Malware Analysis Report

2025-05-28 14:50

Sample ID 221219-p3laksaa7z
Target 2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407
SHA256 2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407
Tags danabot smokeloader backdoor banker trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407

Threat Level: Known bad

The file 2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407 was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader backdoor banker trojan

SmokeLoader

Danabot

Detects Smokeloader packer

Blocklisted process makes network request

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Deletes itself

Suspicious use of SetThreadContext

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported 2022-12-19 12:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-12-19 12:51

Reported 2022-12-19 12:53

Platform win10-20220812-en

Max time kernel 150s

Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EB8D.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4708 set thread context of 436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355846e100054656d7000003a0009000400efbe0c5553889355846e2e000000000000000000000000000000000000000000000000002f297e00540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe N/A
N/A N/A N/A N/A (62 further process-enumeration events recorded with no description, indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 3360 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB8D.exe
PID 3048 wrote to memory of 3360 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB8D.exe
PID 3048 wrote to memory of 3360 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB8D.exe
PID 3360 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\EB8D.exe C:\Windows\SysWOW64\rundll32.exe
PID 3360 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\EB8D.exe C:\Windows\SysWOW64\rundll32.exe
PID 3360 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\EB8D.exe C:\Windows\SysWOW64\rundll32.exe
PID 4708 wrote to memory of 436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4708 wrote to memory of 436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4708 wrote to memory of 436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe

"C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe"

C:\Users\Admin\AppData\Local\Temp\EB8D.exe

C:\Users\Admin\AppData\Local\Temp\EB8D.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23981

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 23.106.123.49:80 23.106.123.49 tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 51.104.15.252:443 N/A tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 127.0.0.1:23981 N/A tcp
N/A 211.171.233.129:80 xisac.com tcp
N/A 127.0.0.1:1312 N/A tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp
N/A 175.126.109.15:80 xisac.com tcp

Files

memory/2408-115-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-116-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-117-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-118-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-119-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-120-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-121-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-123-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-122-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-125-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-126-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-127-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-124-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-128-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-129-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-131-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-132-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-133-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-134-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-135-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-136-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-137-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-138-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-139-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-140-0x0000000000460000-0x000000000050E000-memory.dmp

memory/2408-141-0x00000000005B0000-0x00000000005B9000-memory.dmp

memory/2408-142-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-143-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2408-144-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-145-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-146-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-147-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-148-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-149-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-150-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-151-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/2408-152-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB8D.exe

MD5 8a4cb873c04ffe6859dd5bb381fed9b2
SHA1 c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256 c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512 352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd

memory/3360-155-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-156-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-157-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-158-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-159-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-153-0x0000000000000000-mapping.dmp

memory/3360-160-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-161-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-163-0x0000000077460000-0x00000000775EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB8D.exe

MD5 8a4cb873c04ffe6859dd5bb381fed9b2
SHA1 c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256 c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512 352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd

memory/3360-164-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-165-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-166-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-167-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-168-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-169-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-170-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-172-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-173-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-174-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-175-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-177-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-176-0x0000000002180000-0x0000000002258000-memory.dmp

memory/3360-178-0x0000000002370000-0x0000000002485000-memory.dmp

memory/3360-180-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3360-182-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-181-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-179-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-183-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-184-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-185-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-186-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-187-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-188-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-189-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3360-190-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/4708-201-0x0000000000000000-mapping.dmp

memory/3360-204-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/4708-303-0x00000000069B0000-0x00000000070D5000-memory.dmp

memory/436-312-0x00007FF7AE175FD0-mapping.dmp

memory/436-317-0x0000000000AC0000-0x0000000000CD9000-memory.dmp

memory/436-318-0x0000020CD2EF0000-0x0000020CD311A000-memory.dmp

memory/4708-319-0x00000000069B0000-0x00000000070D5000-memory.dmp