Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-n1sq7shd73
Target 98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6
SHA256 98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6
Tags
danabot smokeloader systembc backdoor banker discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6

Threat Level: Known bad

The file 98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6 was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader systembc backdoor banker discovery trojan

Danabot

SystemBC

Detects Smokeloader packer

SmokeLoader

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-12-20 11:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 11:52

Reported

2022-12-20 11:54

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4FE6.exe N/A
N/A N/A C:\ProgramData\obkref\hqikm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1888 set thread context of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\hqikm.job C:\Users\Admin\AppData\Local\Temp\4FE6.exe N/A
File opened for modification C:\Windows\Tasks\hqikm.job C:\Users\Admin\AppData\Local\Temp\4FE6.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094559c66100054656d7000003a0009000400efbe0c551d9c94559d662e0000000000000000000000000000000000000000000000000024986a00540065006d007000000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 4596 N/A N/A C:\Users\Admin\AppData\Local\Temp\2451.exe
PID 2228 wrote to memory of 4596 N/A N/A C:\Users\Admin\AppData\Local\Temp\2451.exe
PID 2228 wrote to memory of 4596 N/A N/A C:\Users\Admin\AppData\Local\Temp\2451.exe
PID 4596 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2451.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2451.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2451.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FE6.exe
PID 2228 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FE6.exe
PID 2228 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FE6.exe
PID 1888 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1888 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1888 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe

"C:\Users\Admin\AppData\Local\Temp\98ede8733638e771e396ec0e48562ce9c27595916f7a248d1ccbc4fc13f6f7f6.exe"

C:\Users\Admin\AppData\Local\Temp\2451.exe

C:\Users\Admin\AppData\Local\Temp\2451.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4596 -ip 4596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 476

C:\Users\Admin\AppData\Local\Temp\4FE6.exe

C:\Users\Admin\AppData\Local\Temp\4FE6.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14137

C:\ProgramData\obkref\hqikm.exe

C:\ProgramData\obkref\hqikm.exe start

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4068 -ip 4068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 492

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\apple-touch-icon-57x57-precomposed.dll",e0U2NVNJ

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 45.141.58.129:80 45.141.58.129 tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 20.189.173.4:443 tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 8.8.8.8:53 bitleague.live udp
N/A 198.38.91.55:443 bitleague.live tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 190.219.54.242:80 xisac.com tcp
N/A 127.0.0.1:14137 tcp
N/A 127.0.0.1:1312 tcp
N/A 109.205.214.18:443 tcp
N/A 23.236.181.126:443 tcp
N/A 127.0.0.1:14137 tcp
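
The WriteProcessMemory and SetThreadContext rows above record a chain of cross-process writes (2228 to 4596 to 1888 to 2576, ending with the 32-bit SysWOW64 rundll32 setting the thread context of a 64-bit system32 rundll32), and the Processes section shows rundll32 loading a .tmp file from the user's Temp directory, a DLL from Program Files (x86)\WindowsPowerShell\Modules, and shell32.dll by ordinal (#61) with the argument 14137, the same port the sample connects to on 127.0.0.1 in the Network table. The script below is an added example by the editor, not part of this sandbox report or of the sandbox's own signature logic: it takes those rows as constructed input copied from the tables, rebuilds the injection chain by PID, and applies editor-chosen heuristics (DLL outside C:\Windows, non-.dll extension, export called by ordinal, numeric argument equal to a loopback port) to each rundll32 command line. The heuristics, thresholds and function names are assumptions for illustration.

```python
"""Rebuild the injection chain and triage the rundll32 launches from this report (added example)."""
import re
from collections import defaultdict

# Constructed input: rows copied from the WriteProcessMemory and SetThreadContext
# tables; one duplicate row is kept because the sandbox emits a row per write.
MEMORY_EVENTS = r"""
PID 2228 wrote to memory of 4596 N/A N/A C:\Users\Admin\AppData\Local\Temp\2451.exe
PID 2228 wrote to memory of 4596 N/A N/A C:\Users\Admin\AppData\Local\Temp\2451.exe
PID 4596 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2451.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FE6.exe
PID 1888 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1888 set thread context of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
"""

# Constructed input: the four rundll32 command lines from the Processes section.
RUNDLL32_CMDLINES = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14137',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
    r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\apple-touch-icon-57x57-precomposed.dll",e0U2NVNJ',
]

# Constructed input: the loopback destination ports from the Network table.
LOOPBACK_PORTS = {14137, 1312}

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")
RUNDLL32_RE = re.compile(
    r'^"?(?P<exe>[^"]*?rundll32\.exe)"?\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)


def parse_memory_events(text):
    """Map (source_pid, target_pid) -> set of operations, collapsing the
    duplicate rows into one edge per process pair."""
    edges = defaultdict(set)
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            op = "write" if m.group(2).startswith("wrote") else "set_thread_context"
            edges[(int(m.group(1)), int(m.group(3)))].add(op)
    return dict(edges)


def injection_chains(edges, root):
    """Follow edges outward from the root PID; return every root-to-leaf path, sorted."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chains = []

    def walk(pid, path):
        if not children[pid]:
            chains.append(path)
        for nxt in children[pid]:
            walk(nxt, path + [nxt])

    walk(root, [root])
    return sorted(chains)


def parse_rundll32(cmdline):
    """Split a rundll32 command line (quoted or bare DLL path, spaces allowed)
    into (dll_path, entry_point, arguments)."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    return m.group("dll"), m.group("entry"), m.group("args") or ""


def rundll32_findings(cmdline, loopback_ports=LOOPBACK_PORTS):
    """Editor's heuristics (assumptions, not the sandbox's): DLL outside the
    Windows directory, non-.dll extension, ordinal export, loopback-port argument."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return ["unparsed_rundll32_cmdline"]
    dll, entry, args = parsed
    findings = []
    if not dll.lower().startswith("c:\\windows\\"):
        findings.append("dll_outside_windows_dir")
    if not dll.lower().endswith(".dll"):
        findings.append("non_dll_extension")
    if entry.startswith("#"):
        findings.append("export_by_ordinal")
    for token in args.split():
        if token.isdigit() and int(token) in loopback_ports:
            findings.append("arg_matches_loopback_port:" + token)
    return findings


def triage(root_pid=2228):
    """Injection chains from the root PID plus the command lines that produced a finding."""
    chains = injection_chains(parse_memory_events(MEMORY_EVENTS), root_pid)
    flagged = {c: rundll32_findings(c) for c in RUNDLL32_CMDLINES}
    return {"chains": chains, "flagged": {c: f for c, f in flagged.items() if f}}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The COM activation line (shell32.dll,SHCreateLocalServerRunDll ... -Embedding) is ordinary Windows behaviour and produces no finding, which is the point of parsing the DLL path, entry point and arguments separately instead of alerting on rundll32 by name.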

Files

memory/876-132-0x0000000000718000-0x0000000000729000-memory.dmp

memory/876-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

memory/876-134-0x0000000000400000-0x000000000045F000-memory.dmp

memory/876-135-0x0000000000718000-0x0000000000729000-memory.dmp

memory/876-136-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4596-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2451.exe

MD5 be1369ec379e0ec8dd84be3d5a26ac00
SHA1 ee6832ff5c366b22291778d8c314f0d4ec6b1225
SHA256 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912
SHA512 4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171

memory/1888-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

memory/4596-143-0x0000000002254000-0x0000000002343000-memory.dmp

memory/4596-144-0x0000000002350000-0x0000000002480000-memory.dmp

memory/4596-145-0x0000000000400000-0x000000000053E000-memory.dmp

memory/4068-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4FE6.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/4068-149-0x00000000006D9000-0x00000000006EA000-memory.dmp

memory/4068-150-0x00000000006B0000-0x00000000006B9000-memory.dmp

memory/4068-151-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1888-152-0x0000000006200000-0x0000000006925000-memory.dmp

memory/1888-153-0x0000000006200000-0x0000000006925000-memory.dmp

memory/1888-154-0x0000000004F50000-0x0000000005090000-memory.dmp

memory/1888-155-0x0000000004F50000-0x0000000005090000-memory.dmp

memory/1888-156-0x0000000004F50000-0x0000000005090000-memory.dmp

memory/1888-157-0x0000000004F50000-0x0000000005090000-memory.dmp

memory/1888-159-0x0000000004F50000-0x0000000005090000-memory.dmp

memory/2576-160-0x00007FF795F26890-mapping.dmp

memory/1888-158-0x0000000004F50000-0x0000000005090000-memory.dmp

memory/4068-161-0x00000000006D9000-0x00000000006EA000-memory.dmp

memory/2576-164-0x0000023603A60000-0x0000023603BA0000-memory.dmp

memory/1888-163-0x0000000004FC9000-0x0000000004FCB000-memory.dmp

memory/2576-165-0x0000000000DE0000-0x0000000000FF9000-memory.dmp

memory/2576-162-0x0000023603A60000-0x0000023603BA0000-memory.dmp

C:\ProgramData\obkref\hqikm.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/2576-168-0x0000023602090000-0x00000236022BA000-memory.dmp

memory/1888-169-0x0000000006200000-0x0000000006925000-memory.dmp

memory/2424-170-0x00000000006F3000-0x0000000000703000-memory.dmp

memory/2424-171-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4068-172-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4068-173-0x00000000006D9000-0x00000000006EA000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\apple-touch-icon-57x57-precomposed.dll

MD5 90f4135ed3f0327686923564d377f4ef
SHA1 8368b3d9bc52c1a2b4dbeafa240fe6e17b0da99b
SHA256 796291f8e9fbec5c1192d90f31d58b671dac3d120ddb42b517c8e1ccfdbf1e0d
SHA512 50a5bf97f2a8acec0471f7443c3362f1409601f0bd8a14241a704c939845a8c2cc6cb1ba1e8355b35e085dccd983c1879269f5697a5ddb3bc9a8827fe0abcf42

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 7b0dc7fa52f0e2eb87712c85088a160d
SHA1 15ac439ebfa32a2ef4d2de3a92eb761ef4e57d20
SHA256 b76fac7c062c2c1d2fbc9f83eb9816c8db7c408817d3920f68e654afe2a91ebe
SHA512 551bf4954aa8b19c73b80ab1208fe45467b76f5b0d3c98e05517ca8de99818dc581be1adf93c0ca48500aa291bf1319d10c81ac701b54db636e0ef919f909f0a

C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.dll

MD5 90f4135ed3f0327686923564d377f4ef
SHA1 8368b3d9bc52c1a2b4dbeafa240fe6e17b0da99b
SHA256 796291f8e9fbec5c1192d90f31d58b671dac3d120ddb42b517c8e1ccfdbf1e0d
SHA512 50a5bf97f2a8acec0471f7443c3362f1409601f0bd8a14241a704c939845a8c2cc6cb1ba1e8355b35e085dccd983c1879269f5697a5ddb3bc9a8827fe0abcf42

memory/3220-177-0x0000000003490000-0x0000000003BB5000-memory.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2010Win32.xml

MD5 b08a8c2f6941a1a12aa05180aec1dbb9
SHA1 c09f9207502aca3866b182d79221addcca76f4d1
SHA256 843f89d7b8b11907ee5dea2e0108dbb10ce3883d3b7505c55f4e1082db879d3f
SHA512 8de3748bd731835154f3d371ca0174c2b17da64fd39d479b132947304e6ff1d7f95e344aad64b6b9aa831ae37b3ed00d3a05efaf6aed67619e9d69a1e9b89bf7

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\d42cc0c3858a58db2db37658219e6400_9be0bf4d-f8db-4af4-be85-dc38433c9501

MD5 8199f8d3d0c851c1cdc0fcac1f626d97
SHA1 f35267182b284975a9ef0a359670573e12a504b9
SHA256 27cbbea4e7ba38dd50f895ab8139c47d3fb3b469f11db0d4710de44e5bf62a7d
SHA512 31676860806f44e0dabbdb29ddd1c3b7a9de90006cee670c5c871c7ca22fdd750ec64b064dd4ac3253875d0651b25b72361192ebf8fd646cabc873be8721d090

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

MD5 09eb72768015735e81d549d7a5087631
SHA1 0dc0de9d9f1f94a73b760e13dbfb033d58b2962c
SHA256 803200facef08eb731bceb63813c1c873628a271ada9661dda6bb4b638ccb5f8
SHA512 240680b7e01215938623781f3431fb5ae8a2630590285a824f7e41e63e8e06f6fa79e641f4ace6d9dcb96f0c3fe3e928f5ac0eb2992158bda8cb83e95c7e916a

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\user-40.png

MD5 3bde564b05fe619b8082900b5c83b536
SHA1 656b402ff5e478471b1053e50ed8e5bfcc011a11
SHA256 1fa751b71307c22ceb94e3af09688c0e123b26ae8c16e1c521510f309bca4308
SHA512 00303409ca69ee71e6e2702d8f06a8ee5418d01e2e0f726394042b0af4b6a5b35f66d5a70664f031feb7e28d13c124b5d08e4b3998b443a2cba3574c4996ca0b

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\print_pref.ico

MD5 a52a082f2b18811deaf3138d27c57af8
SHA1 317bf685e50de705818bff26f032e7f593830509
SHA256 6b4b668a30271d7853257b5752dc429b39c7b264e77ff3533196e6fd03fbeb88
SHA512 0d6f4bbb993b4e9a0069ddd0503ceb45d8a1cc6f6453cc2faf91cb137fa49e15eeaa3d77cb9954cc07701153932da51977d467c54b1e0fcfe74b6670cac47d99

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Active.GRL

MD5 fffde3df0d91311b7fe3f9bc8642a9ec
SHA1 50987906817aab51e2cc29fbce47ac5f0936a44e
SHA256 bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc
SHA512 5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

memory/1748-184-0x0000000000000000-mapping.dmp
