory/5080-163-0x0000000003470000-0x0000000003B95000-memory.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftEdgeUpdate.log

MD5 7a1763f6f5577656a43c4c9bd844ff4c
SHA1 df0864de9dcaa196589a66e2280570986a8bbee3
SHA256 d786b67ba29815370580be2c6eccd29adc09a1095a38d7ceff3279f6ab68a325
SHA512 c276a742684e6cf3b1378204fd3cbce73ea9a9ba16550aef8571810785f4be3d0abb28d31a78c0a9e25756b8a91b4f905547a1762544b7bb17dd76a93ca430a9

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\watermark.png

MD5 1f93b502e78190a2f496c2d9558e069d
SHA1 6ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA256 5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512 cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Policy.vpol

MD5 37c62fff1cdd42c987b1dea7875aea8a
SHA1 6c4dbb8c556315c7808f135ba9279ce9e5ccf7e1
SHA256 6cc104bdf2fa9eebe51c8a7ac70a265aee8601285afbac97c0a9e896a3a5854f
SHA512 a76404f14658b75b4495cf3d627e8a9aa6c07fe869eec4a6147a26589f4fe51024d340b97033a2a46e5f1e9643c0a9bc32cac8f88745aca9b79349532d03f0d5

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml

MD5 2f71d0396b93381c1fd86bf822612868
SHA1 d0801700dd00a51276f32c6ed19f5b713b5db825
SHA256 0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026
SHA512 67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml

MD5 539930de67b99bab23fe2c67000eeddb
SHA1 6b0e5ece46ecb0b019ec71caa44facf122647059
SHA256 2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c
SHA512 ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

memory/4824-170-0x0000000000000000-mapping.dmp

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\osver.txt

MD5 bea59a2f25178d677087edde21c60be7
SHA1 56844a00adee7f8d2c161808de19ce6fd191fb61
SHA256 4906553c99e9225413bacd029603f2549fe8d972bf389770063f3e932b623d80
SHA512 008622e6bf66c3cc4bdfc9cda7dc10376e310b560321ee0d7040f7c6da7673cd04799ee04b9e22bb45de378fa0791dc0b6bbf43efed1366d0520c26d803d7400

memory/5080-172-0x0000000003470000-0x0000000003B95000-memory.dmp

memory/4824-173-0x0000000004410000-0x0000000004B35000-memory.dmp

memory/4824-174-0x0000000004410000-0x0000000004B35000-memory.dmp

memory/3432-175-0x0000000000000000-mapping.dmp